Setting up debian-12-minimal and whonix-17 templates

I love using minimal templates. To be specific debian-12-minimal templates. And I love using whonix as part of my networking setup. So I wrote up a little script to prepare fresh debian-12-minimal templates and whonix-17 templates for different use cases (currently: BASIC, NETWORKING, VPN, APP, FLATPAK and WAYDROID; further explained in the menu when running the script).

I am not an IT expert - just an interested user of one of the most powerful and versatile linux projects out there. I am sure there are better ways to write up the code for this script. Feel free to test it and to give feedback. If you do not like my package selection you can very easily change it in the script. Please checkout my references to other community guides (highlighted when running the script)!

This script is written to be used with QubesOS R4.2. Run meta-installer.sh script as root in debian-12-minimal or whonix-17 template:

#main menu
function mainmenu {
		echo -e "\e[32;1mWelcome to meta-installer. This script is meant to help you set up debian-12-minimal and whonix templates. Choose option to proceed:
		 	\r 1) Basic debian-12-minimal install
			\r 2) Basic whonix-17 setup (works for workstation and gateway)
			\r 3) Advanced debian-12-minimal installs
			\r 4) Exit"
		read mainmenu_choice
		echo

		case $mainmenu_choice in
			1)
			##preparing basic template.
				echo -e "\e[33;1mPreparing basic debian-12-minimal template install. The following steps will take place:
					\r- APT will be configured to not install recommended and suggested packages
					\r- Template will be onionized
					\r- Template will be upgraded through tor
					\r- A selection of packages will be installed
					\r- Unwanted packages will be removed
					\r- Automatic deletion of empty QubesIncoming folders will be set up
					\r- Directory for placing self created bash commands will be created
					\rPress Enter to continue or Strg+C to quit... \e[0m"
				read
			##configuring apt to not install recommended and suggested packages.
				echo -e "\e[33;1mConfiguring APT to install without recommended/suggested packages. Press ENTER to continue or Strg+C to quit... \e[0m"
				read
				cat <<-EOF > /etc/apt/apt.conf
					APT::Install-Recommends "0";
					APT::Install-Suggests "0";
				EOF
			##updating template.
				apt update
				echo
			##installing apt-transport-tor to onionize debian repositories in next step 
				echo -e "\e[33;1mInstalling the following packages:
					\r\e[31;1mapt-transport-tor
					\r\e[33;1mPress Enter to continue or Strg+C to quit... \e[0m"
				read
				apt install -y apt-transport-tor
				echo
			##oninizing debian repositories. change according to your preferences.
				echo -e "\e[33;1mOnionizing template. Press ENTER to continue or Strg+C to quit... \e[0m"
				read
				cat <<-EOF > /etc/apt/sources.list.d/qubes-r4.list
					# Main qubes updates repository
					#deb [arch=amd64 signed-by=/usr/share/keyrings/qubes-archive-keyring-4.2.gpg ] https://deb.qubes-os.org/r4.2/vm bookworm main
					#deb-src [arch=amd64 signed-by=/usr/share/keyrings/qubes-archive-keyring-4.2.gpg ] https://deb.qubes-os.org/r4.2/vm bookworm main
					# Qubes updates candidates repository
					#deb [arch=amd64 signed-by=/usr/share/keyrings/qubes-archive-keyring-4.2.gpg] https://deb.qubes-os.org/r4.2/vm bookworm-testing main
					#deb-src  [arch=amd64 signed-by=/usr/share/keyrings/qubes-archive-keyring-4.2.gpg ]  https://deb.qubes-os.org/r4.2/vm bookworm-testing main
					# Qubes security updates testing repository
					#deb [arch=amd64 signed-by=/usr/share/keyrings/qubes-archive-keyring-4.2.gpg] https://deb.qubes-os.org/r4.2/vm bookworm-securitytesting main
					#deb-src  [arch=amd64 signed-by=/usr/share/keyrings/qubes-archive-keyring-4.2.gpg ] https://deb.qubes-os.org/r4.2/vm bookworm-securitytesting main
					# Qubes experimental/unstable repository
					#deb [arch=amd64 signed-by=/usr/share/keyrings/qubes-archive-keyring-4.2.gpg] https://deb.qubes-os.org/r4.2/vm bookworm-unstable main
					#deb-src  [arch=amd64 signed-by=/usr/share/keyrings/qubes-archive-keyring-4.2.gpg ] https://deb.qubes-os.org/r4.2/vm bookworm-unstable main
					# Qubes Tor updates repositories
					# Main qubes updates repository
					deb [arch=amd64 signed-by=/usr/share/keyrings/qubes-archive-keyring-4.2.gpg] tor+http://deb.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r4.2/vm bookworm main
					#deb-src  [arch=amd64 signed-by=/usr/share/keyrings/qubes-archive-keyring-4.2.gpg ] tor+http://deb.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r4.2/vm bookworm main
