Disable hmalloc in Edge VMs

Add xdg-desktop-portal-gtk
Update Trivalent repo
2025-04-30 15:36:26 +02:00 · 2025-04-30 15:33:12 +02:00 · 2025-04-30 15:31:43 +02:00 · 2025-04-30 15:30:21 +02:00 · 2025-03-07 19:38:50 +01:00 · 2025-03-07 19:35:50 +01:00
20 changed files with 131 additions and 61 deletions
--- a/Life.md
+++ b/Life.md
@@ -37,6 +37,12 @@ Lenovo ePrivacy can be controlled through `/proc/acpi/ibm/lcdshadow`. I use the
 - F5: `sudo bash -c 'echo 1 > /proc/acpi/ibm/lcdshadow'`
 - F6: `sudo bash -c 'echo 0 > /proc/acpi/ibm/lcdshadow'`

+### Firefox based browsers
+
+Currently Firefox based browsers [will break](https://github.com/QubesOS/qubes-issues/issues/8612#issuecomment-1764832181) when you try to open a YouTube video in fullscreen if their window is maximized. To workaround this, set `full-screen-api.ignore-widgets` in `about:config` to true. 
+
+I have no idea if this will make you more fingerprintable or not.
+
 ### Bitwarden & Element Flatpak

 These apps require the keyring to be created first to work properly. Simply open a browser like Microsoft Edge and set an empty password for the keyring before using them.
--- a/debian-gnome/debian-gnome.sh
+++ b/debian-gnome/debian-gnome.sh
@@ -1,6 +1,6 @@
 #!/bin/sh

-# Copyright (C) 2022-2024 Lukas Raub
+# Copyright (C) 2022-2025 Lukas Raub
 #
 # Licensed under the Apache License, Version 2.0 (the "License"); you may not
 # use this file except in compliance with the License. You may obtain a copy of
@@ -39,22 +39,22 @@ echo 'umask 077' | sudo tee -a /etc/bash.bashrc
 sudo chmod 700 /home/*

 # Harden SSH
-download https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/ssh/ssh_config.d/10-custom.conf /etc/ssh/ssh_config.d/10-custom.conf
+download https://git.conorz.at/titanz/Linux-Setup-Scripts/raw/branch/development/etc/ssh/ssh_config.d/10-custom.conf /etc/ssh/ssh_config.d/10-custom.conf
 sudo chmod 644 /etc/ssh/ssh_config.d/10-custom.conf

 # Disable coredump
-download https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/security/limits.d/30-disable-coredump.conf /etc/security/limits.d/30-disable-coredump.conf
+download https://git.conorz.at/titanz/Linux-Setup-Scripts/raw/branch/development/etc/security/limits.d/30-disable-coredump.conf /etc/security/limits.d/30-disable-coredump.conf

 # Setup dconf
 umask 022
 sudo mkdir -p /etc/dconf/db/local.d/locks

-download https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/dconf/db/local.d/locks/automount-disable /etc/dconf/db/local.d/locks/automount-disable
-download https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/dconf/db/local.d/locks/privacy /etc/dconf/db/local.d/locks/privacy
+download https://git.conorz.at/titanz/Linux-Setup-Scripts/raw/branch/development/etc/dconf/db/local.d/locks/automount-disable /etc/dconf/db/local.d/locks/automount-disable
+download https://git.conorz.at/titanz/Linux-Setup-Scripts/raw/branch/development/etc/dconf/db/local.d/locks/privacy /etc/dconf/db/local.d/locks/privacy

-download https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/dconf/db/local.d/automount-disable /etc/dconf/db/local.d/automount-disable
-download https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/dconf/db/local.d/prefer-dark /etc/dconf/db/local.d/prefer-dark
-download https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/dconf/db/local.d/privacy /etc/dconf/db/local.d/privacy
+download https://git.conorz.at/titanz/Linux-Setup-Scripts/raw/branch/development/etc/dconf/db/local.d/automount-disable /etc/dconf/db/local.d/automount-disable
+download https://git.conorz.at/titanz/Linux-Setup-Scripts/raw/branch/development/etc/dconf/db/local.d/prefer-dark /etc/dconf/db/local.d/prefer-dark
+download https://git.conorz.at/titanz/Linux-Setup-Scripts/raw/branch/development/etc/dconf/db/local.d/privacy /etc/dconf/db/local.d/privacy

 sudo dconf update
 umask 077
@@ -64,7 +64,7 @@ sudo mkdir -p /etc/xdg-desktop-portal
 download https://git.conorz.at/titanz/QubesOS-Scripts/raw/branch/development/etc/xdg-desktop-portal/portals.conf /etc/xdg-desktop-portal/portals.conf

