2024-09-28 19:24:43 -04:00
9 changed files with 49 additions and 73 deletions
--- a/dom0.sh
+++ b/dom0.sh
@ -30,18 +30,18 @@ qvm-service --enable work qubes-u2f-proxy

 echo "QT_QPA_PLATFORMTHEME=gtk2" | sudo tee /etc/environment

-#O bviously replace vault with the actual GPG backend that you are using https://www.qubes-os.org/doc/split-gpg/
+#Obviously replace vault with the actual GPG backend that you are using https://www.qubes-os.org/doc/split-gpg/
 echo "emails  vault allow" | sudo tee /etc/qubes-rpc/policy/qubes.Gpg
 echo "@anyvm  @anyvm  ask,default_target=vault" | sudo tee -a /etc/qubes-rpc/policy/qubes.Gpg

-# Same thing, but for split SSH. No default allow here because here though because there will not be a timeout or anything like that.
+#Same thing, but for split SSH. No default allow here because here though because there will not be a timeout or anything like that.
 echo "@anyvm  @anyvm ask,default_target=vault" | sudo tee /etc/qubes-rpc/policy/qubes.SshAgent

-# Enabling VMAuth - if you want to get the prompt you will still need to configure the guest VMs tho
+#Enabling VMAuth - if you want to get the prompt you will still need to configure the guest VMs tho
 echo "/usr/bin/echo 1" | sudo tee /etc/qubes-rpc/qubes.VMAuth
 sudo chmod u+x /etc/qubes-rpc/qubes.VMAuth
 echo "@anyvm dom0 ask,default_target=dom0" | sudo tee /etc/qubes-rpc/policy/qubes.VMAuth

-# Enabling discard and fstrim
+#Enabling discard and fstrim
 sudo sed -i 's/issue_discards = 0/issue_discards = 1/g' /etc/lvm/lvm.conf
 sudo systemctl enable fstrim.timer
--- a/fedora-minimal/sys-net.sh
+++ b/fedora-minimal/sys-net.sh
@ -21,11 +21,11 @@ rm -rf /etc/chrony.conf
 curl --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/chrony.conf -o /etc/chrony.conf
 systemctl enable --now chronyd

-# Switch DNSSEC to default / allow-downgrade, as there is no guaranteee that the DNS server obtained via DHCP supports DNSSEC.
+#Switch DNSSEC to default / allow-downgrade, as there is no guaranteee that the DNS server obtained via DHCP supports DNSSEC.
 sed -i 's/DNSSEC=yes/#DNSSEC=false/g' /etc/systemd/resolved.conf
 systemctl restart systemd-resolved

-# Theming
+#Theming

 sudo mkdir -p /etc/gtk-3.0
 echo '[Settings]
--- a/fedora/fedora.sh
+++ b/fedora/fedora.sh
@ -9,32 +9,32 @@ sudo dnf -y remove fedora-bookmarks fedora-chromium-config firefox mozilla-files
 # Remove Network + hardware tools packages
 sudo dnf -y remove '*cups' nmap-ncat nfs-utils nmap-ncat openssh-server net-snmp-libs net-tools opensc traceroute rsync tcpdump teamd geolite2* mtr dmidecode sgpio

-# Remove support for some languages and spelling
+#Remove support for some languages and spelling
 sudo dnf -y remove ibus-typing-booster '*speech*' '*zhuyin*' '*pinyin*' '*kkc*' '*m17n*' '*hangul*' '*anthy*' words

-# Remove codec + image + printers
+#Remove codec + image + printers
 sudo dnf -y remove openh264 ImageMagick* sane* simple-scan

-# Remove Active Directory + Sysadmin + reporting tools
+#Remove Active Directory + Sysadmin + reporting tools
 sudo dnf -y remove 'sssd*' realmd adcli cyrus-sasl-plain cyrus-sasl-gssapi mlocate quota* dos2unix kpartx sos abrt samba-client gvfs-smb

