Keep everything consistent with Linux-Setup-Scripts

Signed-off-by: Tommy <contact@tommytran.io>

fedora-minimal/fedora-minimal.sh

@@ -1,6 +1,6 @@
 #!/bin/bash
 
-# Copyright (C) 2023 Thien Tran
+# Copyright (C) 2022-2024 Thien Tran
 #
 # Licensed under the Apache License, Version 2.0 (the "License"); you may not
 # use this file except in compliance with the License. You may obtain a copy of
@@ -14,15 +14,34 @@
 # License for the specific language governing permissions and limitations under
 # the License.
 
-# Blacklisting kernel modules
-curl --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/modprobe.d/30_security-misc.conf | sudo tee /etc/modprobe.d/30_security-misc.conf
+# Compliance
+systemctl mask debug-shell.service
+systemctl mask kdump.service
 
-# Security kernel settings.
-curl --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/Kicksecure/security-misc/master/usr/lib/sysctl.d/990-security-misc.conf | sudo tee /etc/sysctl.d/990-security-misc.conf
-sudo sed -i 's/kernel.yama.ptrace_scope=2/kernel.yama.ptrace_scope=3/g' /etc/sysctl.d/990-security-misc.conf
-curl --proxy http://127.00.1:8082 https://raw.githubusercontent.com/Kicksecure/security-misc/master/usr/lib/sysctl.d/30_silent-kernel-printk.conf | sudo tee /etc/sysctl.d/30_silent-kernel-printk.conf
-curl --proxy http://127.00.1:8082 https://raw.githubusercontent.com/Kicksecure/security-misc/master/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf | sudo tee /etc/sysctl.d/30_security-misc_kexec-disable.conf
+# Setting umask to 077
+umask 077
+sed -i 's/umask 022/umask 077/g' /etc/bashrc
+echo 'umask 077' | tee -a /etc/bashrc
 
-# Setup SSH client
-echo "GSSAPIAuthentication no" > /etc/ssh/ssh_config.d/10-custom.conf
-echo "VerifyHostKeyDNS yes" >> /etc/ssh/ssh_config.d/10-custom.conf
+# Disable timesyncd
+systemctl disable --now systemd-timesyncd
+systemctl mask systemd-timesyncd
+
+# Security kernel settings
+curl --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/modprobe.d/30_security-misc.conf | tee /etc/modprobe.d/30_security-misc.conf
+chmod 644 /etc/modprobe.d/30_security-misc.conf
+sed -i 's/#install msr/install msr/g' /etc/modprobe.d/30_security-misc.conf
+curl --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/Kicksecure/security-misc/master/usr/lib/sysctl.d/990-security-misc.conf | tee /etc/sysctl.d/990-security-misc.conf
+chmod 644 /etc/sysctl.d/990-security-misc.conf
+sed -i 's/kernel.yama.ptrace_scope=2/kernel.yama.ptrace_scope=3/g' /etc/sysctl.d/990-security-misc.conf
+curl --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/Kicksecure/security-misc/master/usr/lib/sysctl.d/30_silent-kernel-printk.conf | tee /etc/sysctl.d/30_silent-kernel-printk.conf
+chmod 644 /etc/sysctl.d/30_silent-kernel-printk.conf
+curl --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/Kicksecure/security-misc/master/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf | tee /etc/sysctl.d/30_security-misc_kexec-disable.conf
+chmod 644 /etc/sysctl.d/30_security-misc_kexec-disable.conf
+# Dracut doesn't seem to work - need to investigate
+# dracut -f
+sysctl -p
+
+# Harden SSH
+curl --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/ssh/ssh_config.d/10-custom.conf | tee /etc/ssh/ssh_config.d/10-custom.conf
+chmod 644 /etc/ssh/ssh_config.d/10-custom.conf

fedora-minimal/sys-net.sh

@@ -1,6 +1,6 @@
 #!/bin/bash
 
-# Copyright (C) 2023 Thien Tran
+# Copyright (C) 2022-2024 Thien Tran
 #
 # Licensed under the Apache License, Version 2.0 (the "License"); you may not
 # use this file except in compliance with the License. You may obtain a copy of
@@ -14,36 +14,29 @@
 # License for the specific language governing permissions and limitations under
 # the License.
 
