This commit is contained in:
Tommy 2022-05-26 00:58:21 -04:00 committed by GitHub
parent f5c8a68cc3
commit 2b024242ef
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
6 changed files with 15 additions and 21 deletions


@ -4,4 +4,7 @@ My scripts for setting up QubesOS. Read the scripts and adjust them to your need
1. Run dom0.sh script to set up dom0 1. Run dom0.sh script to set up dom0
2. Download the Fedora Minimal template and use the fedora-minimal.sh script to do basic configuration. Then, create TemplateVMs based on it. The most important thing here is that you replace sys-net and sys-firewall with a minimal version for attack surface reduction. I have been trying to create a minimal template for ProtonVPN, but haven't been able to so far. Any help with this would be appreciated. 2. Download the Fedora Minimal template and use the fedora-minimal.sh script to do basic configuration. Then, create TemplateVMs based on it. The most important thing here is that you replace sys-net and sys-firewall with a minimal version for attack surface reduction. I have been trying to create a minimal template for ProtonVPN, but haven't been able to so far. Any help with this would be appreciated.
3. Run the fedora.sh script to trim down the default Fedora template and do basic configuration. The script includes a systemd user timer `update-user-flatpaks.timer` that you can manually enable on AppVMs. Firefox is also replaced with Brave. Other TemplateVMs should be based on the trimmed down Fedora template. 3. Run the fedora.sh script to trim down the default Fedora template and do basic configuration. The script includes a systemd user timer `update-user-flatpaks.timer` that you can manually enable on AppVMs. Firefox is also replaced with Brave. Other TemplateVMs should be based on the trimmed down Fedora template.
4. Run the whonix_hardening.sh script on both the Whonix Gateway and Workstation templates to enable experimental hardening features. 4. Copy the Fedora template to a Brave template. Run brave.sh to install brave in the brave template. TemplateVMs which need a dedicated browser should be based on the Brave template of the Fedora template. Create a disposable VM based on the Brave template. When you need to open a browser inside of a VM with no browser, Qubes will open it in a disposable VM instead.
5. Run debian.sh to trim down the Debian template.
6. Copy the Debian template to a Kicksecure template, then run kicksecure.sh to morph it into Kicksecure. AppVMs should be based on KickSecure instead of Debian.
7. Run the kicksecure_hardening.sh script on both the Whonix Gateway and Workstation templates to enable experimental hardening features. The same script can be used to harden AppVMs based on KickSecure too, so long as it doesn't stop your app from running.

5
debian/debian.sh vendored

@ -3,9 +3,6 @@
sudo apt purge -y thunderbird emacs emacs-gtk emacs-bin-common emacs-common firefox* keepassxc cups* vim* system-config-printer* xsettingsd xterm* yelp* sudo apt purge -y thunderbird emacs emacs-gtk emacs-bin-common emacs-common firefox* keepassxc cups* vim* system-config-printer* xsettingsd xterm* yelp*
sudo apt autoremove -y sudo apt autoremove -y
sudo apt autoclean sudo apt autoclean
sudo curl --proxy http://127.0.0.1:8082 -fsSLo /usr/share/keyrings/brave-browser-archive-keyring.gpg https://brave-browser-apt-release.s3.brave.com/brave-browser-archive-keyring.gpg
echo "deb [signed-by=/usr/share/keyrings/brave-browser-archive-keyring.gpg arch=amd64] https://brave-browser-apt-release.s3.brave.com/ stable main"|sudo tee /etc/apt/sources.list.d/brave-browser-release.list
sudo apt install -y qt5ct qt5-style-plugins arc-theme sudo apt install -y qt5ct qt5-style-plugins arc-theme
git config --global http.proxy http://127.0.0.1:8082 git config --global http.proxy http://127.0.0.1:8082
@ -31,4 +28,4 @@ sudo cat > /etc/dconf/db/local.d/custom <<- 'EOF'
[org/gnome/desktop/interface] [org/gnome/desktop/interface]
gtk-theme='Arc-Dark' gtk-theme='Arc-Dark'
icon-theme='Arc' icon-theme='Arc'
EOF EOF
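Review bot: The context line of the second hunk, `sudo cat > /etc/dconf/db/local.d/custom <<- 'EOF'`, performs the `>` redirection in the unprivileged calling shell, not under sudo, so unless the script already runs as root the open of `/etc/dconf/db/local.d/custom` fails with permission denied and the heredoc body shown in this hunk is never written. `sudo tee /etc/dconf/db/local.d/custom >/dev/null <<'EOF'` produces the same file with the privileged process doing the write. Two smaller points: `<<-` strips leading tabs only, so any space indentation in the body ends up in the file, and a fragment in local.d only takes effect after `dconf update`, which I cannot see in this hunk; the enclosing script continues outside it.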

11
dom0.sh

@ -1,25 +1,16 @@
#!/bin/bash #!/bin/bash
xfconf-query -c xsettings -p /Net/ThemeName -s 'Arc-Dark'
xfconf-query -c xfwm4 -p /general/theme -s 'Default'
sudo mkdir /etc/gtk-3.0 sudo mkdir /etc/gtk-3.0
echo '[Settings] echo '[Settings]
gtk-theme-name=Arc-Dark gtk-theme-name=Arc-Dark
gtk-application-prefer-dark-theme=1 gtk-application-prefer-dark-theme=1
' | sudo tee /etc/gtk-3.0/settings.ini ' | sudo tee /etc/gtk-3.0/settings.ini
sudo mkdir /etc/gtk-4.0
echo '[Settings]
gtk-theme-name=Arc-Dark
gtk-application-prefer-dark-theme=1
' | sudo tee /etc/gtk-4.0/settings.ini
sudo qubes-dom0-update qubes-u2f-dom0 qubes-yubikey-dom0 qt5ct qt5-qtstyleplugins sudo qubes-dom0-update qubes-u2f-dom0 qubes-yubikey-dom0 qt5ct qt5-qtstyleplugins
qvm-service --enable personal qubes-u2f-proxy qvm-service --enable personal qubes-u2f-proxy
qvm-service --enable work qubes-u2f-proxy qvm-service --enable work qubes-u2f-proxy
echo "export export QT_QPA_PLATFORMTHEME=gtk2" | sudo tee /etc/environment echo "export QT_QPA_PLATFORMTHEME=gtk2" | sudo tee /etc/environment
#Obviously replace vault-gpg with the actual GPG backend that you are using https://www.qubes-os.org/doc/split-gpg/ #Obviously replace vault-gpg with the actual GPG backend that you are using https://www.qubes-os.org/doc/split-gpg/
echo "emails vault-gpg allow" | sudo tee /etc/qubes-rpc/policy/qubes.Gpg echo "emails vault-gpg allow" | sudo tee /etc/qubes-rpc/policy/qubes.Gpg
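Review bot: The corrected line `echo "export QT_QPA_PLATFORMTHEME=gtk2" | sudo tee /etc/environment` still replaces the whole file, because `tee` is used without `-a`, and the `qubes.Gpg` line two lines below does the same to the policy file, so anything already in either file is dropped on every run. If overwriting is the intent, a comment should say so; otherwise `| sudo tee -a /etc/environment` keeps prior settings (for the policy file, after the overwrite `emails vault-gpg allow` is the only rule left and every other caller falls through to the deny default, which is the safe direction but worth stating next to the line). Earlier in the hunk, `sudo mkdir /etc/gtk-3.0` has no `-p`, so a second run prints an error and, since the script sets no `set -e`, carries on regardless; `sudo mkdir -p /etc/gtk-3.0` makes the script rerunnable. The hunk header counts more lines than this rendering shows, so some of the file may be missing here.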

8
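--- a/fedora-brave/brave.sh
+++ b/fedora-brave/brave.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+sudo dnf config-manager --add-repo https://brave-browser-rpm-release.s3.brave.com/x86_64/
+curl --proxy http://127.0.0.1:8082 https://brave-browser-rpm-release.s3.brave.com/brave-core.asc > brave-core.asc
+sudo rpm --import brave-core.asc
+rm -rf brave-core.asc
+echo "gpgcheck=1" | sudo tee /etc/yum.repos.d/brave-browser-rpm-release.s3.brave.com_x86_64_.repo
+sudo dnf install brave-browser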
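Review bot: `echo "gpgcheck=1" | sudo tee /etc/yum.repos.d/brave-browser-rpm-release.s3.brave.com_x86_64_.repo` overwrites the repo file instead of appending, and that filename looks like the one `dnf config-manager --add-repo` on the second line generates from the URL (host and path with `/` turned into `_`), so the section header and `baseurl` it wrote are replaced by a lone `gpgcheck=1` and the final `dnf install` is left with no usable Brave repo; `| sudo tee -a /etc/yum.repos.d/brave-browser-rpm-release.s3.brave.com_x86_64_.repo` keeps the definition. The `curl … > brave-core.asc` line has no `-f`, so on an HTTP error the saved file is the error body and is still handed to `sudo rpm --import`, and because the script never sets `set -e` a failed import does not stop the install; `curl -fsS --proxy http://127.0.0.1:8082 -o brave-core.asc https://brave-browser-rpm-release.s3.brave.com/brave-core.asc` together with `set -e` after the shebang makes a bad download abort before any package is installed. `rm -rf` on a single regular file is more than needed; `rm -f -- brave-core.asc` is enough. The hunk header declares 8 lines but only 7 are visible in this rendering.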


@ -2,12 +2,7 @@
sudo dnf remove firefox thunderbird totem gnome-remote-desktop gnome-calendar gnome-disk-utility gnome-calculators gnome-weather gnome-contacts gnome-clocks gnome-maps gnome-screenshot gnome-logs gnome-character gnome-font-viewer gnome-color-manager simple-scan keepassxc cheese baobab yelp evince* gedit httpd mozilla* -y sudo dnf remove firefox thunderbird totem gnome-remote-desktop gnome-calendar gnome-disk-utility gnome-calculators gnome-weather gnome-contacts gnome-clocks gnome-maps gnome-screenshot gnome-logs gnome-character gnome-font-viewer gnome-color-manager simple-scan keepassxc cheese baobab yelp evince* gedit httpd mozilla* -y
sudo dnf autoremove -y sudo dnf autoremove -y
sudo dnf config-manager --add-repo https://brave-browser-rpm-release.s3.brave.com/x86_64/ sudo dnf install qubes-u2f qubes-gpg-split arc-theme qt5ct qt5-qtstyleplugins ntfs-3g exfatprogs -y
curl --proxy http://127.0.0.1:8082 https://brave-browser-rpm-release.s3.brave.com/brave-core.asc > brave-core.asc
sudo rpm --import brave-core.asc
rm -rf brave-core.asc
echo "gpgcheck=1" | sudo tee /etc/yum.repos.d/brave-browser-rpm-release.s3.brave.com_x86_64_.repo
sudo dnf install brave-browser qubes-u2f qubes-gpg-split arc-theme qt5ct qt5-qtstyleplugins ntfs-3g exfatprogs -y
echo "countme=false" | sudo tee -a /etc/dnf/dnf.conf echo "countme=false" | sudo tee -a /etc/dnf/dnf.conf
git config --global http.proxy http://127.0.0.1:8082 git config --global http.proxy http://127.0.0.1:8082