-# Remove vm and virtual stuff
+#Remove vm and virtual stuff
 sudo dnf -y remove 'podman*' '*libvirt*' 'open-vm*' qemu-guest-agent 'hyperv*' spice-vdagent virtualbox-guest-additions vino xorg-x11-drv-vmware xorg-x11-drv-amdgpu
 sudo dnf autoremove -y

-# Remove NetworkManager
+#Remove NetworkManager
 sudo dnf -y remove NetworkManager-pptp-gnome NetworkManager-ssh-gnome NetworkManager-openconnect-gnome NetworkManager-openvpn-gnome NetworkManager-vpnc-gnome ppp* ModemManager

-# Remove Gnome apps
+#Remove Gnome apps
 sudo dnf remove -y gnome-photos gnome-connections gnome-tour gnome-themes-extra gnome-screenshot gnome-remote-desktop gnome-font-viewer gnome-calculator gnome-calendar gnome-contacts \
    gnome-maps gnome-weather gnome-logs gnome-boxes gnome-disk-utility gnome-clocks gnome-color-manager gnome-characters baobab totem \
    gnome-shell-extension-background-logo gnome-shell-extension-apps-menu gnome-shell-extension-launch-new-instance gnome-shell-extension-places-menu gnome-shell-extension-window-list \
    gnome-classic* gnome-user* gnome-text-editor chrome-gnome-shell eog

-# Remove apps
+#Remove apps
 sudo dnf remove -y rhythmbox yelp evince libreoffice* cheese file-roller* mediawriter

-# Remove other packages
+#Remove other packages
 sudo dnf remove -y lvm2 rng-tools thermald '*perl*' yajl

 # Disable openh264 repo
@ -57,11 +57,11 @@ curl --proxy http://127.00.1:8082 https://raw.githubusercontent.com/Kicksecure/s
 sudo mkdir -p /etc/systemd/system/ModemManager.service.d
 curl --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/divestedcg/Brace/master/brace/usr/lib/systemd/system/ModemManager.service.d/99-brace.conf | sudo tee /etc/systemd/system/ModemManager.service.d/99-brace.conf

-# Setup SSH client
+#Setup SSH client
 echo "GSSAPIAuthentication no" | sudo tee /etc/ssh/ssh_config.d/10-custom.conf
 echo "VerifyHostKeyDNS yes" | sudo tee -a /etc/ssh/ssh_config.d/10-custom.conf

-# Force DNSSEC
+#Force DNSSEC
 sudo sed -i 's/#DNSSEC=no/DNSSEC=yes/g' /etc/systemd/resolved.conf
 sudo systemctl restart systemd-resolved

@ -78,7 +78,7 @@ automount-open=false" | sudo tee /etc/dconf/db/local.d/custom

 sudo dconf update

-# Flatpak update service
+#Flatpak update service

 echo "[Unit]
 Description=Update user Flatpaks
--- a/fedora/mullvad.sh
+++ b/fedora/mullvad.sh
@ -19,6 +19,6 @@ sudo tee /etc/qubes-bind-dirs.d/50_user.conf << EOF > /dev/null
 binds+=( '/etc/mullvad-vpn' )
 EOF

-# Run these in the AppVM:
-# echo "sleep 10 # Waiting a bit so that Mullvad can establish connection
-# /usr/lib/qubes/qubes-setup-dnat-to-ns" | sudo tee -a /rw/config/rc.local
+#Run these in the AppVM:
+#echo "sleep 10 # Waiting a bit so that Mullvad can establish connection
+#/usr/lib/qubes/qubes-setup-dnat-to-ns" | sudo tee -a /rw/config/rc.local
--- a/kicksecure/element.sh
+++ b/kicksecure/element.sh
@ -19,5 +19,5 @@ echo "deb [signed-by=/usr/share/keyrings/element-io-archive-keyring.gpg] https:/
 sudo apt update
 sudo apt install --no-install-recommends element-desktop -y

-# Adding a DNS entry for my Matrix server here so I can add a Firewall rule locking the AppVM to only being able to connect to my server.
+#Adding a DNS entry for my Matrix server here so I can add a Firewall rule locking the AppVM to only being able to connect to my server.
 echo "5.226.143.168 matrix.arcticfoxes.net" | sudo tee -a /etc/hosts
--- a/kicksecure/kicksecure.sh
+++ b/kicksecure/kicksecure.sh
@ -14,56 +14,48 @@
 # License for the specific language governing permissions and limitations under
 # the License.