+# Install necessary packages
 dnf install -y qubes-core-agent-networking qubes-core-agent-network-manager NetworkManager-wifi network-manager-applet notification-daemon gnome-keyring @hardware-support chrony arc-theme
 
-systemctl disable --now systemd-timesyncd
-rm -rf /etc/chrony.conf
-curl --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/chrony.conf -o /etc/chrony.conf
-systemctl enable --now chronyd
-
-# Switch DNSSEC to default / allow-downgrade, as there is no guaranteee that the DNS server obtained via DHCP supports DNSSEC.
-sed -i 's/DNSSEC=yes/#DNSSEC=false/g' /etc/systemd/resolved.conf
-systemctl restart systemd-resolved
+# Setup NTS
+sudo rm -rf /etc/chrony.conf
+curl --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/chrony.conf | tee /etc/chrony.conf
+curl --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/sysconfig/chronyd | tee /etc/sysconfig/chronyd
 
 # Theming
-
 sudo mkdir -p /etc/gtk-3.0
-echo '[Settings]
-gtk-theme-name=Arc-Dark
-gtk-application-prefer-dark-theme=1
-' | sudo tee /etc/gtk-3.0/settings.ini
+curl --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/TommyTran732/QubesOS-Scripts/main/etc/gtk-3.0/settings.ini | tee /etc/gtk-3.0/settings.ini
 
 sudo mkdir -p /etc/gtk-4.0
-echo '[Settings]
-gtk-theme-name=Arc-Dark
-gtk-application-prefer-dark-theme=1
-' | sudo tee /etc/gtk-4.0/settings.ini
+curl --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/TommyTran732/QubesOS-Scripts/main/etc/gtk-4.0/settings.ini | tee /etc/gtk-4.0/settings.ini
 
-echo '[device]
-wifi.scan-rand-mac-address=yes
+# Networking
+curl --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/NetworkManager/conf.d/00-macrandomize.conf | tee /etc/NetworkManager/conf.d/00-macrandomize.conf
+curl --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/NetworkManager/conf.d/01-transient-hostname.conf | tee /etc/NetworkManager/conf.d/01-transient-hostname.conf
+sudo nmcli general reload conf
+sudo hostnamectl hostname 'localhost'
+sudo hostnamectl --transient hostname ''
 
-[connection]
-wifi.cloned-mac-address=random
-ethernet.cloned-mac-address=random
-connection.stable-id=${CONNECTION}/${BOOT}
-' | sudo tee /etc/NetworkManager/conf.d/00-macrandomize.conf
+sudo mkdir -p /etc/systemd/system/NetworkManager.service.d
+curl --proxy http://127.0.0.1:8082 https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/NetworkManager.service.d/99-brace.conf | tee /etc/systemd/system/NetworkManager.service.d/99-brace.conf
+sudo systemctl daemon-reload
+sudo systemctl restart NetworkManager

fedora/edge.sh

@@ -1,10 +1,28 @@
 #!/bin/bash
 
-curl --proxy http://127.0.0.1:8082 -O https://packages.microsoft.com/keys/microsoft.asc
-sudo rpm --import microsoft.asc
-rm microsoft.asc
-sudo dnf config-manager --add-repo https://packages.microsoft.com/yumrepos/edge
+# Copyright (C) 2022-2024 Thien Tran
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy of
+# the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations under
+# the License.
+
+echo '[microsoft-edge]
+name=microsoft-edge
+baseurl=https://packages.microsoft.com/yumrepos/edge/
+enabled=1
+gpgcheck=1
+gpgkey=https://packages.microsoft.com/keys/microsoft.asc' | sudo tee /etc/yum.repos.d/microsoft-edge.repo
+
 sudo dnf install -y microsoft-edge-stable
+
 sudo mkdir -p /etc/opt/edge/policies/managed/ /etc/opt/edge/policies/recommended/
 curl --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/TommyTran732/Microsoft-Edge-Policies/main/Linux/managed.json | sudo tee /etc/opt/edge/policies/managed/managed.json
-curl --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/TommyTran732/Microsoft-Edge-Policies/main/Linux/recommended.json | sudo tee /etc/opt/edge/policies/managed/recommended.json
+curl --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/TommyTran732/Microsoft-Edge-Policies/main/Linux/recommended.json | sudo tee /etc/opt/edge/policies/managed/recommended.json

