mirror of https://github.com/tommytran732/QubesOS-Scripts synced 2024-11-23 02:01:32 -05:00

Compare commits


No commits in common. "ca3835cb6887c47a5fff18c5f01e698022153b5f" and "1fbe586041692deb835cff64be5f3c3241e7fb9e" have entirely different histories.

5 changed files with 27 additions and 70 deletions


@ -1,9 +0,0 @@
[Unit]
Description=Run /usr/lib/qubes/qubes-setup-dnat-to-ns when /etc/resolv.conf changes
[Path]
PathChanged=/etc/resolv.conf
Unit=dnat-to-ns.service
[Install]
WantedBy=multi-user.target


@ -1,6 +0,0 @@
[Unit]
Description=Run /usr/lib/qubes/qubes-setup-dnat-to-ns
[Service]
Type=oneshot
ExecStart=/usr/lib/qubes/qubes-setup-dnat-to-ns


@ -14,10 +14,6 @@
# License for the specific language governing permissions and limitations under # License for the specific language governing permissions and limitations under
# the License. # the License.
# Note: Qubes does something that makes the umask for root stay at 022. Need to debug. The umask commands are unnecessary for now.
umask 022
# Install Edge
echo '[microsoft-edge] echo '[microsoft-edge]
name=microsoft-edge name=microsoft-edge
baseurl=https://packages.microsoft.com/yumrepos/edge/ baseurl=https://packages.microsoft.com/yumrepos/edge/
@ -29,26 +25,4 @@ sudo dnf install -y microsoft-edge-stable
sudo mkdir -p /etc/opt/edge/policies/managed/ /etc/opt/edge/policies/recommended/ sudo mkdir -p /etc/opt/edge/policies/managed/ /etc/opt/edge/policies/recommended/
curl --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/TommyTran732/Microsoft-Edge-Policies/main/Linux/managed.json | sudo tee /etc/opt/edge/policies/managed/managed.json curl --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/TommyTran732/Microsoft-Edge-Policies/main/Linux/managed.json | sudo tee /etc/opt/edge/policies/managed/managed.json
curl --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/TommyTran732/Microsoft-Edge-Policies/main/Linux/recommended.json | sudo tee /etc/opt/edge/policies/managed/recommended.json curl --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/TommyTran732/Microsoft-Edge-Policies/main/Linux/recommended.json | sudo tee /etc/opt/edge/policies/managed/recommended.json
# Work around for Edge audio bug
sudo dnf install -y pulseaudio-utils
echo '[Unit]
Description=Run pactl to work around edge audio bug
After=pipewire-pulse.socket
Requires=pipewire-pulse.socket
[Service]
Type=oneshot
ExecStart=/usr/bin/pactl info
[Install]
WantedBy=default.target' | sudo tee /etc/systemd/user/pactl.service
umask 077
# Run `systemctl --user enable --now pactl.service` in your appVM.
# For some uncomprehensible reason, manually enabling pipewire-pulse.service will not work for Edge audio.
# /rw/home/user is broken: https://forum.qubes-os.org/t/how-does-rw-home-user-directory-work/15602
# Using preset doesn't actually work either


@ -23,7 +23,6 @@ sudo systemctl mask debug-shell.service
sudo systemctl mask kdump.service sudo systemctl mask kdump.service
# Setting umask to 077 # Setting umask to 077
# Note: Qubes does something here that makes the umask for root stay at 022. Need to debug.
umask 077 umask 077
sudo sed -i 's/umask 022/umask 077/g' /etc/bashrc sudo sed -i 's/umask 022/umask 077/g' /etc/bashrc
echo 'umask 077' | sudo tee -a /etc/bashrc echo 'umask 077' | sudo tee -a /etc/bashrc
@ -68,10 +67,20 @@ unpriv curl --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/Tomm
sudo dconf update sudo dconf update
umask 077 umask 077
# Setup DNF # Flatpak update service
unpriv curl --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/dnf/dnf.conf | sudo tee /etc/dnf/dnf.conf unpriv curl --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/TommyTran732/QubesOS-Scripts/main/etc/systemd/user/update-user-flatpaks.service | sudo tee /etc/systemd/user/update-user-flatpaks.service
sudo sed -i 's/^metalink=.*/&\&protocol=https/g' /etc/yum.repos.d/* unpriv curl --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/TommyTran732/QubesOS-Scripts/main/etc/systemd/user/update-user-flatpaks.timer | sudo tee /etc/systemd/user/update-user-flatpaks.timer
# Setup networking
# We don't need the usual mac address randomization and stuff here, because this template is not used for sys-net
sudo mkdir -p /etc/systemd/system/NetworkManager.service.d
unpriv curl --proxy http://127.0.0.1:8082 https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/NetworkManager.service.d/99-brace.conf | sudo tee /etc/systemd/system/NetworkManager.service.d/99-brace.conf
# Fix GNOME environment variable
echo 'XDG_CURRENT_DESKTOP=GNOME' | sudo tee -a /etc/environment
# We do the dnf tasks last, because dnf will break after we configure https repos and we need a reboot to fix it.
# Mark packages as manualy installed to avoid removal # Mark packages as manualy installed to avoid removal
sudo dnf mark install flatpak gnome-menus qubes-menus sudo dnf mark install flatpak gnome-menus qubes-menus
@ -116,13 +125,9 @@ sudo dnf remove -y lvm2 rng-tools thermald '*perl*'
sudo dnf config-manager --set-disabled fedora-cisco-openh264 sudo dnf config-manager --set-disabled fedora-cisco-openh264
# Install custom packages # Install custom packages
# gnome-shell is needed for theming to work # gnome-session is needed for theming to work
sudo dnf -y install qubes-ctap qubes-gpg-split adw-gtk3-theme ncurses gnome-console gnome-shell sudo dnf -y install qubes-ctap qubes-gpg-split adw-gtk3-theme ncurses gnome-console gnome-shell
# Flatpak update service
unpriv curl --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/TommyTran732/QubesOS-Scripts/main/etc/systemd/user/update-user-flatpaks.service | sudo tee /etc/systemd/user/update-user-flatpaks.service
unpriv curl --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/TommyTran732/QubesOS-Scripts/main/etc/systemd/user/update-user-flatpaks.timer | sudo tee /etc/systemd/user/update-user-flatpaks.timer
# Setup hardened_malloc # Setup hardened_malloc
sudo dnf -y install 'https://divested.dev/rpm/fedora/divested-release-20231210-2.noarch.rpm' sudo dnf -y install 'https://divested.dev/rpm/fedora/divested-release-20231210-2.noarch.rpm'
sudo dnf config-manager --save --setopt=divested.includepkgs=divested-release,real-ucode,microcode_ctl,amd-ucode-firmware,hardened_malloc sudo dnf config-manager --save --setopt=divested.includepkgs=divested-release,real-ucode,microcode_ctl,amd-ucode-firmware,hardened_malloc
@ -130,12 +135,7 @@ sudo sed -i 's/^metalink=.*/&?protocol=https/g' /etc/yum.repos.d/divested-releas
sudo dnf -y install hardened_malloc sudo dnf -y install hardened_malloc
echo 'libhardened_malloc.so' | sudo tee /etc/ld.so.preload echo 'libhardened_malloc.so' | sudo tee /etc/ld.so.preload
# Setup networking # Setup DNF
# We don't need the usual mac address randomization and stuff here, because this template is not used for sys-net unpriv curl --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/dnf/dnf.conf | sudo tee /etc/dnf/dnf.conf
sudo sed -i 's/^metalink=.*/&\&protocol=https/g' /etc/yum.repos.d/*
# This breaks saving network settings with the Fedora 40 template rn, so I am commenting it out. sudo sed -i 's/&protocol=https//g' /etc/yum.repos.d/divested-release.repo
#sudo mkdir -p /etc/systemd/system/NetworkManager.service.d
#unpriv curl --proxy http://127.0.0.1:8082 https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/NetworkManager.service.d/99-brace.conf | sudo tee /etc/systemd/system/NetworkManager.service.d/99-brace.conf
# Fix GNOME environment variable
echo 'XDG_CURRENT_DESKTOP=GNOME' | sudo tee -a /etc/environment
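Review bot: The `unpriv curl --proxy … | sudo tee …` lines added in the second hunk (update-user-flatpaks.service/.timer, 99-brace.conf) and the dnf.conf fetch in the last hunk install root-owned systemd, NetworkManager and dnf configuration from whatever the pipe delivers. curl is called without `--fail`, so an HTTP error body, or an empty stream after a failed transfer, is still written into place by `tee`, and the URLs follow `main`/`master` rather than a fixed commit, so the content can change between runs without review. I would change these to `unpriv curl --fail --proxy http://127.0.0.1:8082 <URL pinned to a commit> | sudo tee <target>` and check the result before relying on it, or ship the files alongside the script. The unchanged policy downloads in the Edge script use the same pattern; whether the script enables `pipefail` is not visible in these hunks.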


@ -14,17 +14,15 @@
# License for the specific language governing permissions and limitations under # License for the specific language governing permissions and limitations under
# the License. # the License.
unpriv(){
sudo -u nobody "$@"
}
sudo dnf config-manager --add-repo https://repository.mullvad.net/rpm/stable/mullvad.repo sudo dnf config-manager --add-repo https://repository.mullvad.net/rpm/stable/mullvad.repo
sudo dnf install -y mullvad-vpn sudo dnf install mullvad-vpn
sudo systemctl enable mullvad-daemon
sudo mkdir -p /etc/qubes-bind-dirs.d sudo mkdir -p /etc/qubes-bind-dirs.d
echo 'binds+=( '\'''/etc/mullvad-vpn''\'' )' | sudo tee /etc/qubes-bind-dirs.d/50_user.conf sudo tee /etc/qubes-bind-dirs.d/50_user.conf << EOF > /dev/null
binds+=( '/etc/mullvad-vpn' )
EOF
unpriv curl --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/TommyTran732/QubesOS-Scripts/main/etc/systemd/system/dnat-to-ns.service | sudo tee /etc/systemd/system/dnat-to-ns.service # Run these in the AppVM:
unpriv curl --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/TommyTran732/QubesOS-Scripts/main/etc/systemd/system/dnat-to-ns.path | sudo tee /etc/systemd/system/dnat-to-ns.path # echo "sleep 10 # Waiting a bit so that Mullvad can establish connection
# /usr/lib/qubes/qubes-setup-dnat-to-ns" | sudo tee -a /rw/config/rc.local
sudo systemctl enable dnat-to-ns.path
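Review bot: The rc.local snippet in the new comment block runs `/usr/lib/qubes/qubes-setup-dnat-to-ns` once after a fixed `sleep 10`, whereas the removed dnat-to-ns.path unit re-ran it on every change to /etc/resolv.conf. If Mullvad needs longer than ten seconds to connect, or resolv.conf is rewritten on a later reconnect, the DNAT rules for downstream qubes would presumably keep pointing at the earlier resolver, which matters in a VPN qube. Either keep the path-triggered unit or state the limitation in the instructions, e.g. `# Runs once at boot only; re-run qubes-setup-dnat-to-ns after Mullvad reconnects or changes DNS servers`.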