 # Avoid phased updates
-download https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/apt/apt.conf.d/99sane-upgrades /etc/apt/apt.conf.d/99sane-upgrades
+download https://git.conorz.at/titanz/Linux-Setup-Scripts/raw/branch/development/etc/apt/apt.conf.d/99sane-upgrades /etc/apt/apt.conf.d/99sane-upgrades
 sudo chmod 644 /etc/apt/apt.conf.d/99sane-upgrades


--- a/debian-gnome/element.sh
+++ b/debian-gnome/element.sh
@@ -1,6 +1,6 @@
 #!/bin/sh

-# Copyright (C) 2022-2024 Lukas Raub
+# Copyright (C) 2022-2025 Lukas Raub
 #
 # Licensed under the Apache License, Version 2.0 (the "License"); you may not
 # use this file except in compliance with the License. You may obtain a copy of
@@ -25,7 +25,7 @@ download() {
 }

 download https://packages.element.io/debian/element-io-archive-keyring.gpg /usr/share/keyrings/element-io-archive-keyring.gpg
-download https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/refs/heads/main/etc/apt/sources.list.d/element-io.sources /etc/apt/sources.list.d/element-io.sources
+download https://git.conorz.at/titanz/Linux-Setup-Scripts/raw/branch/development/etc/apt/sources.list.d/element-io.sources /etc/apt/sources.list.d/element-io.sources

 sudo apt update
 sudo apt install -y element-desktop
--- a/debian-gnome/sys-usb.sh
+++ b/debian-gnome/sys-usb.sh
@@ -1,6 +1,6 @@
 #!/bin/sh

-# Copyright (C) 2022-2024 Lukas Raub
+# Copyright (C) 2022-2025 Lukas Raub
 #
 # Licensed under the Apache License, Version 2.0 (the "License"); you may not
 # use this file except in compliance with the License. You may obtain a copy of
@@ -26,6 +26,6 @@ download() {

 curl -s --proxy http://127.0.0.1:8082 -L https://github.com/trustcrypto/OnlyKey-App/releases/download/v5.5.0/OnlyKey_5.5.0_amd64.deb -O

-sudo apt install gnome-disk-utility ./OnlyKey_5.5.0_amd64.deb
+sudo apt install gnome-disk-utility qubes-video-companion ./OnlyKey_5.5.0_amd64.deb

 sudo systemctl disable --now hide-hardware-info.service
--- a/dom0.sh
+++ b/dom0.sh
@@ -1,6 +1,6 @@
 #!/bin/bash

-# Copyright (C) 2023-2024 Lukas Raub
+# Copyright (C) 2023-2025 Lukas Raub
 #
 # Licensed under the Apache License, Version 2.0 (the "License"); you may not
 # use this file except in compliance with the License. You may obtain a copy of
@@ -20,7 +20,7 @@ set -eu -o pipefail
 sudo sed -i 's/issue_discards = 0/issue_discards = 1/' /etc/lvm/lvm.conf
 sudo systemctl enable --now fstrim.timer

-sudo qubes-dom0-update anti-evil-maid qubes-ctap-dom0 qt5-qtstyleplugins
+sudo qubes-dom0-update anti-evil-maid qubes-ctap-dom0 qubes-video-companion-dom0 qt5-qtstyleplugins

