Tommy 2022-05-28 07:24:27 -04:00 committed by GitHub
parent 1fbe8d8431
commit aba433f6ec
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
18 changed files with 30 additions and 57 deletions

View File

@ -1,17 +1,12 @@
# QubesOS-Scripts # QubesOS-Scripts
My scripts for setting up QubesOS. My scripts for setting up QubesOS.
Running these scripts should be very straight forward. For the default Fedora template, run fedora.sh to trim it down first. For Debian templates, run kicksecure.sh to trim them down and convert them to KickSecure. Note that there are 2 different kicksecure.sh, one for the minimal template, and one for the normal one. Running these scripts should be very straight forward. For the default Fedora template, run fedora.sh to trim it down first. For the Debian template, run kicksecure.sh to trim them down and convert them to KickSecure.
After you are done running those scripts, any other script can be used in a different template based on those trimmed down templates to create their respective virtual machines. After you are done running those scripts, any other script can be used in a different template based on those trimmed down templates to create their respective virtual machines.
I have a script to create a Brave VM based on the normal KickSecure and Fedora templates. The idea behind this is that you would want to use a disposable Brave VM for web browsing most of the time, and have it seperated from your AppVM. If you try to visit a link inside of an AppVM without a browser, qubes will launch a browser inside of a disposable VM for you. Of course, for VMs where you want the browser to stay persistent, you can just base it on the Brave template instead. I have a script to create a Brave VM based on the normal Fedora template. The idea behind this is that you would want to use a disposable Brave VM for web browsing most of the time, and have it seperated from your AppVM. If you try to visit a link inside of an AppVM without a browser, qubes will launch a browser inside of a disposable VM for you. Of course, for VMs where you want the browser to stay persistent, you can just base it on the Brave template instead.
If you want to install Flatpak packages, install them inside of an AppVM as a **user Flatpak** and enable the update-user-flatpaks.service as a **user** systemd service for automatic updates. If you want to install Flatpak packages, install them inside of an AppVM as a **user Flatpak** and enable the update-user-flatpaks.service as a **user** systemd service for automatic updates.
It is recommended that you follow the docs [here](https://www.qubes-os.org/doc/vm-sudo/#replacing-passwordless-root-access-with-dom0-user-prompt) to make a prompt for root access on non-minimal VMs. dom0.sh already takes care dom dom0 so you only need to worry about the guests. It is recommended that you follow the docs [here](https://www.qubes-os.org/doc/vm-sudo/#replacing-passwordless-root-access-with-dom0-user-prompt) to make a prompt for root access on non-minimal VMs. dom0.sh already takes care dom dom0 so you only need to worry about the guests.
# Notes
1. Kicksecure, while having more security mitigation, takes significantly longer than Fedora to launch and generally runs slower.
2. Currently, launching Flatpak apps from the appmenu does not work on KickSecure. I have not been able to find the culprit, so any help would be greatly appreciated.
3. My personal recommendation is use KickSecure for system VMs like sys-net and sys-usb. For normal apps, especially Flatpaks, just use Fedora instead. Of course, the exception to this rule would be when you can only get official binaries for Debian, like with Signal and Element for example.
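Review bot: the Notes section removed on the left carried the recommendation to use KickSecure for sys-net and sys-usb, while this same commit replaces the apt-based sys-net and sys-usb scripts with dnf-based ones; if that recommendation has been reversed, say so in one sentence instead of dropping the guidance silently, especially since "For the Debian template, run kicksecure.sh" is kept. While this paragraph is being rewritten, also fix the typos that survive on the right side: "straight forward", "seperated" and "takes care dom dom0" (presumably "of dom0").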

View File

@ -17,7 +17,7 @@ qvm-service --enable work qubes-u2f-proxy
echo "export QT_QPA_PLATFORMTHEME=gtk2" | sudo tee /etc/environment echo "export QT_QPA_PLATFORMTHEME=gtk2" | sudo tee /etc/environment
#Obviously replace vault-gpg with the actual GPG backend that you are using https://www.qubes-os.org/doc/split-gpg/ #Obviously replace vault-gpg with the actual GPG backend that you are using https://www.qubes-os.org/doc/split-gpg/
echo "emails vault-gpg allow" | sudo tee /etc/qubes-rpc/policy/qubes.Gpg echo "emails vault allow" | sudo tee /etc/qubes-rpc/policy/qubes.Gpg
echo "@anyvm @anyvm ask,default_target=vault-gpg" | sudo tee -a /etc/qubes-rpc/policy/qubes.Gpg echo "@anyvm @anyvm ask,default_target=vault-gpg" | sudo tee -a /etc/qubes-rpc/policy/qubes.Gpg
#Enabling VMAuth - if you want to get the prompt you will still need to configure the guest VMs tho #Enabling VMAuth - if you want to get the prompt you will still need to configure the guest VMs tho
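Review bot: the allow rule now names `vault`, but the ask rule on the next line keeps `default_target=vault-gpg` and the comment above still tells the reader to replace `vault-gpg`; the three should agree on one qube name, otherwise `emails` is allowed to `vault` while every other qube is prompted with `vault-gpg` as the proposed target, which suggests one of the two was meant to be renamed as well. On the unchanged context line, `sudo tee /etc/environment` without `-a` overwrites the whole file rather than appending the `QT_QPA_PLATFORMTHEME` line.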

View File

@ -0,0 +1,3 @@
#!/bin/bash
sudo dnf install -y qubes-core-agent-networking qubes-core-agent-dom0-updates

View File

@ -1,6 +1,6 @@
#!/bin/bash #!/bin/bash
sudo apt install --no-install-recommends qubes-core-agent-networking qubes-core-agent-network-manager wireless-tools notification-daemon gnome-keyring firmware-iwlwifi arc-theme -y sudo dnf install -y qubes-core-agent-networking qubes-core-agent-network-manager NetworkManager-wifi network-manager-applet wireless-tools notification-daemon gnome-keyring @hardware-support arc-theme
sudo mkdir -p /etc/gtk-3.0 sudo mkdir -p /etc/gtk-3.0
echo '[Settings] echo '[Settings]
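Review bot: `@hardware-support` is a broad package group (firmware and drivers for many device classes) standing in for the single `firmware-iwlwifi` package on the left; for a sys-net template, installing only the firmware package for the Wi-Fi chipset actually present keeps the template smaller and the code running in the NetVM narrower. `wireless-tools` (the legacy `iwconfig` set) is also not required by NetworkManager and can be dropped unless it is used by hand.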

View File

@ -0,0 +1,3 @@
#!/bin/bash
sudo dnf install -y qubes-usb-proxy qubes-input-proxy-sender qubes-u2f ykpers

4
fedora/bitwarden.sh Normal file
View File

@ -0,0 +1,4 @@
#!/bin/bash
sudo dnf install -y snapd qubes-snapd-helper
sudo snap install bitwarden
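Review bot: per the Qubes snap documentation, `snapd` and `qubes-snapd-helper` go into the template, but `snap install` is meant to be run in the AppVM, where the helper makes the installed snap persist; as a single script this either bakes the snap into the template or, if run in an AppVM, loses the snapd packages on reboot. Split it the way thunderbird.sh does with its "#Do this in the AppVM" comment. Also, the first `snap install` right after installing snapd commonly fails with "too early for operation, device not yet seeded", so a `sudo snap wait system seed.loaded` (or a reboot) belongs between the two lines.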

View File

@ -4,4 +4,4 @@ sudo dnf install thunderbird -y
#Do this in the AppVM after you have set it up #Do this in the AppVM after you have set it up
#Obviously replace vault-gpg with the actual GPG backend that you are using https://www.qubes-os.org/doc/split-gpg/ #Obviously replace vault-gpg with the actual GPG backend that you are using https://www.qubes-os.org/doc/split-gpg/
#echo "vault-gpg" | sudo tee /rw/config/gpg-split-domain #echo "vault" | sudo tee /rw/config/gpg-split-domain
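Review bot: the comment line above still says to replace `vault-gpg` while the value becomes `vault`; update the comment to match, and note that the qubes.Gpg policy hunk earlier in this commit renames the allow rule to `vault` but leaves `default_target=vault-gpg` in place, so the two files now disagree on the backend qube's name.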

View File

@ -1,6 +1,6 @@
#!/bin/bash #!/bin/bash
sudo dnf remove firefox thunderbird totem gnome-remote-desktop gnome-calendar gnome-disk-utility gnome-calculators gnome-weather gnome-contacts gnome-clocks gnome-maps gnome-screenshot gnome-logs gnome-character gnome-font-viewer gnome-color-manager simple-scan keepassxc cheese baobab yelp evince* gedit httpd mozilla* cups -y sudo dnf remove firefox thunderbird totem gnome-remote-desktop gnome-calendar gnome-disk-utility gnome-calculator gnome-connections gnome-weather gnome-contacts gnome-clocks gnome-maps gnome-screenshot gnome-logs gnome-character gnome-font-viewer gnome-color-manager simple-scan keepassxc cheese baobab yelp evince* gedit httpd mozilla* cups -y
sudo dnf autoremove -y sudo dnf autoremove -y
sudo dnf install qubes-u2f qubes-gpg-split arc-theme qt5ct qt5-qtstyleplugins -y sudo dnf install qubes-u2f qubes-gpg-split arc-theme qt5ct qt5-qtstyleplugins -y
echo "countme=false" | sudo tee -a /etc/dnf/dnf.conf echo "countme=false" | sudo tee -a /etc/dnf/dnf.conf
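Review bot: the spelling fix `gnome-calculators` -> `gnome-calculator` matters more than it looks, because `dnf remove` only prints "No match for argument" for an unknown name and proceeds with the rest, so the calculator was silently staying installed. Two smaller points on the unchanged context: the unquoted globs `evince*` and `mozilla*` are expanded by the shell if a matching file exists in the current directory (quote them so dnf does the matching), and `tee -a /etc/dnf/dnf.conf` appends another `countme=false` every time the script is re-run; guard it with a `grep -q` check.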

View File

@ -1,6 +1,6 @@
#!/bin/bash #!/bin/bash
sudo apt install --no-install-recommends nextcloud-client sudo dnf install -y nextcloud-client
#Adding a DNS entry for my Nextcloud server here so I can add a Firewall rule locking the AppVM to only being able to connect to my server. #Adding a DNS entry for my Nextcloud server here so I can add a Firewall rule locking the AppVM to only being able to connect to my server.
echo "5.226.143.92 cloud.tommytran.io" | sudo tee -a /etc/hosts echo "5.226.143.92 cloud.tommytran.io" | sudo tee -a /etc/hosts
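Review bot: pinning `cloud.tommytran.io` to 5.226.143.92 in the template's /etc/hosts means every AppVM based on it inherits a static mapping that must be updated by hand whenever the server's address changes, and the matching qvm-firewall rule has to change in lockstep; the entry is also appended with `tee -a`, so re-running the script duplicates it. Qubes firewall rules can be given a hostname, which the firewall VM resolves when the rule is loaded, so the hosts pin mainly serves to make the AppVM itself independent of DNS; that intent is worth stating in the comment.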

4
fedora/protonvpn.sh Normal file
View File

@ -0,0 +1,4 @@
#!/bin/bash
curl --proxy http://127.0.0.1:8082/ -O https://protonvpn.com/download/protonvpn-stable-release-1.0.1-1.noarch.rpm
sudo dnf install protonvpn -y
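Review bot: the downloaded `protonvpn-stable-release-1.0.1-1.noarch.rpm` is never installed; the Debian script removed elsewhere in this commit did `apt install ./protonvpn-stable-release_...deb` before `apt install protonvpn`, and the Fedora version needs the equivalent `sudo dnf install -y ./protonvpn-stable-release-1.0.1-1.noarch.rpm` (it is what configures the repository and its signing key) before `dnf install protonvpn` can resolve the package. Also, curl here lacks the `--tlsv1.3 --proto =https` options that the KickSecure key download in this repo uses, and nothing verifies the release package before it is installed as root even though it is the trust root for every package that follows; check its checksum or signature out of band first.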

4
fedora/spotify,sh Normal file
View File

@ -0,0 +1,4 @@
#!/bin/bash
sudo dnf install -y snapd qubes-snapd-helper
sudo snap install spotify
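Review bot: the new file is named `spotify,sh` (comma) rather than `spotify.sh`; the template-versus-AppVM split and the snapd seeding delay raised for bitwarden.sh apply to this script unchanged.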

View File

@ -1,6 +1,6 @@
#!/bin/bash #!/bin/bash
sudo apt install --no-install-recommends qubes-gpg-split arc-theme -y sudo apt install --no-install-recommends qubes-gpg-split yubikey-manager-qt yubioath nitrokey-app arc-theme -y
sudo mkdir -p /etc/gtk-3.0 sudo mkdir -p /etc/gtk-3.0
echo '[Settings] echo '[Settings]
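Review bot: double-check the package name `yubioath` against the Debian bullseye repositories that KickSecure builds on; the Yubico Authenticator desktop application has been packaged there as `yubioath-desktop`, and `apt install` aborts the whole command with "Unable to locate package" when any one name does not resolve, so a wrong name would also leave `qubes-gpg-split` and `arc-theme` uninstalled.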

View File

@ -1,3 +0,0 @@
#!/bin/bash
sudo apt install --no-install-recommends qubes-core-agent-networking iproute qubes-core-agent-dom0-updates -y

View File

@ -1,25 +0,0 @@
#!/bin/bash
#Adding KickSecure's signing key
sudo apt install --no-install-recommends curl -y
curl --proxy http://127.0.0.1:8082/ --tlsv1.3 --proto =https --max-time 180 --output ~/derivative.asc https://www.kicksecure.com/derivative.asc
sudo cp ~/derivative.asc /usr/share/keyrings/derivative.asc
echo "deb [signed-by=/usr/share/keyrings/derivative.asc] https://deb.kicksecure.com bullseye main contrib non-free" | sudo tee /etc/apt/sources.list.d/derivative.list
#Distribution morphing
sudo apt install --no-install-recommends kicksecure-qubes-cli -y
sudo mv /etc/apt/sources.list ~/
sudo touch /etc/apt/sources.list
#Enabling SUID Disabler and Permission Hardener
sudo systemctl enable --now permission-hardening
#Install LKRG
sudo apt install --no-install-recommends lkrg-dkms linux-headers-amd64 -y
#Enable hardened malloc
echo "/usr/lib/libhardened_malloc.so/libhardened_malloc.so" | sudo tee /etc/ld.so.preload
#Reduce kernel information leaks
#Will break a lot of applications. The apps I use on KickSecure work fine with it so I am enabling it.
sudo systemctl enable --now hide-hardware-info.service
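Review bot: deleting this script removes the only copies in this commit of the LKRG, hardened_malloc (`/etc/ld.so.preload`) and `hide-hardware-info.service` steps, while the README hunk above still tells readers to run kicksecure.sh on the Debian template; confirm that the surviving kicksecure.sh (not shown in this diff) still carries those steps, or record in the README which hardening is no longer applied. The `--tlsv1.3 --proto =https --max-time 180` curl invocation here is also the pattern the new Fedora protonvpn.sh download should follow.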

View File

@ -1,3 +0,0 @@
#!/bin/bash
sudo apt install --no-install-recommends qubes-usb-proxy qubes-input-proxy-sender qubes-u2f yubikey-personalization -y

View File

@ -1,6 +0,0 @@
#!/bin/bash
sudo curl --proxy http://127.0.0.1:8082 -fsSLo /usr/share/keyrings/brave-browser-archive-keyring.gpg https://brave-browser-apt-release.s3.brave.com/brave-browser-archive-keyring.gpg
echo "deb [signed-by=/usr/share/keyrings/brave-browser-archive-keyring.gpg arch=amd64] https://brave-browser-apt-release.s3.brave.com/ stable main"|sudo tee /etc/apt/sources.list.d/brave-browser-release.list
sudo apt update
sudo apt install --no-install-recommends brave-browser

View File

@ -1,6 +0,0 @@
#!/bin/bash
curl --proxy http://127.0.0.1:8082/ -O https://protonvpn.com/download/protonvpn-stable-release_1.0.1-1_all.deb
sudo apt install --no-install-recommends ./protonvpn-stable-release_1.0.1-1_all.deb -y
sudo apt update
sudo apt install --no-install-recommends protonvpn -y

3
kicksecure/vlc.sh Normal file
View File

@ -0,0 +1,3 @@
#!/bin/bash
sudo apt install --no-install-recommends vlc -y