fedora/fedora-gnome.sh

@@ -0,0 +1,139 @@
+#!/bin/bash
+
+# Copyright (C) 2022-2024 Thien Tran
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy of
+# the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations under
+# the License.
+
+unpriv(){
+  sudo -u nobody "$@"
+}
+
+# Compliance
+sudo systemctl mask debug-shell.service
+sudo systemctl mask kdump.service
+
+# Setting umask to 077
+umask 077
+sudo sed -i 's/umask 022/umask 077/g' /etc/bashrc
+echo 'umask 077' | sudo tee -a /etc/bashrc
+
+# Make home directory private
+sudo chmod 700 /home/*
+
+# Harden SSH
+unpriv curl --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/ssh/ssh_config.d/10-custom.conf | sudo tee /etc/ssh/ssh_config.d/10-custom.conf
+sudo chmod 644 /etc/ssh/ssh_config.d/10-custom.conf
+
+# Security kernel settings
+unpriv curl --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/modprobe.d/30_security-misc.conf | sudo tee /etc/modprobe.d/30_security-misc.conf
+sudo chmod 644 /etc/modprobe.d/30_security-misc.conf
+sudo sed -i 's/#install msr/install msr/g' /etc/modprobe.d/30_security-misc.conf
+unpriv curl --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/Kicksecure/security-misc/master/usr/lib/sysctl.d/990-security-misc.conf | sudo tee /etc/sysctl.d/990-security-misc.conf
+sudo chmod 644 /etc/sysctl.d/990-security-misc.conf
+sudo sed -i 's/kernel.yama.ptrace_scope=2/kernel.yama.ptrace_scope=3/g' /etc/sysctl.d/990-security-misc.conf
+unpriv curl --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/Kicksecure/security-misc/master/usr/lib/sysctl.d/30_silent-kernel-printk.conf | sudo tee /etc/sysctl.d/30_silent-kernel-printk.conf
+sudo chmod 644 /etc/sysctl.d/30_silent-kernel-printk.conf
+unpriv curl --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/Kicksecure/security-misc/master/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf | sudo tee /etc/sysctl.d/30_security-misc_kexec-disable.conf
+sudo chmod 644 /etc/sysctl.d/30_security-misc_kexec-disable.conf
+# Dracut doesn't seem to work - need to investigate
+# dracut -f
+sudo sysctl -p
+
+# Disable coredump
+unpriv curl --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/security/limits.d/30-disable-coredump.conf | sudo tee /etc/security/limits.d/30-disable-coredump.conf
+
+# Setup dconf
+umask 022
+mkdir -p /etc/dconf/db/local.d/locks
+
+unpriv curl --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/dconf/db/local.d/locks/automount-disable | sudo tee /etc/dconf/db/local.d/locks/automount-disable
+unpriv curl --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/dconf/db/local.d/locks/privacy | sudo tee /etc/dconf/db/local.d/locks/privacy
+
+unpriv curl --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/dconf/db/local.d/adw-gtk3-dark | sudo tee /etc/dconf/db/local.d/adw-gtk3-dark
+unpriv curl --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/dconf/db/local.d/automount-disable | sudo tee /etc/dconf/db/local.d/automount-disable
+unpriv curl --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/dconf/db/local.d/button-layout | sudo tee /etc/dconf/db/local.d/button-layout
+unpriv curl --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/dconf/db/local.d/prefer-dark | sudo tee /etc/dconf/db/local.d/prefer-dark
+unpriv curl --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/dconf/db/local.d/privacy | sudo tee /etc/dconf/db/local.d/privacy
+unpriv curl --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/dconf/db/local.d/touchpad | sudo tee /etc/dconf/db/local.d/touchpad
+
+sudo dconf update
+umask 077
+
+# Setup DNF
+unpriv curl --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/dnf/dnf.conf | sudo tee /etc/dnf/dnf.conf
+sudo sed -i 's/^metalink=.*/&\&protocol=https/g' /etc/yum.repos.d/*
+
+# Remove unnecessary stuff from the Qubes template