 # Configure PCRs
 sudo sed -i 's/ --pcr 19//' /etc/anti-evil-maid.conf
--- a/fedora-gnome/development.sh
+++ b/fedora-gnome/development.sh
@@ -0,0 +1,57 @@
+#!/bin/sh
+
+# Copyright (C) 2022-2025 Thien Tran
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy of
+# the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations under
+# the License.
+
+# Base this on the microsoft-edge TemplateVM
+
+set -eu -o pipefail
+
+unpriv(){
+  sudo -u nobody "${@}"
+}
+
+download() {
+  unpriv curl -s --proxy http://127.0.0.1:8082 "${1}" | sudo tee "${2}" > /dev/null
+}
+
+echo '[code]
+name=Visual Studio Code
+baseurl=https://packages.microsoft.com/yumrepos/vscode/
+enabled=1
+gpgcheck=1
+gpgkey=https://packages.microsoft.com/keys/microsoft.asc' | sudo tee /etc/yum.repos.d/vscode.repo
+
+echo '[shiftkey-packages]
+name=GitHub Desktop
+baseurl=https://rpm.packages.shiftkey.dev/rpm/
+enabled=1
+gpgcheck=1
+repo_gpgcheck=1
+gpgkey=https://rpm.packages.shiftkey.dev/gpg.key' | sudo tee /etc/yum.repos.d/shiftkey-packages.repo
+
+sudo dnf config-manager addrepo --from-repofile=https://download.docker.com/linux/fedora/docker-ce.repo
+
+sudo dnf install -y butane code docker-ce docker-buildx-plugin docker-compose-plugin git github-desktop
+
+sudo systemctl enable --now docker
+sudo usermod -aG docker user
+
+# Change the GPG Domain name appropriately
+echo 'QUBES_GPG_DOMAIN=sys-gpg' | sudo tee -a /etc/environment
+
+umask 022
+
+sudo mkdir -p /etc/qubes-bind-dirs.d
+echo 'binds+=( '\'''/var/lib/docker''\'' )' | sudo tee /etc/qubes-bind-dirs.d/50_user.conf 
--- a/fedora-gnome/ente.sh
+++ b/fedora-gnome/ente.sh
@@ -1,6 +1,6 @@
 #!/bin/sh

-# Copyright (C) 2022-2024 Lukas Raub
+# Copyright (C) 2022-2025 Lukas Raub
 #
 # Licensed under the Apache License, Version 2.0 (the "License"); you may not
 # use this file except in compliance with the License. You may obtain a copy of
--- a/fedora-gnome/fedora-gnome.sh
+++ b/fedora-gnome/fedora-gnome.sh
@@ -1,6 +1,6 @@
 #!/bin/sh

-# Copyright (C) 2022-2024 Lukas Raub
+# Copyright (C) 2022-2025 Lukas Raub
 #
 # Licensed under the Apache License, Version 2.0 (the "License"); you may not
 # use this file except in compliance with the License. You may obtain a copy of
@@ -37,30 +37,30 @@ sudo sed -i 's/umask 022/umask 077/g' /etc/bashrc
 sudo chmod 700 /home/*

 # Harden SSH
-download https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/ssh/ssh_config.d/10-custom.conf /etc/ssh/ssh_config.d/10-custom.conf
+download https://git.conorz.at/titanz/Linux-Setup-Scripts/raw/branch/development/etc/ssh/ssh_config.d/10-custom.conf /etc/ssh/ssh_config.d/10-custom.conf

 # Security kernel settings
 download https://raw.githubusercontent.com/secureblue/secureblue/live/files/system/etc/modprobe.d/blacklist.conf /etc/modprobe.d/workstation-blacklist.conf
-download https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/sysctl.d/99-workstation.conf /etc/sysctl.d/99-workstation.conf
+download https://git.conorz.at/titanz/Linux-Setup-Scripts/raw/branch/development/etc/sysctl.d/99-workstation.conf /etc/sysctl.d/99-workstation.conf
 # Dracut doesn't seem to work - need to investigate
 # dracut -f
 sudo sysctl -p

 # Disable coredump
-download https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/security/limits.d/30-disable-coredump.conf /etc/security/limits.d/30-disable-coredump.conf
+download https://git.conorz.at/titanz/Linux-Setup-Scripts/raw/branch/development/etc/security/limits.d/30-disable-coredump.conf /etc/security/limits.d/30-disable-coredump.conf
 sudo mkdir -p /etc/systemd/coredump.conf.d
-download https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/systemd/coredump.conf.d/disable.conf /etc/systemd/coredump.conf.d/disable.conf
+download https://git.conorz.at/titanz/Linux-Setup-Scripts/raw/branch/development/etc/systemd/coredump.conf.d/disable.conf /etc/systemd/coredump.conf.d/disable.conf

 # Setup dconf
 sudo mkdir -p /etc/dconf/db/local.d/locks

-download https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/dconf/db/local.d/locks/automount-disable /etc/dconf/db/local.d/locks/automount-disable
-download https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/dconf/db/local.d/locks/privacy /etc/dconf/db/local.d/locks/privacy
+download https://git.conorz.at/titanz/Linux-Setup-Scripts/raw/branch/development/etc/dconf/db/local.d/locks/automount-disable /etc/dconf/db/local.d/locks/automount-disable
+download https://git.conorz.at/titanz/Linux-Setup-Scripts/raw/branch/development/etc/dconf/db/local.d/locks/privacy /etc/dconf/db/local.d/locks/privacy

