I love using minimal templates — specifically, debian-12-minimal templates. And I love using Whonix as part of my networking setup. So I wrote a little script to prepare fresh debian-12-minimal and whonix-17 templates for different use cases (currently: BASIC, NETWORKING, VPN, APP, FLATPAK and WAYDROID; these are explained further in the menu when running the script).
I am not an IT expert - just an interested user of one of the most powerful and versatile Linux projects out there. I am sure there are better ways to write the code for this script. Feel free to test it and give feedback. If you do not like my package selection, you can very easily change it in the script. Please check out my references to other community guides (highlighted when running the script)!
This script is written to be used with Qubes OS R4.2. Run the meta-installer.sh script as root in a debian-12-minimal or whonix-17 template:
#main menu
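#######################################
# Replaces /etc/apt/apt.conf so APT installs neither recommended nor
# suggested packages. Any previous content of the file is overwritten.
#######################################
_mi_apt_no_recommends() {
  cat <<'EOF' > /etc/apt/apt.conf
APT::Install-Recommends "0";
APT::Install-Suggests "0";
EOF
}

#######################################
# Rewrites the Qubes R4.2 APT source list so that only the onion mirror of the
# main repository is active. Package integrity still rests on the signed-by
# keyring; the transport itself is plain HTTP inside Tor.
# NOTE(review): the onion hostnames are hard-coded - compare them with the
# addresses published by the Qubes and Debian projects before running.
#######################################
_mi_onionize_qubes_repo() {
  cat <<'EOF' > /etc/apt/sources.list.d/qubes-r4.list
# Main qubes updates repository
#deb [arch=amd64 signed-by=/usr/share/keyrings/qubes-archive-keyring-4.2.gpg ] https://deb.qubes-os.org/r4.2/vm bookworm main
#deb-src [arch=amd64 signed-by=/usr/share/keyrings/qubes-archive-keyring-4.2.gpg ] https://deb.qubes-os.org/r4.2/vm bookworm main
# Qubes updates candidates repository
#deb [arch=amd64 signed-by=/usr/share/keyrings/qubes-archive-keyring-4.2.gpg] https://deb.qubes-os.org/r4.2/vm bookworm-testing main
#deb-src [arch=amd64 signed-by=/usr/share/keyrings/qubes-archive-keyring-4.2.gpg ] https://deb.qubes-os.org/r4.2/vm bookworm-testing main
# Qubes security updates testing repository
#deb [arch=amd64 signed-by=/usr/share/keyrings/qubes-archive-keyring-4.2.gpg] https://deb.qubes-os.org/r4.2/vm bookworm-securitytesting main
#deb-src [arch=amd64 signed-by=/usr/share/keyrings/qubes-archive-keyring-4.2.gpg ] https://deb.qubes-os.org/r4.2/vm bookworm-securitytesting main
# Qubes experimental/unstable repository
#deb [arch=amd64 signed-by=/usr/share/keyrings/qubes-archive-keyring-4.2.gpg] https://deb.qubes-os.org/r4.2/vm bookworm-unstable main
#deb-src [arch=amd64 signed-by=/usr/share/keyrings/qubes-archive-keyring-4.2.gpg ] https://deb.qubes-os.org/r4.2/vm bookworm-unstable main
# Qubes Tor updates repositories
# Main qubes updates repository
deb [arch=amd64 signed-by=/usr/share/keyrings/qubes-archive-keyring-4.2.gpg] tor+http://deb.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r4.2/vm bookworm main
#deb-src [arch=amd64 signed-by=/usr/share/keyrings/qubes-archive-keyring-4.2.gpg ] tor+http://deb.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r4.2/vm bookworm main
# Qubes updates candidates repository
#deb [arch=amd64 signed-by=/usr/share/keyrings/qubes-archive-keyring-4.2.gpg] tor+http://deb.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r4.2/vm bookworm-testing main
#deb-src [arch=amd64 signed-by=/usr/share/keyrings/qubes-archive-keyring-4.2.gpg ] tor+http://deb.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r4.2/vm bookworm-testing main
# Qubes security updates testing repository
#deb [arch=amd64 signed-by=/usr/share/keyrings/qubes-archive-keyring-4.2.gpg] tor+http://deb.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r4.2/vm bookworm-securitytesting main
#deb-src [arch=amd64 signed-by=/usr/share/keyrings/qubes-archive-keyring-4.2.gpg ] tor+http://deb.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r4.2/vm bookworm-securitytesting main
# Qubes experimental/unstable repository
#deb [arch=amd64 signed-by=/usr/share/keyrings/qubes-archive-keyring-4.2.gpg] tor+http://deb.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r4.2/vm bookworm-unstable main
#deb-src [arch=amd64 signed-by=/usr/share/keyrings/qubes-archive-keyring-4.2.gpg ] tor+http://deb.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r4.2/vm bookworm-unstable main
EOF
}

#######################################
# Installs, enables and starts a systemd unit that removes empty directories
# below /home/user/QubesIncoming. rmdir only deletes empty directories, so
# received files are never touched.
#######################################
_mi_setup_incoming_cleanup() {
  cat <<'EOF' > /root/delete_empty_incoming.sh
#!/bin/sh
test ! -d /home/user/QubesIncoming || find '/home/user/QubesIncoming/' -mindepth 1 -type d -exec rmdir '{}' \;
EOF
  chmod +x /root/delete_empty_incoming.sh
  cat <<'EOF' > /etc/systemd/system/delete_empty_incoming.service
[Unit]
Description=Empty QubesIncoming
[Service]
ExecStart=/root/delete_empty_incoming.sh
[Install]
WantedBy=multi-user.target
EOF
  systemctl enable delete_empty_incoming
  systemctl start delete_empty_incoming
}

#######################################
# Top-level menu of meta-installer: basic debian-12-minimal install, basic
# whonix-17 setup, jump to the advanced submenu, or exit.
# Globals:   mainmenu_choice (written)
# Arguments: none; the choice and every confirmation are read from stdin
# Outputs:   coloured prompts on stdout
# Returns:   does not return normally; re-enters itself or submenu after each
#            option and exits 0 on choice 4
# Every step rewrites system files (/etc/apt, /etc/systemd, /opt) and runs
# apt, so the script must be started as root inside the template.
#######################################
function mainmenu {
  local -a basic_pkgs

  echo -e "\e[32;1mWelcome to meta-installer. This script is meant to help you set up debian-12-minimal and whonix templates. Choose option to proceed:
\r 1) Basic debian-12-minimal install
\r 2) Basic whonix-17 setup (works for workstation and gateway)
\r 3) Advanced debian-12-minimal installs
\r 4) Exit"
  read -r mainmenu_choice
  echo
  case "$mainmenu_choice" in
    1)
      ##preparing basic template.
      echo -e "\e[33;1mPreparing basic debian-12-minimal template install. The following steps will take place:
\r- APT will be configured to not install recommended and suggested packages
\r- Template will be onionized
\r- Template will be upgraded through tor
\r- A selection of packages will be installed
\r- Unwanted packages will be removed
\r- Automatic deletion of empty QubesIncoming folders will be set up
\r- Directory for placing self created bash commands will be created
\rPress Enter to continue or Strg+C to quit... \e[0m"
      read -r
      ##configuring apt to not install recommended and suggested packages.
      echo -e "\e[33;1mConfiguring APT to install without recommended/suggested packages. Press ENTER to continue or Strg+C to quit... \e[0m"
      read -r
      _mi_apt_no_recommends
      ##updating template.
      apt update
      echo
      ##installing apt-transport-tor to onionize debian repositories in next step
      echo -e "\e[33;1mInstalling the following packages:
\r\e[31;1mapt-transport-tor
\r\e[33;1mPress Enter to continue or Strg+C to quit... \e[0m"
      read -r
      apt install -y apt-transport-tor
      echo
      ##onionizing debian repositories. change according to your preferences.
      echo -e "\e[33;1mOnionizing template. Press ENTER to continue or Strg+C to quit... \e[0m"
      read -r
      _mi_onionize_qubes_repo
      cat <<'EOF' > /etc/apt/sources.list
#deb https://deb.debian.org/debian bookworm main contrib non-free-firmware
deb tor+http://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion/debian bookworm main contrib non-free-firmware
#deb https://deb.debian.org/debian-security bookworm-security main contrib non-free-firmware
deb tor+http://5ajw6aqf3ep7sijnscdzw77t7xq4xjpsy335yb2wiwgouo7yfxtjlmid.onion bookworm-security main contrib non-free-firmware
#deb https://deb.debian.org/debian bookworm-backports main contrib non-free-firmware
deb tor+http://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion/debian bookworm-backports main contrib non-free-firmware
EOF
      ##updating template through onionized repositories.
      apt update
      echo
      ##upgrading template
      echo -e "\e[33;1mUpgrading template. Press ENTER to continue or Strg+C to quit... \e[0m"
      read -r
      apt upgrade -y
      echo
      ##installing basic packages. change according to your preferences.
      # One list feeds both the confirmation prompt and apt, so the user
      # approves exactly what gets installed (the prompt used to name a
      # different set than the install command).
      basic_pkgs=(nautilus qubes-core-agent-nautilus qubes-core-agent-networking qubes-core-agent-passwordless-root qubes-core-agent-thunar qubes-usb-proxy thunar xfce4-notifyd xfce4-terminal zenity)
      echo -e "\e[33;1mInstalling the following packages:
\r\e[31;1m${basic_pkgs[*]}
\r\e[33;1mPress Enter to continue or Strg+C to quit... \e[0m"
      read -r
      apt install -y "${basic_pkgs[@]}"
      #apt install -y grub2 linux-image-amd64 linux-headers-amd64 qubes-kernel-vm-support
      echo
      ##remove unwanted packages. change according to your preferences.
      echo -e "\e[33;1mRemoving the following packages:
\r\e[31;1mvim* xterm
\r\e[33;1mPress Enter to continue or Strg+C to quit... \e[0m"
      read -r
      # Quoted so apt receives the pattern; unquoted, the shell would expand
      # vim* against files in the current directory first.
      apt remove -y 'vim*' xterm
      echo
      ##setting up automatic deletion of empty QubesIncoming folders.
      echo -e "\e[33;1mConfiguring template to delete empty folders in QubesIncoming. Press ENTER to continue or Strg+C to quit... \e[0m"
      read -r
      _mi_setup_incoming_cleanup
      echo
      ##create directory /opt/bin to place self created bash commands
      echo -e "\e[33;1mCreating /opt/bin for bash scripts. Press ENTER to continue or Strg+C to quit... \e[0m"
      read -r
      # -p and '>' keep a second run from failing or stacking duplicate lines.
      mkdir -p /opt/bin
      echo 'export PATH="/opt/bin:$PATH"' > /etc/profile.d/opt-bin.sh
      ##finishing BASIC TEMPLATE install.
      echo -e "\e[32;1mDEBIAN-12-MINIMAL basic TEMPLATE install successful! Rename template (e.g. d12m). Press ENTER to continue or Strg+C to quit... \e[0m"
      read -r
      mainmenu
      ;;
    2)
      ##preparing basic template.
      echo -e "\e[33;1mBasic Whonix-17 setup (works for workstation and gateway). The following steps will take place:
\r- APT will be configured to not install recommended and suggested packages
\r- Template will be onionized
\r- Template will be upgraded through tor
\r- Automatic deletion of empty QubesIncoming folders will be set up
\rPress Enter to continue or Strg+C to quit... \e[0m"
      read -r
      ##configuring apt to not install recommended and suggested packages.
      echo -e "\e[33;1mConfiguring APT to install without recommended/suggested packages. Press ENTER to continue or Strg+C to quit... \e[0m"
      read -r
      _mi_apt_no_recommends
      ##onionizing debian repositories. change according to your preferences.
      echo -e "\e[33;1mOnionizing template. Press ENTER to continue or Strg+C to quit... \e[0m"
      read -r
      _mi_onionize_qubes_repo
      # Whonix 17 is based on Debian 12, so the suites must be bookworm*.
      # The list previously named bullseye*, which leaves a whonix-17
      # template without Debian's bookworm security updates.
      cat <<'EOF' > /etc/apt/sources.list.d/debian.list
#deb tor+https://deb.debian.org/debian bookworm main contrib non-free
#deb tor+https://deb.debian.org/debian bookworm-updates main contrib non-free
#deb tor+https://deb.debian.org/debian-security bookworm-security main contrib non-free
#deb tor+https://deb.debian.org/debian bookworm-backports main contrib non-free
deb tor+https://fasttrack.debian.net/debian bookworm-fasttrack main contrib non-free
deb tor+http://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion/debian bookworm main contrib non-free
deb tor+http://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion/debian bookworm-updates main contrib non-free
deb tor+http://5ajw6aqf3ep7sijnscdzw77t7xq4xjpsy335yb2wiwgouo7yfxtjlmid.onion/debian-security bookworm-security main contrib non-free
deb tor+http://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion/debian bookworm-backports main contrib non-free
## No onion for fasttrack yet:
## https://salsa.debian.org/fasttrack-team/support/-/issues/27
EOF
      repository-dist --enable --transport onion
      ##updating template through onionized repositories.
      apt update
      echo
      #upgrading template
      echo -e "\e[33;1mUpgrading template. Press ENTER to continue or Strg+C to quit... \e[0m"
      read -r
      apt upgrade -y
      echo
      ##setting up automatic deletion of empty QubesIncoming folders.
      echo -e "\e[33;1mConfiguring template to delete empty folders in QubesIncoming. Press ENTER to continue or Strg+C to quit... \e[0m"
      read -r
      _mi_setup_incoming_cleanup
      echo
      ##finishing WHONIX setup.
      echo -e "\e[32;1mBasic whonix-17 setup successful! For reference follow this link:
\r\e[35;5;1mhttps://www.whonix.org/
\rhttps://www.whonix.org/wiki/Onionizing_Repositories\e[0m
\r\e[32;1mPress ENTER to continue or Strg+C to quit... \e[0m"
      read -r
      mainmenu
      ;;
    3)
      submenu
      ;;
    4)
      echo -e "Exiting! \e[0m"
      exit 0
      ;;
    *)
      echo -e "Wrong choice. Choose again! \e[0m"
      mainmenu
      ;;
  esac
}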
##function for advanced TEMPLATE installs
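#######################################
# Menu for the advanced debian-12-minimal installs: NETWORKING, VPN, APP,
# FLATPAK and WAYDROID templates, plus "back" and "exit".
# Globals:   submenu_choice (written)
# Arguments: none; the choice and every confirmation are read from stdin
# Outputs:   coloured prompts on stdout, diagnostics on stderr
# Returns:   does not return normally; re-enters itself or mainmenu after each
#            option and exits 0 on choice 7
# Every option installs packages and writes files under /etc and /opt, so the
# script must run as root inside the template. The generated files are written
# from quoted here-documents so that "$..." inside them reaches the target
# file literally instead of being expanded (to nothing) at install time.
#######################################
function submenu {
  local -a app_pkgs
  local build_dir

  echo -e "\e[36;1mYou have successfully installed your basic debian-12-minimal. Now choose an advanced debian-12-minimal install. You can combine the installs. Just rerun the script:
\r 1) NETWORKING TEMPLATE with (MAC and HOSTNAME spoofing)
\r 2) VPN TEMPLATE
\r 3) APP TEMPLATE
\r 4) FLATPAK TEMPLATE
\r 5) WAYDROID TEMPLATE
\r 6) Back to basic TEMPLATE install
\r 7) Exit"
  read -r submenu_choice
  echo
  case "$submenu_choice" in
    1)
      echo -e "\e[33;1mPreparing NETWORKING TEMPLATE. The following will happen:
\r- Networking packages will be installed
\r- MAC will be spoofed
\r- Hostname will be spoofed
\rPress Enter to continue or Strg+C to quit... \e[0m"
      read -r
      apt update
      echo
      ##installing networking packages. change according to your needs.
      echo -e "\e[33;1mInstalling the following packages:
\r\e[31;1mdnsmasq-base firmware-iwlwifi firmware-misc-nonfree iftop qubes-core-agent-networking qubes-core-agent-network-manager ncat nmap tcpdump wireshark wpasupplicant
\r\e[33;1mPress Enter to continue or Strg+C to quit... \e[0m"
      read -r
      apt install -y dnsmasq-base firmware-iwlwifi firmware-misc-nonfree iftop qubes-core-agent-networking qubes-core-agent-network-manager ncat nmap tcpdump wireshark wpasupplicant
      echo
      ##to fully disable ipv6 set template kernelopts to "ipv6.disable=1"
      echo -e "\e[33;1mIf you want to disable ipv6 set kernelopts in dom0 (optional):
\r\e[35;5;1m$ qvm-prefs [vmname] kernelopts ipv6.disable=1\e[0m
\r\e[33;1mPress ENTER to continue or Strg+C to quit... \e[0m"
      read -r
      ##spoof mac
      echo -e "\e[33;1mSpoofing MAC. Press ENTER to continue or Strg+C to quit... \e[0m"
      read -r
      # ${CONNECTION} and ${BOOT} are NetworkManager placeholders and must be
      # written literally. With an unquoted here-document the shell replaced
      # them with empty strings, giving every connection and every boot the
      # same stable-id "/" and therefore the same "stable" MAC address.
      cat <<'EOF' > /etc/NetworkManager/conf.d/00-macrandomize.conf
[device]
wifi.scan-rand-mac-address=yes
[connection]
wifi.cloned-mac-address=stable
ethernet.cloned-mac-address=stable
connection.stable-id=${CONNECTION}/${BOOT}
ipv6.dhcp-duid=stable-uuid
#use random IPv6 addresses per session / don't leak MAC via IPv6 (cf. RFC 4941):
ipv6.ip6-privacy=2
EOF
      ##spoof hostname
      echo -e "\e[33;1mSpoofing hostname. Press ENTER to continue or Strg+C to quit... \e[0m"
      read -r
      # Quoted delimiter for the same reason: $RANDOM, $rand and $name have to
      # be evaluated when the hook runs. Expanded at install time they produced
      # a hook that set an empty hostname.
      cat <<'EOF' > /etc/network/if-pre-up.d/00_hostname
#!/bin/bash
set -e -o pipefail
if [ -f "/rw/config/protected-files.d/protect_hostname.txt" ] && rand="$RANDOM" && mv "/etc/hosts.lock" "/etc/hosts.lock.$rand" ; then
name="PC-$rand"
echo "$name" > /etc/hostname
hostname "$name"
if [ -e /etc/debian_version ]; then
ipv4_localhost_re="127\.0\.1\.1"
else
ipv4_localhost_re="127\.0\.0\.1"
fi
sed -i "s/^\($ipv4_localhost_re\(\s.*\)*\s\).*$/\1${name}/" /etc/hosts
sed -i "s/^\(::1\(\s.*\)*\s\).*$/\1${name}/" /etc/hosts
fi
exit 0
EOF
      chmod +x /etc/network/if-pre-up.d/00_hostname
      touch /etc/hosts.lock
      # The command shown to the user contains double quotes and "\n". Inside
      # one echo -e string the inner quotes ended the string and the command
      # was displayed corrupted, so it is printed through printf %s instead.
      echo -e "\e[36;1mDEBIAN-12-MINIMAL NETWORKING TEMPLATE install successful! Rename template (e.g. d12m-net). Execute the following command in your NetVM to spoof hostname:"
      printf '\r\e[35;5;1m%s \e[0m\n' "sudo bash -c 'mkdir -p /rw/config/protected-files.d/ && echo -e \"/etc/hosts\\n/etc/hostname\" > /rw/config/protected-files.d/protect_hostname.txt'"
      echo -e "\r\e[36;1mPress ENTER to continue or Strg+C to quit..."
      read -r
      submenu
      ;;
    2)
      echo -e "\e[33;1mPreparing VPN TEMPLATE! The following will happen:
\r- Networking and WIREGUARD packages will be installed
\rPress Enter to continue or Strg+C to quit... \e[0m"
      read -r
      apt update
      echo
      ##installing networking and vpn packages//no MAC and HOSTNAME spoofing!
      echo -e "\e[33;1mInstalling the following packages:
\r\e[31;1miftop qubes-core-agent-networking qubes-core-agent-network-manager ncat nmap tcpdump wireguard wireguard-tools wireshark
\r\e[33;1mPress Enter to continue or Strg+C to quit... \e[0m"
      read -r
      apt install -y iftop qubes-core-agent-networking qubes-core-agent-network-manager ncat nmap tcpdump wireguard wireguard-tools wireshark
      echo
      echo -e "\e[36;1mDEBIAN-12-MINIMAL VPN TEMPLATE install successful! Rename template (e.g. d12m-vpn). For proper VPN setup follow this link:
\r\e[35;5;1mhttps://forum.qubes-os.org/t/wireguard-vpn-setup/19141 \e[0m
\r\e[36;1mPress ENTER to continue or Strg+C to quit... \e[0m"
      read -r
      submenu
      ;;
    3)
      echo -e "\e[33;1mPreparing APP TEMPLATE! The following will happen:
\r- Selection of app packages will be installed
\rPress Enter to continue or Strg+C to quit... \e[0m"
      read -r
      apt update
      echo
      ##installing app selection. change according to your preference
      # One list for prompt and install: the prompt used to omit thunderbird,
      # which was installed anyway.
      app_pkgs=(basez curl eog ffmpegthumbnailer gimp gnome-disk-utility gnome-keyring gnome-screenshot gparted gpa gtkhash gvfs-backends iftop keepassxc kleopatra libblockdev-crypto2 libgdk-pixbuf2.0-bin metadata-cleaner mousepad openssh-client pcscd pciutils psmisc pipewire-qubes qubes-vm-recommended qtqr vlc sshfs system-config-printer tigervnc-viewer thunderbird wget yubikey-personalization zbar-tools)
      echo -e "\e[33;1mInstalling the following packages:
\r\e[31;1m${app_pkgs[*]}
\r\e[33;1mPress ENTER to continue or Strg+C to quit... \e[0m"
      read -r
      apt install -y "${app_pkgs[@]}"
      echo
      echo -e "\e[36;1mDEBIAN-12-MINIMAL APP TEMPLATE install successful! Rename template (e.g. d12m-app). Press ENTER to continue or Strg+C to quit... \e[0m"
      read -r
      submenu
      ;;
    4)
      echo -e "\e[33;1mPreparing FLATPAK TEMPLATE! The following will happen:
\r- Nescessary packages will be installed
\r- Flathub repo will be added
\r- Command to proxy flatpak will be created
\r- Command to manually upgrade flatpaks will be created
\rPress Enter to continue or Strg+C to quit... \e[0m"
      read -r
      apt update
      echo
      ##installing necessary packages. change according to your preference
      echo -e "\e[33;1mInstalling the following packages:
\r\e[31;1mflatpak gnome-software-plugin-flatpak
\r\e[33;1mPress ENTER to continue or Strg+C to quit... \e[0m"
      read -r
      apt install -y flatpak gnome-software-plugin-flatpak
      echo
      ##adding flatpakrepo
      echo -e "\e[33;1mAdding FLATUHUB repo! Press ENTER to continue or Strg+C to quit... \e[0m"
      read -r
      # Proxy setting scoped to this one command instead of being exported
      # into everything the script runs afterwards.
      all_proxy=http://127.0.0.1:8082/ flatpak remote-add --if-not-exists flathub https://dl.flathub.org/repo/flathub.flatpakrepo
      ##creating command to proxy flatpaks
      echo -e "\e[33;1mCreating command to proxy flatpak commands in template:
\r\e[35;5;1mflatpak-proxy \e[0m
\r\e[33;1mPress ENTER to continue or Strg+C to quit... \e[0m"
      read -r
      # /opt/bin is only created by the basic install; make this option work
      # on its own as well.
      mkdir -p /opt/bin
      # The wrapper used to contain only the two variable assignments and ran
      # nothing; it now hands its arguments to flatpak behind the proxy.
      cat <<'EOF' > /opt/bin/flatpak-proxy
#!/bin/sh
https_proxy=http://127.0.0.1:8082 http_proxy=http://127.0.0.1:8082 flatpak "$@"
EOF
      chmod +x /opt/bin/flatpak-proxy
      echo
      ##creating command to manually update flatpaks
      echo -e "\e[33;1mCreating command to update flatpaks in template:
\r\e[35;5;1mflatpak-update \e[0m
\r\e[33;1mPress ENTER to continue or Strg+C to quit... \e[0m"
      read -r
      cat <<'EOF' > /opt/bin/flatpak-update
#!/bin/sh
https_proxy=http://127.0.0.1:8082 http_proxy=http://127.0.0.1:8082 flatpak update -y
EOF
      chmod +x /opt/bin/flatpak-update
      echo
      echo -e "\e[36;1mDEBIAN-12-MINIMAL FLATPAK TEMPLATE install successful! Rename template (e.g. d12m-flatpak). For a more sophisticated setup check out the following link:
\r\e[35;5;1mhttps://forum.qubes-os.org/t/flatpak-integration-in-qubes-os-templates/20984
\r\e[35;5;1mhttps://dataswamp.org/~solene/2023-09-15-flatpak-on-qubesos.html \e[0m
\r\e[36;1mPress ENTER to continue or Strg+C to quit... \e[0m"
      read -r
      submenu
      ;;
    5)
      echo -e "\e[33;1mPreparing WAYDROID TEMPLATE! The script is based on a community guide:
\r\e[35;5;1mhttps://forum.qubes-os.org/t/waydroid-template/23356 \e[0m
\r\e[33;1mPlease check for reference. Press Enter to continue or Strg+C to quit... \e[0m"
      read -r
      #####
      ###run in dom0
      #sudo qubes-dom0-update grub2-xen-pvh
      #qvm-run -u root d12m-waydroid xterm &
      ###running script from:
      #https://forum.qubes-os.org/t/waydroid-template/23356
      ##installing waydroid
      apt install -y sway qubes-core-agent-networking pulseaudio ca-certificates extrepo grub2 linux-image-amd64 linux-headers-amd64 qubes-kernel-vm-support
      https_proxy=http://127.0.0.1:8082 http_proxy=http://127.0.0.1:8082 extrepo enable waydroid
      apt update
      apt install -y waydroid pipewire-pulse
      ##configuring waydroid not to start its container in the template
      mkdir -p /etc/systemd/system/waydroid-container.service.d
      cat <<'EOF' > /etc/systemd/system/waydroid-container.service.d/override.conf
[Unit]
ConditionPathExists=!/run/qubes/this-is-templatevm
EOF
      ##initializing waydroid
      https_proxy=http://127.0.0.1:8082 http_proxy=http://127.0.0.1:8082 waydroid init
      ##installing waydroid clipboard support
      apt install -y curl unzip
      ##build and install clipnotify
      apt install -y build-essential libx11-dev libxtst-dev
      mkdir -p /opt/bin
      # NOTE(review): this fetches the tip of clipnotify's master branch and
      # builds and installs it as root in the template, with no pinned commit
      # and no checksum. Pin a reviewed commit and verify the archive before
      # relying on this template.
      # The build runs in a throw-away directory inside a subshell: a failed
      # download can no longer lead to sed/make running in whatever directory
      # the script was started from, and the caller's working directory is
      # left unchanged.
      if build_dir=$(mktemp -d); then
        if ! (
          cd "$build_dir" \
            && curl --fail --proxy http://127.0.0.1:8082/ --tlsv1.2 --proto =https --max-time 180 https://codeload.github.com/cdown/clipnotify/zip/refs/heads/master -o clipnotify-master.zip \
            && unzip -j clipnotify-master.zip -d clipnotify \
            && cd clipnotify \
            && sed -i "s|/usr/local|/opt|g" Makefile \
            && make \
            && make install
        ); then
          echo "clipnotify could not be downloaded or built; clipboard sync will not work." >&2
        fi
        rm -rf -- "${build_dir:?}"
      else
        echo "mktemp failed; skipping clipnotify build." >&2
      fi
      # '>' instead of '>>' so repeated runs do not stack duplicate lines.
      echo 'export PATH="/opt/bin:$PATH"' > /etc/profile.d/opt-bin.sh
      ##install x11 and wayland clipboard cli tools
      apt install -y xclip wl-clipboard
      ##configure sway to run a script on start that transfers clipboard content between X11 and Wayland
      echo "exec /opt/bin/x11-wl-clip.sh" > /etc/sway/config.d/99-x11-wl-clip.conf
      cat <<'EOF' > /opt/bin/x11-wl-clip.sh
#!/bin/bash
x11_wl='while DISPLAY=":0" clipnotify -s clipboard; do xclip -d ":0" -selection clipboard -o | wl-copy; done'
wl_x11='wl-paste -nw xclip -d ":0" -selection clipboard'
eval "${x11_wl}" &>/dev/null &
eval "${wl_x11}" &>/dev/null
pstree -A -p $$ | grep -Eow "[0-9]+" | xargs kill &>/dev/null
EOF
      chmod +x /opt/bin/x11-wl-clip.sh
      ##install pyclip
      # NOTE(review): confirm that "pip" resolves to a package on Debian 12;
      # the package is usually named python3-pip.
      apt install -y xclip wl-clipboard pip python3-venv
      python3 -m venv /opt/venv/pyclip
      # Call the venv's own pip by path: if the venv could not be created this
      # simply fails, instead of falling back to a system-wide pip run as root.
      # NOTE(review): pyclip is installed unpinned from PyPI; pin a version
      # (and hashes) once one has been reviewed.
      /opt/venv/pyclip/bin/pip install --proxy http://127.0.0.1:8082 pyclip
      cat <<'EOF' > /etc/profile.d/python-venv.sh
export PATH="$PATH:/opt/venv/pyclip/bin"
export PYTHONPATH="$PYTHONPATH:/opt/venv/pyclip/lib/python3.11/site-packages"
EOF
      ##configure firewall
      cat <<'EOF' > /etc/systemd/system/waydroid-firewall.service
[Unit]
ConditionPathExists=!/run/qubes/this-is-templatevm
PartOf=waydroid-container.service
After=waydroid-container.service
BindsTo=waydroid-container.service
Requires=qubes-iptables.service
After=qubes-iptables.service
BindsTo=qubes-iptables.service
[Service]
Type=oneshot
ExecStart=/usr/bin/bash -c "if (nft create chain ip qubes waydroid-input) &>/dev/null; then nft add rule ip qubes custom-input jump waydroid-input; fi"
ExecStart=/usr/bin/bash -c "if (nft create chain ip qubes waydroid-forward) &>/dev/null; then nft add rule ip qubes custom-forward jump waydroid-forward; fi"
ExecStart=/usr/sbin/nft add rule ip qubes waydroid-input iifname "waydroid0" meta l4proto {tcp, udp} th dport { 53, 67 } accept
ExecStart=/usr/sbin/nft add rule ip qubes waydroid-forward iifname "waydroid0" oifgroup 1 accept
ExecStart=/usr/sbin/nft add rule ip qubes waydroid-forward oifname "waydroid0" iifgroup 1 accept
ExecStop=/usr/sbin/nft flush chain ip qubes waydroid-input
ExecStop=/usr/sbin/nft flush chain ip qubes waydroid-forward
RemainAfterExit=yes
[Install]
WantedBy=waydroid-container.service
EOF
      systemctl daemon-reload
      systemctl enable waydroid-firewall.service
      ##disable window title bar
      echo "default_border none" > /etc/sway/config.d/94-disable-window-titlebar.conf
      perl -0777 -i -pe 's/(^\h*bar\s*|\v\h*bar\s*)(\{(?:(?>[^{}]+)|(?-1))*\})//g' /etc/sway/config
      ##create desktop file to start waydroid
      apt install -y x11-utils
      cat <<'EOF' > /opt/bin/sway-waydroid.sh
#!/bin/bash
sway &>/dev/null &
WAYLAND_DISPLAY="wayland-1" XDG_SESSION_TYPE="wayland" DISPLAY=":1" waydroid first-launch &>/dev/null &
for i in $(seq 1 3);
do
if xwininfo -name "wlroots - X11-1" &>/dev/null; then
break
fi
sleep 1
done
while xwininfo -name "wlroots - X11-1" &>/dev/null; do
sleep 2
done
WAYLAND_DISPLAY="wayland-1" XDG_SESSION_TYPE="wayland" DISPLAY=":1" waydroid session stop &>/dev/null
pstree -A -p $$ | grep -Eow "[0-9]+" | xargs kill &>/dev/null
EOF
      chmod +x /opt/bin/sway-waydroid.sh
      cat <<'EOF' > /usr/share/applications/Waydroid-Sway.desktop
[Desktop Entry]
Type=Application
Name=Waydroid-Sway
Exec=/opt/bin/sway-waydroid.sh
Icon=waydroid
Categories=X-WayDroid-App;
X-Purism-FormFactor=Workstation;Mobile;
EOF
      ##create script to install apk in waydroid
      # "$1" is quoted in the generated script so an APK path containing
      # spaces or glob characters is passed through as one argument.
      cat <<'EOF' > /opt/bin/waydroid-install-apk
#!/bin/sh
WAYLAND_DISPLAY="wayland-1" XDG_SESSION_TYPE="wayland" DISPLAY=":1" waydroid app install "$1"
EOF
      chmod +x /opt/bin/waydroid-install-apk
      ##create script to upgrade waydroid
      cat <<'EOF' > /opt/bin/waydroid-upgrade
#!/bin/sh
https_proxy=http://127.0.0.1:8082 http_proxy=http://127.0.0.1:8082 waydroid upgrade
EOF
      chmod +x /opt/bin/waydroid-upgrade
      ##create script to reinitialize waydroid after kernel switch
      cat <<'EOF' > /opt/bin/waydroid-reinitialize
#!/bin/sh
https_proxy=http://127.0.0.1:8082 http_proxy=http://127.0.0.1:8082 waydroid init -f
EOF
      chmod +x /opt/bin/waydroid-reinitialize
      ##install thunar file manager
      apt install -y thunar qubes-core-agent-thunar
      ##enable sound in r4.2
      apt install -y pipewire-qubes
      echo -e "\e[36;1mDEBIAN-12-MINIMAL WAYDROID TEMPLATE install successful! Rename template (e.g. d12m-waydroid). The following bash commands were created:
\r\e[35;5;1m'waydroid-install-apk' for installing apks in appvm running waydroid
\r'waydroid-upgrade' for manual upgrade of waydroid in template
\r'waydroid-reinitialize' for reinitializing waydroid after kernel switch \e[0m
\r\e[36;1mPress ENTER to continue or Strg+C to quit... \e[0m"
      read -r
      submenu
      ;;
    6)
      echo -e "Back to BASIC TEMPLATE install! \e[0m"
      mainmenu
      ;;
    7)
      echo -e "Exiting! \e[0m"
      exit 0
      ;;
    *)
      echo -e "Wrong choice. Choose again! \e[0m"
      submenu
      ;;
  esac
}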
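#start script
# Every menu option rewrites files under /etc, /root or /opt and drives apt and
# systemctl. Stop before the first prompt when not running as root, rather than
# failing part-way through and leaving a half-configured template.
if [ "$(id -u)" -ne 0 ]; then
  echo "meta-installer must be run as root inside the template." >&2
  exit 1
fi
mainmenu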