+sudo dnf -y thunderbird httpd keepassxc rygel
+
+# Remove firefox packages
+sudo dnf -y remove fedora-bookmarks fedora-chromium-config firefox mozilla-filesystem
+
+# Remove Network + hardware tools packages
+sudo dnf -y remove '*cups' nmap-ncat nfs-utils nmap-ncat openssh-server net-snmp-libs net-tools opensc traceroute rsync tcpdump teamd geolite2* mtr dmidecode sgpio
+
+#Remove support for some languages and spelling
+sudo dnf -y remove ibus-typing-booster '*speech*' '*zhuyin*' '*pinyin*' '*m17n*' '*hangul*' '*anthy*' words
+
+#Remove codec + image + printers
+sudo dnf -y remove openh264 ImageMagick* sane* simple-scan
+
+#Remove Active Directory + Sysadmin + reporting tools
+sudo dnf -y remove 'sssd*' realmd cyrus-sasl-gssapi quota* dos2unix kpartx sos samba-client gvfs-smb
+
+#Remove vm and virtual stuff
+sudo dnf -y remove 'podman*' '*libvirt*' 'open-vm*' qemu-guest-agent 'hyperv*' spice-vdagent virtualbox-guest-additions vino xorg-x11-drv-vmware xorg-x11-drv-amdgpu
+
+#Remove NetworkManager
+sudo dnf -y remove NetworkManager-pptp-gnome NetworkManager-ssh-gnome NetworkManager-openconnect-gnome NetworkManager-openvpn-gnome NetworkManager-vpnc-gnome ppp* ModemManager
+
+#Remove Gnome apps
+sudo dnf remove -y chrome-gnome-shell eog gnome-photos gnome-connections gnome-tour gnome-themes-extra gnome-screenshot gnome-remote-desktop gnome-font-viewer gnome-calculator gnome-calendar gnome-contacts \
+    gnome-maps gnome-weather gnome-logs gnome-boxes gnome-disk-utility gnome-clocks gnome-color-manager gnome-characters baobab totem \
+    gnome-shell-extension-background-logo gnome-shell-extension-apps-menu gnome-shell-extension-launch-new-instance gnome-shell-extension-places-menu gnome-shell-extension-window-list \
+    gnome-classic* gnome-user* gnome-text-editor loupe snapshot
+
+#Remove apps
+sudo dnf remove -y rhythmbox yelp evince libreoffice* cheese file-roller* mediawriter
+
+#Remove other packages
+ sudo dnf remove -y lvm2 rng-tools thermald '*perl*' yajl
+
+# Disable openh264 repo
+sudo dnf config-manager --set-disabled fedora-cisco-openh264
+
+# Update packages
+sudo dnf -y upgrade
+
+# Install custom packages
+sudo dnf install qubes-u2f qubes-gpg-split adw-gtk3-theme gnome-console -y
+
+# Flatpak update service
+unpriv curl --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/TommyTran732/QubesOS-Scripts/main/etc/systemd/user/update-user-flatpaks.service | sudo tee /etc/systemd/user/update-user-flatpaks.service
+unpriv curl --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/TommyTran732/QubesOS-Scripts/main/etc/systemd/user/update-user-flatpaks.timer | sudo tee /etc/systemd/user/update-user-flatpaks.timer
+
+# Systemd hardening
+sudo mkdir -p /etc/systemd/system/ModemManager.service.d
+curl --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/divestedcg/Brace/master/brace/usr/lib/systemd/system/ModemManager.service.d/99-brace.conf | sudo tee /etc/systemd/system/ModemManager.service.d/99-brace.conf
+
+# Setup networking
+unpriv curl --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/NetworkManager/conf.d/00-macrandomize.conf | sudo tee /etc/NetworkManager/conf.d/00-macrandomize.conf
+unpriv curl --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/NetworkManager/conf.d/01-transient-hostname.conf | sudo tee /etc/NetworkManager/conf.d/01-transient-hostname.conf
+sudo nmcli general reload conf
+sudo hostnamectl hostname 'localhost'
+sudo hostnamectl --transient hostname ''
+
+sudo mkdir -p /etc/systemd/system/NetworkManager.service.d
+unpriv curl --proxy http://127.0.0.1:8082 https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/NetworkManager.service.d/99-brace.conf | sudo tee /etc/systemd/system/NetworkManager.service.d/99-brace.conf
+sudo systemctl daemon-reload
+sudo systemctl restart NetworkManager