-download https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/dconf/db/local.d/adw-gtk3-dark /etc/dconf/db/local.d/adw-gtk3-dark
-download https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/dconf/db/local.d/automount-disable /etc/dconf/db/local.d/automount-disable
-download https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/dconf/db/local.d/prefer-dark /etc/dconf/db/local.d/prefer-dark
-download https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/dconf/db/local.d/privacy /etc/dconf/db/local.d/privacy
+download https://git.conorz.at/titanz/Linux-Setup-Scripts/raw/branch/development/etc/dconf/db/local.d/adw-gtk3-dark /etc/dconf/db/local.d/adw-gtk3-dark
+download https://git.conorz.at/titanz/Linux-Setup-Scripts/raw/branch/development/etc/dconf/db/local.d/automount-disable /etc/dconf/db/local.d/automount-disable
+download https://git.conorz.at/titanz/Linux-Setup-Scripts/raw/branch/development/etc/dconf/db/local.d/prefer-dark /etc/dconf/db/local.d/prefer-dark
+download https://git.conorz.at/titanz/Linux-Setup-Scripts/raw/branch/development/etc/dconf/db/local.d/privacy /etc/dconf/db/local.d/privacy

 sudo dconf update

@@ -69,7 +69,7 @@ sudo mkdir -p /etc/xdg-desktop-portal
 download https://git.conorz.at/titanz/QubesOS-Scripts/raw/branch/development/etc/xdg-desktop-portal/portals.conf /etc/xdg-desktop-portal/portals.conf

 # Setup ZRAM
-download https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/systemd/zram-generator.conf /etc/systemd/zram-generator.conf
+download https://git.conorz.at/titanz/Linux-Setup-Scripts/raw/branch/development/etc/systemd/zram-generator.conf /etc/systemd/zram-generator.conf

 # Flatpak update service
 download https://git.conorz.at/titanz/QubesOS-Scripts/raw/branch/development/etc/systemd/user/update-user-flatpaks.service /etc/systemd/user/update-user-flatpaks.service
@@ -84,7 +84,7 @@ sudo sed -i 's@ReadOnlyPaths=/etc/NetworkManager@#ReadOnlyPaths=/etc/NetworkMana
 sudo sed -i 's@ReadWritePaths=-/etc/NetworkManager/system-connections@#ReadWritePaths=-/etc/NetworkManager/system-connections@' /etc/systemd/system/NetworkManager.service.d/99-brace.conf

 # Disable GJS and WebkitGTK JIT
-download https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/environment /etc/environment
+download https://git.conorz.at/titanz/Linux-Setup-Scripts/raw/branch/development/etc/environment /etc/environment

 # Fix GNOME environment variable
 echo '
@@ -133,11 +133,10 @@ sudo dnf remove -y abrt* cheese evince file-roller* libreoffice* mediawriter rhy
 sudo dnf remove -y lvm2 rng-tools thermald '*perl*'

 # Disable openh264 repo
-sudo dnf config-manager --set-disabled fedora-cisco-openh264
+sudo dnf config-manager setopt fedora-cisco-openh264.enabled=0

 # Install custom packages
-# gnome-shell is needed for theming to work
-sudo dnf -y install qubes-ctap qubes-gpg-split adw-gtk3-theme flatpak ncurses
+sudo dnf -y install qubes-ctap qubes-gpg-split adw-gtk3-theme flatpak ncurses xdg-desktop-portal-gtk

 # Setup hardened_malloc
 sudo https_proxy=127.0.0.1:8082 dnf copr enable secureblue/hardened_malloc -y
@@ -150,5 +149,5 @@ sudo flatpak override --system --filesystem=host-os:ro --env=LD_PRELOAD=/var/run
 flatpak override --user --filesystem=host-os:ro --env=LD_PRELOAD=/var/run/host/usr/lib64/libhardened_malloc.so

 # Setup DNF
-download https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/dnf/dnf.conf /etc/dnf/dnf.conf
+download https://git.conorz.at/titanz/Linux-Setup-Scripts/raw/branch/development/etc/dnf/dnf.conf /etc/dnf/dnf.conf
 sudo sed -i 's/^metalink=.*/&\&protocol=https/g' /etc/yum.repos.d/*
--- a/fedora-gnome/ivpn.sh
+++ b/fedora-gnome/ivpn.sh
@@ -1,6 +1,6 @@
 #!/bin/sh

