

7 Commits

Author SHA1 Message Date
40f06239e9
Typo Fix
Signed-off-by: Tommy <contact@tommytran.io>
2024-12-25 06:30:05 -07:00
12c9cbc250
Allow discards 2024-12-25 06:23:11 -07:00
808977f10b
Update dnf-config commands to dnf5 2024-12-25 05:59:51 -07:00
ea20334cd4
Fix NetworkManager hardening 2024-12-25 05:24:11 -07:00
742a5ea93d
Fix Shellcheck 2024-12-25 02:45:45 -07:00
fdcaf6ef28
Fedora GNOME 41 & remove gnome-system-monitor 2024-12-25 02:44:15 -07:00
50f13f3792
Add NetworkManager hardening fix 2024-12-25 02:42:39 -07:00
9 changed files with 26 additions and 23 deletions


@ -166,7 +166,7 @@ Do `ls /dev/disk/by-id` to check the serial numbers and find the correct drive.
sudo fdisk /dev/nvme0n1 sudo fdisk /dev/nvme0n1
[Make 2 partitions. The first one with 1G and the second one with the remaining space.] [Make 2 partitions. The first one with 1G and the second one with the remaining space.]
sudo cryptsetup luksFormat /dev/nvme0n1p2 sudo cryptsetup luksFormat /dev/nvme0n1p2
sudo cryptsetup open /dev/nvme0n1p2 cryptroot sudo cryptsetup open --allow-discards --persistent /dev/nvme0n1p2 cryptroot
sudo mkfs.btrfs --csum blake2b -L qubes_dom0 /dev/mapper/cryptroot sudo mkfs.btrfs --csum blake2b -L qubes_dom0 /dev/mapper/cryptroot
``` ```
@ -213,9 +213,9 @@ Reboot to apply the changes.
### Redundant VM storage ### Redundant VM storage
Make encrypted partition `/dev/nvme1n1p1` as `cryptdata1` and `/dev/nvme2n1p1` as `cryptdata2`. If the same passphrase as `/dev/nvme0n1p1` is used for encryption, all 3 drives will be unlocked with just 1 prompt during boot. Make encrypted partition `/dev/nvme1n1p1` and `/dev/nvme2n1p1`. If the same passphrase as `/dev/nvme0n1p1` is used for encryption, all 3 drives will be unlocked with just 1 prompt during boot.
To get the filesystem UUID of `cryptdata1` and `cryptdata2`, run To get the filesystem UUIDs of of the 2 CRYPTO_LUKS filesystems, run
```bash ```bash
lsblk -o NAME,UUID lsblk -o NAME,UUID
@ -237,7 +237,9 @@ sudo dracut --regenerate-all --force
Make the new RAID 1 BTRFS filesystem: Make the new RAID 1 BTRFS filesystem:
```bash ```bash
sudo mkfs.btrfs --csum blake2b -m raid 1 -d /dev/mapper/cryptdata1 /dev/mapper/cryptdata2 sudo cryptsetup --allow-discards --persistent open /dev/nvme1n1p1 cryptdata1
sudo cryptsetup --allow-discards --persistent open /dev/nvme2n1p1 cryptdata2
sudo mkfs.btrfs --csum blake2b -m raid1 -d raid1 /dev/mapper/cryptdata1 /dev/mapper/cryptdata2
``` ```
**Take note of the UUID**. **Take note of the UUID**.


@ -72,7 +72,7 @@ sudo apt autoremove -y
# Debloat # Debloat
# Remove unnecessary stuff from the Qubes template # Remove unnecessary stuff from the Qubes template
sudo apt purge -y gnome-software thunderbird keepassxc sudo apt purge -y gnome-software gnome-system-monitor thunderbird keepassxc
# Remove Network + hardware tools packages # Remove Network + hardware tools packages
sudo apt purge -y avahi* cups* '*nfs*' rygel '*smtp*' system-config-printer* '*telnet*' sudo apt purge -y avahi* cups* '*nfs*' rygel '*smtp*' system-config-printer* '*telnet*'


@ -38,8 +38,8 @@ sudo chmod +x /etc/qubes-rpc/qubes.VMAuth
# Set qvm-features # Set qvm-features
# Run these after you have installed the fedora-40 and debian-12 templates # Run these after you have installed the fedora-40 and debian-12 templates
# sudo qvm-features fedora-40 default-menu-items 'org.gnome.Nautilus.desktop org.gnome.Ptyxis.desktop' # sudo qvm-features fedora-41 default-menu-items 'org.gnome.Nautilus.desktop org.gnome.Ptyxis.desktop'
# sudo qvm-features fedora-40 netvm-menu-items 'org.gnome.Ptyxis.desktop' # sudo qvm-features fedora-41 netvm-menu-items 'org.gnome.Ptyxis.desktop'
# sudo qvm-features debian-12 default-menu-items 'org.gnome.Console.desktop org.gnome.Nautilus.desktop' # sudo qvm-features debian-12 default-menu-items 'org.gnome.Console.desktop org.gnome.Nautilus.desktop'
# sudo qvm-features debian-12 netvm-menu-items 'org.gnome.Console.desktop' # sudo qvm-features debian-12 netvm-menu-items 'org.gnome.Console.desktop'
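Review bot: The context comment two lines above the changed commands still tells the reader to run them after installing the fedora-40 template, while the commented-out commands now name fedora-41, so the instruction and the commands disagree. Update it to `# Run these after you have installed the fedora-41 and debian-12 templates`. Since these lines are commented out and meant to be copied by hand, the stale template name is the one a reader is most likely to copy.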


@ -83,9 +83,10 @@ download https://raw.githubusercontent.com/TommyTran732/QubesOS-Scripts/main/etc
# Setup networking # Setup networking
# We don't need the usual mac address randomization and stuff here, because this template is not used for sys-net # We don't need the usual mac address randomization and stuff here, because this template is not used for sys-net
# This breaks saving network settings with the Fedora 40 template rn, so I am commenting it out. sudo mkdir -p /etc/systemd/system/NetworkManager.service.d
#sudo mkdir -p /etc/systemd/system/NetworkManager.service.d download https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/NetworkManager.service.d/99-brace.conf /etc/systemd/system/NetworkManager.service.d/99-brace.conf
#unpriv curl --proxy http://127.0.0.1:8082 https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/NetworkManager.service.d/99-brace.conf | sudo tee /etc/systemd/system/NetworkManager.service.d/99-brace.conf sudo sed -i 's@ReadOnlyPaths=/etc/NetworkManager@#ReadOnlyPaths=/etc/NetworkManager@' /etc/systemd/system/NetworkManager.service.d/99-brace.conf
sudo sed -i 's@ReadWritePaths=-/etc/NetworkManager/system-connections@#ReadWritePaths=-/etc/NetworkManager/system-connections@' /etc/systemd/system/NetworkManager.service.d/99-brace.conf
# Disable GJS and WebkitGTK JIT # Disable GJS and WebkitGTK JIT
download https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/environment /etc/environment download https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/environment /etc/environment
@ -94,16 +95,16 @@ download https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main
echo ' echo '
XDG_CURRENT_DESKTOP=GNOME' | sudo tee -a /etc/environment XDG_CURRENT_DESKTOP=GNOME' | sudo tee -a /etc/environment
# Moving DNF handownloading to the bottom as the Qubes template just breaks when repos are changed and needs a reboot to fix # Moving DNF handling to the bottom as the Qubes template just breaks when repos are changed and needs a reboot to fix
# Mark packages as manualy installed to avoid removal
sudo dnf mark install flatpak gnome-menus qubes-menus
# Remove unwanted groups # Remove unwanted groups
sudo dnf -y group remove 'Container Management' 'Desktop accessibility' 'Firefox Web Browser' 'Guest Desktop Agents' 'LibreOffice' 'Printing Support' sudo dnf -y group remove 'Container Management' 'Desktop accessibility' 'Firefox Web Browser' 'Guest Desktop Agents' 'LibreOffice' 'Printing Support'
# Remove unnecessary stuff from the Qubes template # Remove unnecessary stuff from the Qubes template
sudo dnf -y remove gnome-software httpd keepassxc thunderbird sudo dnf -y remove gnome-software gnome-system-monitor amd-ucode-firmware '*gpu*' httpd keepassxc thunderbird
# Remove unnecessary stuff from the Fedora-41 template (will be split into whats in the qubes template and whats upstream later)
sudo dnf -y remove c-ares hiredis
# Remove firefox packages # Remove firefox packages
sudo dnf -y remove fedora-bookmarks fedora-chromium-config firefox mozilla-filesystem sudo dnf -y remove fedora-bookmarks fedora-chromium-config firefox mozilla-filesystem
@ -141,7 +142,7 @@ sudo dnf config-manager --set-disabled fedora-cisco-openh264
# Install custom packages # Install custom packages
# gnome-shell is needed for theming to work # gnome-shell is needed for theming to work
sudo dnf -y install qubes-ctap qubes-gpg-split adw-gtk3-theme ncurses gnome-shell ptyxis sudo dnf -y install qubes-ctap qubes-gpg-split adw-gtk3-theme flatpak ncurses gnome-shell
# Setup hardened_malloc # Setup hardened_malloc
sudo https_proxy=127.0.0.1:8082 dnf copr enable secureblue/hardened_malloc -y sudo https_proxy=127.0.0.1:8082 dnf copr enable secureblue/hardened_malloc -y
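Review bot: The two `sed -i` edits on /etc/systemd/system/NetworkManager.service.d/99-brace.conf in the first hunk exit 0 even when the target line is absent, so if the upstream brace file changes its wording the ReadOnlyPaths line stays active and the "cannot save network settings" breakage this commit fixes comes back with no signal. Add a check after them, e.g. `grep -q '^#ReadOnlyPaths=' /etc/systemd/system/NetworkManager.service.d/99-brace.conf || printf 'warning: NetworkManager drop-in not patched\n' >&2`, and keep a one-line comment explaining why both paths are commented out, because the old comment that documented the reason was removed and un-restricting /etc/NetworkManager is a deliberate loosening of the hardening. In the second hunk, `sudo dnf mark install flatpak gnome-menus qubes-menus` is the dnf4 spelling; if this template's dnf is dnf5, which the `setopt` and `addrepo` rewrites elsewhere in this series imply, the subcommand is `sudo dnf mark user flatpak gnome-menus qubes-menus`.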


@ -25,7 +25,7 @@ download() {
} }
sudo https_proxy=127.0.0.1:8082 dnf copr enable secureblue/hardened-chromium -y sudo https_proxy=127.0.0.1:8082 dnf copr enable secureblue/hardened-chromium -y
sudo dnf config-manager --enable fedora-cisco-openh264 rpmfusion-free rpmfusion-free-updates rpmfusion-nonfree rpmfusion-nonfree-updates sudo dnf config-manager setopt fedora-cisco-openh264.enabled=1 rpmfusion-free.enabled=1 rpmfusion-free-updates.enabled=1 rpmfusion-nonfree.enabled=1 rpmfusion-nonfree-updates.enabled=1
sudo dnf install -y ffmpeg hardened-chromium sudo dnf install -y ffmpeg hardened-chromium
sudo dnf update @multimedia --setopt="install_weak_deps=False" --exclude=PackageKit-gstreamer-plugin sudo dnf update @multimedia --setopt="install_weak_deps=False" --exclude=PackageKit-gstreamer-plugin


@ -24,7 +24,7 @@ download() {
unpriv curl -s --proxy http://127.0.0.1:8082 "${1}" | sudo tee "${2}" > /dev/null unpriv curl -s --proxy http://127.0.0.1:8082 "${1}" | sudo tee "${2}" > /dev/null
} }
sudo dnf config-manager --add-repo https://repo.ivpn.net/stable/fedora/generic/ivpn.repo sudo dnf config-manager addrepo --from-repofile=https://repo.ivpn.net/stable/fedora/generic/ivpn.repo
sudo dnf install -y ivpn-ui sudo dnf install -y ivpn-ui
umask 022 umask 022
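Review bot: The new `dnf config-manager addrepo --from-repofile=https://repo.ivpn.net/stable/fedora/generic/ivpn.repo` has dnf fetch the repo file itself, but unlike the `download` helper just above (curl with `--proxy http://127.0.0.1:8082`) and the `dnf copr enable` lines in the sibling scripts (prefixed with `https_proxy=127.0.0.1:8082`), no proxy is given. If dnf in this template does not already route through the Qubes update proxy via its own configuration, this step will hang or fail in a template without direct networking; prefixing it as `sudo https_proxy=127.0.0.1:8082 dnf config-manager addrepo --from-repofile=https://repo.ivpn.net/stable/fedora/generic/ivpn.repo` would make it consistent with the copr lines. The same applies to the two mullvad `addrepo` lines further down.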


@ -24,6 +24,6 @@ download() {
unpriv curl -s --proxy http://127.0.0.1:8082 "${1}" | sudo tee "${2}" > /dev/null unpriv curl -s --proxy http://127.0.0.1:8082 "${1}" | sudo tee "${2}" > /dev/null
} }
sudo dnf config-manager --enable fedora-cisco-openh264 rpmfusion-free rpmfusion-free-updates rpmfusion-nonfree rpmfusion-nonfree-updates sudo dnf config-manager setopt fedora-cisco-openh264.enabled=1 rpmfusion-free.enabled=1 rpmfusion-free-updates.enabled=1 rpmfusion-nonfree.enabled=1 rpmfusion-nonfree-updates.enabled=1
sudo dnf upgrade -y sudo dnf upgrade -y
sudo dnf install -y ffmpeg yt-dlp sudo dnf install -y ffmpeg yt-dlp


@ -24,8 +24,8 @@ download() {
unpriv curl -s --proxy http://127.0.0.1:8082 "${1}" | sudo tee "${2}" > /dev/null unpriv curl -s --proxy http://127.0.0.1:8082 "${1}" | sudo tee "${2}" > /dev/null
} }
sudo dnf config-manager --add-repo https://repository.mullvad.net/rpm/stable/mullvad.repo sudo dnf config-manager addrepo --from-repofile=https://repository.mullvad.net/rpm/stable/mullvad.repo
sudo dnf config-manager --enable fedora-cisco-openh264 rpmfusion-free rpmfusion-free-updates rpmfusion-nonfree rpmfusion-nonfree-updates sudo dnf config-manager setopt fedora-cisco-openh264.enabled=1 rpmfusion-free.enabled=1 rpmfusion-free-updates.enabled=1 rpmfusion-nonfree.enabled=1 rpmfusion-nonfree-updates.enabled=1
# Install the package # Install the package
sudo dnf install -y ffmpeg mullvad-browser sudo dnf install -y ffmpeg mullvad-browser


@ -24,7 +24,7 @@ download() {
unpriv curl -s --proxy http://127.0.0.1:8082 "${1}" | sudo tee "${2}" > /dev/null unpriv curl -s --proxy http://127.0.0.1:8082 "${1}" | sudo tee "${2}" > /dev/null
} }
sudo dnf config-manager --add-repo https://repository.mullvad.net/rpm/stable/mullvad.repo sudo dnf config-manager addrepo --from-repofile=https://repository.mullvad.net/rpm/stable/mullvad.repo
sudo dnf install -y mullvad-vpn sudo dnf install -y mullvad-vpn
umask 022 umask 022