fedora/fedora.sh

@@ -1,99 +0,0 @@
-#!/bin/bash
-
-# Remove unnecessary stuff from the Qubes template
-sudo dnf -y thunderbird httpd keepassxc rygel
-
-# Remove firefox packages
-sudo dnf -y remove fedora-bookmarks fedora-chromium-config firefox mozilla-filesystem
-
-# Remove Network + hardware tools packages
-sudo dnf -y remove '*cups' nmap-ncat nfs-utils nmap-ncat openssh-server net-snmp-libs net-tools opensc traceroute rsync tcpdump teamd geolite2* mtr dmidecode sgpio
-
-# Remove support for some languages and spelling
-sudo dnf -y remove ibus-typing-booster '*speech*' '*zhuyin*' '*pinyin*' '*kkc*' '*m17n*' '*hangul*' '*anthy*' words
-
-# Remove codec + image + printers
-sudo dnf -y remove openh264 ImageMagick* sane* simple-scan
-
-# Remove Active Directory + Sysadmin + reporting tools
-sudo dnf -y remove 'sssd*' realmd adcli cyrus-sasl-plain cyrus-sasl-gssapi mlocate quota* dos2unix kpartx sos abrt samba-client gvfs-smb
-
-# Remove vm and virtual stuff
-sudo dnf -y remove 'podman*' '*libvirt*' 'open-vm*' qemu-guest-agent 'hyperv*' spice-vdagent virtualbox-guest-additions vino xorg-x11-drv-vmware xorg-x11-drv-amdgpu
-sudo dnf autoremove -y
-
-# Remove NetworkManager
-sudo dnf -y remove NetworkManager-pptp-gnome NetworkManager-ssh-gnome NetworkManager-openconnect-gnome NetworkManager-openvpn-gnome NetworkManager-vpnc-gnome ppp* ModemManager
-
-# Remove Gnome apps
-sudo dnf remove -y gnome-photos gnome-connections gnome-tour gnome-themes-extra gnome-screenshot gnome-remote-desktop gnome-font-viewer gnome-calculator gnome-calendar gnome-contacts \
-    gnome-maps gnome-weather gnome-logs gnome-boxes gnome-disk-utility gnome-clocks gnome-color-manager gnome-characters baobab totem \
-    gnome-shell-extension-background-logo gnome-shell-extension-apps-menu gnome-shell-extension-launch-new-instance gnome-shell-extension-places-menu gnome-shell-extension-window-list \
-    gnome-classic* gnome-user* gnome-text-editor chrome-gnome-shell eog
-
-# Remove apps
-sudo dnf remove -y rhythmbox yelp evince libreoffice* cheese file-roller* mediawriter
-
-# Remove other packages
- sudo dnf remove -y lvm2 rng-tools thermald '*perl*' yajl
-
-# Disable openh264 repo
-sudo dnf config-manager --set-disabled fedora-cisco-openh264
-
-# Install custom packages
-sudo dnf install qubes-u2f qubes-gpg-split arc-theme qt5ct qt5-qtstyleplugins -y
-echo "countme=False" | sudo tee -a /etc/dnf/dnf.conf
-
-# Blacklisting kernel modules
-curl --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/modprobe.d/30_security-misc.conf | sudo tee /etc/modprobe.d/30_security-misc.conf
-sudo sed -i 's/#install msr/install msr/g' /etc/modprobe.d/30_security-misc.conf
-
-# Security kernel settings.
-curl --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/Kicksecure/security-misc/master/usr/lib/sysctl.d/990-security-misc.conf | sudo tee /etc/sysctl.d/990-security-misc.conf
-sudo sed -i 's/kernel.yama.ptrace_scope=2/kernel.yama.ptrace_scope=3/g' /etc/sysctl.d/990-security-misc.conf
-curl --proxy http://127.00.1:8082 https://raw.githubusercontent.com/Kicksecure/security-misc/master/usr/lib/sysctl.d/30_silent-kernel-printk.conf | sudo tee /etc/sysctl.d/30_silent-kernel-printk.conf
-curl --proxy http://127.00.1:8082 https://raw.githubusercontent.com/Kicksecure/security-misc/master/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf | sudo tee /etc/sysctl.d/30_security-misc_kexec-disable.conf
-
-# Systemd hardening
-sudo mkdir -p /etc/systemd/system/ModemManager.service.d
-curl --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/divestedcg/Brace/master/brace/usr/lib/systemd/system/ModemManager.service.d/99-brace.conf | sudo tee /etc/systemd/system/ModemManager.service.d/99-brace.conf
-
-# Setup SSH client
-echo "GSSAPIAuthentication no" | sudo tee /etc/ssh/ssh_config.d/10-custom.conf
-echo "VerifyHostKeyDNS yes" | sudo tee -a /etc/ssh/ssh_config.d/10-custom.conf
-
-# Force DNSSEC
-sudo sed -i 's/#DNSSEC=no/DNSSEC=yes/g' /etc/systemd/resolved.conf
-sudo systemctl restart systemd-resolved
-
-# Theming
-
-echo "export QT_QPA_PLATFORMTHEME=gtk2" | sudo tee /etc/environment
-
-echo "[org/gnome/desktop/interface]
-gtk-theme='Arc-Dark'
-
-[org/gnome/desktop/media-handling]
-automount=false
-automount-open=false" | sudo tee /etc/dconf/db/local.d/custom
-
-sudo dconf update
-
-# Flatpak update service
-
-echo "[Unit]
-Description=Update user Flatpaks
-
-[Service]
-Type=oneshot
-ExecStart=/usr/bin/flatpak --user update -y" | sudo tee /etc/systemd/user/update-user-flatpaks.service
-
-echo "[Unit]
-Description=Update user Flatpaks daily
-
-[Timer]
-OnCalendar=daily
-Persistent=true
-
-[Install]
-WantedBy=timers.target" | sudo tee /etc/systemd/user/update-user-flatpaks.timer