-# Copyright (C) 2022-2024 Lukas Raub
+# Copyright (C) 2022-2025 Lukas Raub
 #
 # Licensed under the Apache License, Version 2.0 (the "License"); you may not
 # use this file except in compliance with the License. You may obtain a copy of
--- a/fedora-gnome/microsoft-edge.sh
+++ b/fedora-gnome/microsoft-edge.sh
@@ -1,6 +1,6 @@
 #!/bin/sh

-# Copyright (C) 2022-2024 Lukas Raub
+# Copyright (C) 2022-2025 Lukas Raub
 #
 # Licensed under the Apache License, Version 2.0 (the "License"); you may not
 # use this file except in compliance with the License. You may obtain a copy of
@@ -34,11 +34,11 @@ enabled=1
 gpgcheck=1
 gpgkey=https://packages.microsoft.com/keys/microsoft.asc' | sudo tee /etc/yum.repos.d/microsoft-edge.repo

-sudo dnf install -y microsoft-edge-stable
+sudo dnf install -y microsoft-edge-stable qubes-video-companion

 sudo mkdir -p /etc/opt/edge/policies/managed/ /etc/opt/edge/policies/recommended/
-download https://raw.githubusercontent.com/TommyTran732/Microsoft-Edge-Policies/main/Linux/managed.json /etc/opt/edge/policies/managed/managed.json
-download https://raw.githubusercontent.com/TommyTran732/Microsoft-Edge-Policies/main/Linux/recommended.json /etc/opt/edge/policies/recommended/recommended.json
+download https://git.conorz.at/titanz/Microsoft-Edge-Policies/raw/branch/development/Linux/managed.json /etc/opt/edge/policies/managed/managed.json
+download https://git.conorz.at/titanz/Microsoft-Edge-Policies/raw/branch/development/Linux/recommended.json /etc/opt/edge/policies/recommended/recommended.json

 # Workaround for this problem: https://forum.qubes-os.org/t/upgraded-to-4-2-and-audio-no-longer-works/23130/60
 sudo dnf install -y pulseaudio-utils
@@ -57,6 +57,10 @@ WantedBy=default.target' | sudo tee /etc/systemd/user/pactl.service

 umask 077

+# Disable hardened_malloc (for now)
+# It causes Edge to crash at launch most of the time
+sudo rm /etc/ld.so.preload
+
 # Run `systemctl --user enable --now pactl.service` in your appVM.
 # For some uncomprehensible reason, manually enabling pipewire-pulse.service will not work for Edge audio.
 # Using preset doesn't actually work :/
--- a/fedora-gnome/mullvad-browser.sh
+++ b/fedora-gnome/mullvad-browser.sh
@@ -1,6 +1,6 @@
 #!/bin/sh

-# Copyright (C) 2024 Lukas Raub
+# Copyright (C) 2024-2025 Lukas Raub
 #
 # Licensed under the Apache License, Version 2.0 (the "License"); you may not
 # use this file except in compliance with the License. You may obtain a copy of
@@ -28,9 +28,12 @@ sudo dnf config-manager addrepo --from-repofile=https://repository.mullvad.net/r
 sudo dnf config-manager setopt fedora-cisco-openh264.enabled=1 rpmfusion-free.enabled=1 rpmfusion-free-updates.enabled=1 rpmfusion-nonfree.enabled=1 rpmfusion-nonfree-updates.enabled=1

 # Install the package
-sudo dnf install -y ffmpeg ffmpegthumbnailer mullvad-browser
+sudo dnf install -y ffmpeg ffmpegthumbnailer mullvad-browser yt-dlp
 sudo dnf update -y @multimedia --setopt="install_weak_deps=False" --exclude=PackageKit-gstreamer-plugin

+# Install dependencies for other apps not listed here
+sudo dnf install -y python3-pip
+
 # Disable hardened_malloc (for now)
 # It causes Mullvad browser to randomly crash
 sudo rm /etc/ld.so.preload
--- a/fedora-gnome/mullvad.sh
+++ b/fedora-gnome/mullvad.sh
@@ -1,6 +1,6 @@
 #!/bin/sh

-# Copyright (C) 2022-2024 Lukas Raub
+# Copyright (C) 2022-2025 Lukas Raub
 #
 # Licensed under the Apache License, Version 2.0 (the "License"); you may not
 # use this file except in compliance with the License. You may obtain a copy of
--- a/fedora-gnome/sys-usb.sh
+++ b/fedora-gnome/sys-usb.sh
@@ -1,6 +1,6 @@
 #!/bin/sh