-unpriv(){
-  sudo -u nobody "$@"
-}
-
-# Avoid phased updates
-unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/apt/apt.conf.d/99sane-upgrades | sudo tee /etc/apt/apt.conf.d/99sane-upgrades
-sudo chmod 644 /etc/apt/apt.conf.d/99sane-upgrades
-
-# Adding KickSecure's signing key
+#Adding KickSecure's signing key
 curl --proxy http://127.0.0.1:8082/ --tlsv1.3 --proto =https --max-time 180 --output ~/derivative.asc https://www.kicksecure.com/derivative.asc
 sudo cp ~/derivative.asc /usr/share/keyrings/derivative.asc
 echo "deb [signed-by=/usr/share/keyrings/derivative.asc] https://deb.kicksecure.com bullseye main contrib non-free" | sudo tee /etc/apt/sources.list.d/derivative.list
 sudo apt update

-# Debloat
+#Debloat
 sudo apt purge -y thunderbird emacs emacs-gtk emacs-bin-common emacs-common firefox* keepassxc cups* system-config-printer* xsettingsd yelp*
 sudo apt autoremove -y
 sudo apt autoclean

-# Distribution morphing
+#Distribution morphing
 sudo apt install --no-install-recommends kicksecure-qubes-cli gnome-settings-daemon -y
 sudo apt autoremove -y
 sudo mv /etc/apt/sources.list ~/
 sudo touch /etc/apt/sources.list

-#E nabling SUID Disabler and Permission Hardener
+#Enabling SUID Disabler and Permission Hardener
 sudo systemctl enable --now permission-hardening

-# Enable hardened malloc
+#Enable hardened malloc
 echo "/usr/lib/libhardened_malloc.so/libhardened_malloc.so" | sudo tee /etc/ld.so.preload

-# Restrict /proc and access
+#Restrict /proc and access
 sudo systemctl enable --now proc-hidepid.service

-# educe kernel information leaks
-# Will break a lot of applications. The apps I use on KickSecure work fine with it so I am enabling it.
+#Reduce kernel information leaks
+#Will break a lot of applications. The apps I use on KickSecure work fine with it so I am enabling it.
 sudo systemctl enable --now hide-hardware-info.service

-# Install packages
+#Install packages
 sudo apt install --no-install-recommends tirdad qubes-gpg-split qubes-u2f eog qt5ct qt5-style-plugins arc-theme -y

-# Setup SSH client
+#Setup SSH client
 echo "GSSAPIAuthentication no" | sudo tee /etc/ssh/ssh_config.d/10-custom.conf
 echo "VerifyHostKeyDNS yes" | sudo tee -a /etc/ssh/ssh_config.d/10-custom.conf

-# Force DNSSEC
+#Force DNSSEC
 sudo sed -i 's/#DNSSEC=no/DNSSEC=yes/g' /etc/systemd/resolved.conf
 sudo systemctl restart systemd-resolved

-# Theming
+#Theming

 echo "export QT_QPA_PLATFORMTHEME=gtk2" | sudo tee /etc/environment

@ -76,7 +68,7 @@ automount-open=false" | sudo tee /etc/dconf/db/local.d/custom

 sudo dconf update

-# Flatpak update service
+#Flatpak update service

 echo "[Unit]
 Description=Update user Flatpaks
--- a/kicksecure/lokinet.sh
+++ b/kicksecure/lokinet.sh
@ -18,7 +18,7 @@
 #The AppVM needs to be granted the network-manager service
 #There is a risk of leaks because I dont see any killswitch being implemented