fedora/mullvad.sh

@@ -1,19 +1,23 @@
 #!/bin/bash
 
-sudo dnf install -y https://mullvad.net/media/app/MullvadVPN-2022.5_x86_64.rpm
+# Copyright (C) 2022-2024 Thien Tran
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy of
+# the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations under
+# the License.
+
+sudo dnf config-manager --add-repo https://repository.mullvad.net/rpm/stable/mullvad.repo
+sudo dnf install mullvad-vpn
 sudo systemctl enable mullvad-daemon
 
-echo "[org/gnome/desktop/interface]
-gtk-theme='Arc-Dark'
-
-[org/gnome/desktop/media-handling]
-automount=false
-automount-open=false" | sudo tee /etc/dconf/db/local.d/custom
-
-sudo dconf update
-
-sudo rm -rf /usr/share/icons/Arc
-
 sudo mkdir -p /etc/qubes-bind-dirs.d
 sudo tee /etc/qubes-bind-dirs.d/50_user.conf << EOF > /dev/null
 binds+=( '/etc/mullvad-vpn' )

fedora/sys-usb.sh

@@ -1,3 +1,17 @@
 #!/bin/bash
 
+# Copyright (C) 2022-2024 Thien Tran
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy of
+# the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations under
+# the License.
+
 sudo dnf install -y gnome-disk-utility yubioath android-tools

whonix/whonix-gw.sh

@@ -1,6 +1,6 @@
 #!/bin/bash
 
-# Copyright (C) 2023 Thien Tran
+# Copyright (C) 2022-2024 Thien Tran
 #
 # Licensed under the Apache License, Version 2.0 (the "License"); you may not
 # use this file except in compliance with the License. You may obtain a copy of
@@ -19,7 +19,7 @@ unpriv(){
 }
 