-# Copyright (C) 2022-2024 Lukas Raub
+# Copyright (C) 2022-2025 Lukas Raub
 #
 # Licensed under the Apache License, Version 2.0 (the "License"); you may not
 # use this file except in compliance with the License. You may obtain a copy of
--- a/fedora-gnome/thunderbird.sh
+++ b/fedora-gnome/thunderbird.sh
@@ -24,10 +24,11 @@ download() {
  unpriv curl -s --proxy http://127.0.0.1:8082 "${1}" | sudo tee "${2}" > /dev/null
 }

-sudo dnf install -y thunderbird
+sudo dnf install -y thunderbird libglvnd-opengl
+sudo dnf install -y https://proton.me/download/bridge/protonmail-bridge-3.16.0-1.x86_64.rpm

 # Change the GPG Domain name appropriately
-echo 'QUBES_GPG_DOMAIN=vault' | sudo tee -a /etc/environment
+echo 'QUBES_GPG_DOMAIN=sys-gpg' | sudo tee -a /etc/environment

 # Disable hardened_malloc (for now)
 sudo rm /etc/ld.so.preload
--- a/fedora-gnome/trivalent.sh
+++ b/fedora-gnome/trivalent.sh
@@ -1,6 +1,6 @@
 #!/bin/sh

-# Copyright (C) 2024 Lukas Raub
+# Copyright (C) 2024-2025 Lukas Raub
 #
 # Licensed under the Apache License, Version 2.0 (the "License"); you may not
 # use this file except in compliance with the License. You may obtain a copy of
@@ -24,7 +24,7 @@ download() {
  unpriv curl -s --proxy http://127.0.0.1:8082 "${1}" | sudo tee "${2}" > /dev/null
 }

-sudo https_proxy=127.0.0.1:8082 dnf copr enable secureblue/trivalent -y
+sudo dnf config-manager addrepo --from-repofile=https://repo.secureblue.dev/secureblue.repo
 sudo dnf config-manager setopt fedora-cisco-openh264.enabled=1 rpmfusion-free.enabled=1 rpmfusion-free-updates.enabled=1 rpmfusion-nonfree.enabled=1 rpmfusion-nonfree-updates.enabled=1
 sudo dnf install -y ffmpeg trivalent
 sudo dnf update @multimedia --setopt="install_weak_deps=False" --exclude=PackageKit-gstreamer-plugin
--- a/fedora-gnome/vault.sh
+++ b/fedora-gnome/vault.sh
@@ -1,6 +1,6 @@
 #!/bin/sh

-# Copyright (C) 2022-2024 Lukas Raub
+# Copyright (C) 2022-2025 Lukas Raub
 #
 # Licensed under the Apache License, Version 2.0 (the "License"); you may not
 # use this file except in compliance with the License. You may obtain a copy of
@@ -24,10 +24,10 @@ download() {
  unpriv curl -s --proxy http://127.0.0.1:8082 "${1}" | sudo tee "${2}" > /dev/null
 }

-download https://raw.githubusercontent.com/TommyTran732/QubesOS-Scripts/main/etc/qubes-rpc/qubes.SshAgent /etc/qubes-rpc/qubes.SshAgent
+download https://git.conorz.at/titanz/QubesOS-Scripts/raw/branch/development/etc/qubes-rpc/qubes.SshAgent /etc/qubes-rpc/qubes.SshAgent
 sudo chmod +x /etc/qubes-rpc/qubes.SshAgent

 # Not using openssh-askpass here, because of this bug:
 # https://github.com/QubesOS/qubes-issues/issues/9741

-sudo dnf install -y keepassxc
+sudo dnf install -y keepassxc okular pinentry-gnome3
--- a/fedora-minimal/fedora-minimal.sh
+++ b/fedora-minimal/fedora-minimal.sh
@@ -1,6 +1,6 @@
 #!/bin/sh

-# Copyright (C) 2022-2024 Lukas Raub
+# Copyright (C) 2022-2025 Lukas Raub
 #
 # Licensed under the Apache License, Version 2.0 (the "License"); you may not
 # use this file except in compliance with the License. You may obtain a copy of
@@ -42,19 +42,19 @@ systemctl disable --now systemd-timesyncd
 systemctl mask systemd-timesyncd