-# Disabling the Arc icon theme here because it looks bad on the systray
+#Disabling the Arc icon theme here because it looks bad on the systray
 sudo rm -rf /usr/share/icons/Arc

 echo "[Settings]
@ -30,7 +30,7 @@ gtk-theme-name=Arc-Dark
 gtk-application-prefer-dark-theme=1" | sudo tee /etc/gtk-4.0/settings.ini


-# Actual Installtion
+#Actual Installtion
 curl --proxy http://127.0.0.1:8082 | sudo tee /etc/apt/trusted.gpg.d/oxen.gpg https://deb.oxen.io/pub.gpg
 echo "deb https://deb.oxen.io $(lsb_release -sc) main" | sudo tee /etc/apt/sources.list.d/oxen.list
 curl --proxy http://127.0.0.1:8082 | sudo tee /usr/share/keyrings/brave-browser-archive-keyring.gpg https://brave-browser-apt-release.s3.brave.com/brave-browser-archive-keyring.gpg
--- a/whonix/whonix-gw.sh
+++ b/whonix/whonix-gw.sh
@ -14,28 +14,20 @@
 # License for the specific language governing permissions and limitations under
 # the License.

-unpriv(){
-  sudo -u nobody "$@"
-}
-
-# Avoid phased updates
-unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/apt/apt.conf.d/99sane-upgrades | sudo tee /etc/apt/apt.conf.d/99sane-upgrades
-sudo chmod 644 /etc/apt/apt.conf.d/99sane-upgrades
-
-# Install packages
+#Install packages
 sudo apt install --no-install-recommends tirdad qt5ct qt5-style-plugins arc-theme -y

-# Enabling SUID Disabler and Permission Hardener
+#Enabling SUID Disabler and Permission Hardener
 sudo systemctl enable --now permission-hardening

-# Enable hardened malloc
+#Enable hardened malloc
 echo "/usr/lib/libhardened_malloc.so/libhardened_malloc.so" | sudo tee /etc/ld.so.preload

-# Restrict /proc and access
+#Restrict /proc and access
 sudo systemctl enable --now proc-hidepid.service

-# Reduce kernel information leaks
-# Will break a lot of applications. The apps I use on Whonix work fine with it so I am enabling it.
+#Reduce kernel information leaks
+#Will break a lot of applications. The apps I use on Whonix work fine with it so I am enabling it.
 sudo systemctl enable --now hide-hardware-info.service

 echo "export QT_QPA_PLATFORMTHEME=gtk2" | sudo tee /etc/environment
--- a/whonix/whonix-ws.sh
+++ b/whonix/whonix-ws.sh
@ -14,31 +14,23 @@
 # License for the specific language governing permissions and limitations under
 # the License.

-unpriv(){
-  sudo -u nobody "$@"
-}
-
-# Avoid phased updates
-unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/apt/apt.conf.d/99sane-upgrades | sudo tee /etc/apt/apt.conf.d/99sane-upgrades
-sudo chmod 644 /etc/apt/apt.conf.d/99sane-upgrades
-
-# Install packages
+#Install packages
 sudo apt install --no-install-recommends tirdad qt5ct qt5-style-plugins arc-theme git -y

-# Enabling SUID Disabler and Permission Hardener
+#Enabling SUID Disabler and Permission Hardener
 sudo systemctl enable --now permission-hardening

-# Enable hardened malloc
+#Enable hardened malloc
 echo "/usr/lib/libhardened_malloc.so/libhardened_malloc.so" | sudo tee /etc/ld.so.preload

-# Restrict /proc and access
+#Restrict /proc and access
 sudo systemctl enable --now proc-hidepid.service

-# Reduce kernel information leaks
-# Will break a lot of applications. The apps I use on Whonix work fine with it so I am enabling it.
+#Reduce kernel information leaks
+#Will break a lot of applications. The apps I use on Whonix work fine with it so I am enabling it.
 sudo systemctl enable --now hide-hardware-info.service

-# Theming
+#Theming

 echo "export QT_QPA_PLATFORMTHEME=gtk2" | sudo tee /etc/environment