 # Avoid phased updates
-unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/apt/apt.conf.d/99sane-upgrades | sudo tee /etc/apt/apt.conf.d/99sane-upgrades
+unpriv curl --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/apt/apt.conf.d/99sane-upgrades | sudo tee /etc/apt/apt.conf.d/99sane-upgrades
 sudo chmod 644 /etc/apt/apt.conf.d/99sane-upgrades
 
 # Install packages
@@ -35,14 +35,11 @@ sudo systemctl enable --now proc-hidepid.service
 # Will break a lot of applications. The apps I use on Whonix work fine with it so I am enabling it.
 sudo systemctl enable --now hide-hardware-info.service
 
-echo "export QT_QPA_PLATFORMTHEME=gtk2" | sudo tee /etc/environment
+# Theming
+unpriv curl --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/TommyTran732/QubesOS-Scripts/main/etc/environment | sudo tee /etc/environment
 
 sudo mkdir -p /etc/gtk-3.0
-echo "[Settings]
-gtk-theme-name=Arc-Dark
-gtk-application-prefer-dark-theme=1" | sudo tee /etc/gtk-3.0/settings.ini
+unpriv curl --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/TommyTran732/QubesOS-Scripts/main/etc/gtk-3.0/settings.ini | sudo tee /etc/gtk-3.0/settings.ini
 
 sudo mkdir -p /etc/gtk-4.0
-echo "[Settings]
-gtk-theme-name=Arc-Dark
-gtk-application-prefer-dark-theme=1" | sudo tee /etc/gtk-4.0/settings.ini
+unpriv curl --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/TommyTran732/QubesOS-Scripts/main/etc/gtk-4.0/settings.ini | sudo tee /etc/gtk-4.0/settings.ini

whonix/whonix-ws.sh

@@ -1,6 +1,6 @@
 #!/bin/bash
 
-# Copyright (C) 2023 Thien Tran
+# Copyright (C) 2022-2024 Thien Tran
 #
 # Licensed under the Apache License, Version 2.0 (the "License"); you may not
 # use this file except in compliance with the License. You may obtain a copy of
@@ -19,7 +19,7 @@ unpriv(){
 }
 
 # Avoid phased updates
-unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/apt/apt.conf.d/99sane-upgrades | sudo tee /etc/apt/apt.conf.d/99sane-upgrades
+unpriv curl --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/apt/apt.conf.d/99sane-upgrades | sudo tee /etc/apt/apt.conf.d/99sane-upgrades
 sudo chmod 644 /etc/apt/apt.conf.d/99sane-upgrades
 
 # Install packages
@@ -36,15 +36,10 @@ sudo systemctl enable --now proc-hidepid.service
 sudo systemctl enable --now hide-hardware-info.service
 
 # Theming
-
-echo "export QT_QPA_PLATFORMTHEME=gtk2" | sudo tee /etc/environment
+unpriv curl --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/TommyTran732/QubesOS-Scripts/main/etc/environment | sudo tee /etc/environment
 
 sudo mkdir -p /etc/gtk-3.0
-echo "[Settings]
-gtk-theme-name=Arc-Dark
-gtk-application-prefer-dark-theme=1" | sudo tee /etc/gtk-3.0/settings.ini
+unpriv curl --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/TommyTran732/QubesOS-Scripts/main/etc/gtk-3.0/settings.ini | sudo tee /etc/gtk-3.0/settings.ini
 
 sudo mkdir -p /etc/gtk-4.0
-echo "[Settings]
-gtk-theme-name=Arc-Dark
-gtk-application-prefer-dark-theme=1" | sudo tee /etc/gtk-4.0/settings.ini
+unpriv curl --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/TommyTran732/QubesOS-Scripts/main/etc/gtk-4.0/settings.ini | sudo tee /etc/gtk-4.0/settings.ini