 # Harden SSH
-download https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/ssh/ssh_config.d/10-custom.conf /etc/ssh/ssh_config.d/10-custom.conf
+download https://git.conorz.at/titanz/Linux-Setup-Scripts/raw/branch/development/etc/ssh/ssh_config.d/10-custom.conf /etc/ssh/ssh_config.d/10-custom.conf
 chmod 644 /etc/ssh/ssh_config.d/10-custom.conf

 # Security kernel settings
 download https://raw.githubusercontent.com/secureblue/secureblue/live/files/system/usr/etc/modprobe.d/blacklist.conf /etc/modprobe.d/workstation-blacklist.conf
 sudo chmod 644 /etc/modprobe.d/workstation-blacklist.conf
-download https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/sysctl.d/99-workstation.conf /etc/sysctl.d/99-workstation.conf
+download https://git.conorz.at/titanz/Linux-Setup-Scripts/raw/branch/development/etc/sysctl.d/99-workstation.conf /etc/sysctl.d/99-workstation.conf
 # Dracut doesn't seem to work - need to investigate
 # dracut -f
 # sudo sysctl -p

 # Setup ZRAM
-download https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/systemd/zram-generator.conf /etc/systemd/zram-generator.conf
+download https://git.conorz.at/titanz/Linux-Setup-Scripts/raw/branch/development/etc/systemd/zram-generator.conf /etc/systemd/zram-generator.conf

 # Install necessary packages
 sudo dnf install -y qubes-core-agent-selinux
--- a/fedora-minimal/sys-net.sh
+++ b/fedora-minimal/sys-net.sh
@@ -1,6 +1,6 @@
 #!/bin/sh

-# Copyright (C) 2022-2024 Lukas Raub
+# Copyright (C) 2022-2025 Lukas Raub
 #
 # Licensed under the Apache License, Version 2.0 (the "License"); you may not
 # use this file except in compliance with the License. You may obtain a copy of
@@ -30,7 +30,7 @@ sudo dnf install -y @hardware-support arc-theme chrony gnome-keyring fwupd-qubes
 # Setup NTS
 sudo rm -rf /etc/chrony.conf
 download https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/chrony.conf /etc/chrony.conf
-download https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/sysconfig/chronyd /etc/sysconfig/chronyd
+download https://git.conorz.at/titanz/Linux-Setup-Scripts/raw/branch/development/etc/sysconfig/chronyd /etc/sysconfig/chronyd

 # Theming
 sudo mkdir -p /etc/gtk-3.0
@@ -40,8 +40,8 @@ sudo mkdir -p /etc/gtk-4.0
 download https://git.conorz.at/titanz/QubesOS-Scripts/raw/branch/development/etc/gtk-4.0/settings.ini /etc/gtk-4.0/settings.ini

 # Networking
-download https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/NetworkManager/conf.d/00-macrandomize.conf /etc/NetworkManager/conf.d/00-macrandomize.conf
-download https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/NetworkManager/conf.d/01-transient-hostname.conf /etc/NetworkManager/conf.d/01-transient-hostname.conf
+download https://git.conorz.at/titanz/Linux-Setup-Scripts/raw/branch/development/etc/NetworkManager/conf.d/00-macrandomize.conf /etc/NetworkManager/conf.d/00-macrandomize.conf
+download https://git.conorz.at/titanz/Linux-Setup-Scripts/raw/branch/development/etc/NetworkManager/conf.d/01-transient-hostname.conf /etc/NetworkManager/conf.d/01-transient-hostname.conf
 sudo hostnamectl hostname 'localhost'
 sudo hostnamectl --transient hostname ''

--- a/whonix/whonix-gateway.sh
+++ b/whonix/whonix-gateway.sh
@@ -1,6 +1,6 @@
 #!/bin/sh

-# Copyright (C) 2022-2024 Lukas Raub
+# Copyright (C) 2022-2025 Lukas Raub
 #
 # Licensed under the Apache License, Version 2.0 (the "License"); you may not
 # use this file except in compliance with the License. You may obtain a copy of
@@ -35,7 +35,7 @@ echo 'umask 077' | sudo tee -a /etc/bash.bashrc
 sudo chmod 700 /home/*

 # Avoid phased updates
-download https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/apt/apt.conf.d/99sane-upgrades /etc/apt/apt.conf.d/99sane-upgrades > /dev/null
+download https://git.conorz.at/titanz/Linux-Setup-Scripts/raw/branch/development/etc/apt/apt.conf.d/99sane-upgrades /etc/apt/apt.conf.d/99sane-upgrades > /dev/null
 sudo chmod 644 /etc/apt/apt.conf.d/99sane-upgrades

 # Install packages
--- a/whonix/whonix-workstation.sh
+++ b/whonix/whonix-workstation.sh
@@ -1,6 +1,6 @@
 #!/bin/sh

-# Copyright (C) 2022-2024 Thien Tran
+# Copyright (C) 2022-2025 Lukas Raub
 #
 # Licensed under the Apache License, Version 2.0 (the "License"); you may not
 # use this file except in compliance with the License. You may obtain a copy of
@@ -59,4 +59,4 @@ sudo mkdir -p /etc/gtk-3.0
 download https://raw.githubusercontent.com/TommyTran732/QubesOS-Scripts/main/etc/gtk-3.0/settings.ini /etc/gtk-3.0/settings.ini

 sudo mkdir -p /etc/gtk-4.0
-download https://raw.githubusercontent.com/TommyTran732/QubesOS-Scripts/main/etc/gtk-4.0/settings.ini /etc/gtk-4.0/settings.ini
+download https://raw.githubusercontent.com/TommyTran732/QubesOS-Scripts/main/etc/gtk-4.0/settings.ini /etc/gtk-4.0/settings.ini
Author	SHA1	Message	Date
titanz	df7e691648	Disable hmalloc in Edge VMs All checks were successful ShellCheck / Shell syntax checker (push) Successful in 11s Details	2025-04-30 15:36:26 +02:00
titanz	6c44faa2ff	Add xdg-desktop-portal-gtk	2025-04-30 15:33:12 +02:00
titanz	158697340e	Update Trivalent repo	2025-04-30 15:31:43 +02:00
titanz	8896b96831	Update config-manager disable command	2025-04-30 15:30:21 +02:00
titanz	2ee5a1673f	Add Firefox workaround All checks were successful ShellCheck / Shell syntax checker (push) Successful in 15s Details	2025-03-07 19:38:50 +01:00
titanz	67c6573f29	Install okular	2025-03-07 19:35:50 +01:00
titanz	95c2bba24e	Implement qubes-video-companion All checks were successful ShellCheck / Shell syntax checker (push) Successful in 11s Details	2025-02-14 08:39:41 +01:00
titanz	183db7923e	Add docker-buildx-plugin All checks were successful ShellCheck / Shell syntax checker (push) Successful in 11s Details	2025-02-12 07:35:37 +01:00
titanz	72ca6ddab3	Add /var/lieb/docker binding and move development.sh to the correct path All checks were successful ShellCheck / Shell syntax checker (push) Successful in 10s Details	2025-02-10 10:39:19 +01:00
titanz	fe824b08ca	Add pinentry-gnome3 All checks were successful ShellCheck / Shell syntax checker (push) Successful in 10s Details	2025-02-10 10:35:36 +01:00
titanz	442bf90d9b	Enable docker & add packages All checks were successful ShellCheck / Shell syntax checker (push) Successful in 10s Details	2025-02-10 10:33:44 +01:00
titanz	f5bb8fefcb	Add user to docker group All checks were successful ShellCheck / Shell syntax checker (push) Successful in 10s Details	2025-02-10 10:31:32 +01:00
titanz	d351388ee7	Add development.sh All checks were successful ShellCheck / Shell syntax checker (push) Successful in 11s Details	2025-02-10 10:29:12 +01:00
titanz	78485bc6c2	switch to my repos Some checks failed ShellCheck / Shell syntax checker (push) Failing after 1s Details	2025-02-07 10:31:51 +01:00
titanz	c50a23c863	update license year	2025-02-07 10:04:00 +01:00
titanz	e16c124cc4	add libglvnd-opengl to thunderbird All checks were successful ShellCheck / Shell syntax checker (push) Successful in 11s Details	2025-02-05 16:58:39 +01:00
titanz	3f844ad9d9	add protonmail-bridge to thunderbird All checks were successful ShellCheck / Shell syntax checker (push) Successful in 13s Details	2025-02-05 16:35:57 +01:00
titanz	a3bf0f61ec	add python3-pip to mullvad-browser All checks were successful ShellCheck / Shell syntax checker (push) Successful in 13s Details	2025-02-05 16:15:45 +01:00
titanz	b29892f8f8	adding yt-dlp	2025-02-05 16:14:02 +01:00