					# Qubes updates candidates repository
					#deb [arch=amd64 signed-by=/usr/share/keyrings/qubes-archive-keyring-4.2.gpg] tor+http://deb.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r4.2/vm bookworm-testing main
					#deb-src  [arch=amd64 signed-by=/usr/share/keyrings/qubes-archive-keyring-4.2.gpg ] tor+http://deb.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r4.2/vm bookworm-testing main
					# Qubes security updates testing repository
					#deb [arch=amd64 signed-by=/usr/share/keyrings/qubes-archive-keyring-4.2.gpg] tor+http://deb.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r4.2/vm bookworm-securitytesting main
					#deb-src  [arch=amd64 signed-by=/usr/share/keyrings/qubes-archive-keyring-4.2.gpg ] tor+http://deb.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r4.2/vm bookworm-securitytesting main
					# Qubes experimental/unstable repository
					#deb [arch=amd64 signed-by=/usr/share/keyrings/qubes-archive-keyring-4.2.gpg] tor+http://deb.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r4.2/vm bookworm-unstable main
					#deb-src  [arch=amd64 signed-by=/usr/share/keyrings/qubes-archive-keyring-4.2.gpg ] tor+http://deb.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r4.2/vm bookworm-unstable main
				EOF
				cat <<-EOF > /etc/apt/sources.list
					#deb https://deb.debian.org/debian bookworm main contrib non-free-firmware
					deb tor+http://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion/debian bookworm main contrib non-free-firmware
					#deb https://deb.debian.org/debian-security bookworm-security main contrib non-free-firmware
					deb tor+http://5ajw6aqf3ep7sijnscdzw77t7xq4xjpsy335yb2wiwgouo7yfxtjlmid.onion bookworm-security main contrib non-free-firmware
					#deb https://deb.debian.org/debian bookworm-backports main contrib non-free-firmware
					deb tor+http://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion/debian bookworm-backports main contrib non-free-firmware
				EOF
			##updating template through onionized repositories repositories.
				apt update
				echo
			##upgrading template#
				echo -e "\e[33;1mUpgrading template. Press ENTER to continue or Strg+C to quit... \e[0m"
				read
				apt upgrade -y
				echo
			##installing basic packages. change according to your preferences.
				echo -e "\e[33;1mInstalling the following packages:
					\r\e[31;1mqubes-core-agent-networking qubes-core-agent-passwordless-root qubes-core-agent-thunar qubes-kernel-vm-support qubes-usb-proxy thunar xfce4-notifyd xfce4-terminal zenity
				#	\r\e[31;1mgrub2 linux-image-amd64 linux-headers-amd64 qubes-kernel-vm-support
					\r\e[33;1mPress Enter to continue or Strg+C to quit... \e[0m"
				read
				apt install -y nautilus qubes-core-agent-nautilus qubes-core-agent-networking qubes-core-agent-passwordless-root qubes-core-agent-thunar qubes-usb-proxy thunar xfce4-notifyd xfce4-terminal zenity
				#apt install -y grub2 linux-image-amd64 linux-headers-amd64 qubes-kernel-vm-support
				echo
			##remove unwanted packages. change according to your preferences.
				echo -e "\e[33;1mRemoving the following packages:
					\r\e[31;1mvim* xterm
					\r\e[33;1mPress Enter to continue or Strg+C to quit... \e[0m"
				read
				apt remove -y vim* xterm
				echo
			##setting up automatic deletion of empty QubesIncoming folders.
				echo -e "\e[33;1mConfiguring template to delete empty folders in QubesIncoming. Press ENTER to continue or Strg+C to quit... \e[0m"
				read
				cat <<-EOF > /root/delete_empty_incoming.sh
					#!/bin/sh
					test ! -d /home/user/QubesIncoming || find '/home/user/QubesIncoming/' -mindepth 1 -type d -exec rmdir '{}' \;
				EOF
				chmod +x /root/delete_empty_incoming.sh
				cat <<-EOF > /etc/systemd/system/delete_empty_incoming.service
					[Unit]
					Description=Empty QubesIncoming
					[Service]
					ExecStart=/root/delete_empty_incoming.sh
					[Install]
					WantedBy=multi-user.target
				EOF
				systemctl enable delete_empty_incoming
				systemctl start delete_empty_incoming
				echo
			##create directory /opt/bin to place self created bash commands
				echo -e "\e[33;1mCreating /opt/bin for bash scripts. Press ENTER to continue or Strg+C to quit... \e[0m"
				read
				mkdir /opt/bin
				echo 'export PATH="/opt/bin:$PATH"' >> /etc/profile.d/opt-bin.sh
			##finishing BASIC TEMPLATE install.
				echo -e	"\e[32;1mDEBIAN-12-MINIMAL basic TEMPLATE install successful! Rename template (e.g. d12m). Press ENTER to continue or Strg+C to quit... \e[0m"				
				read
				mainmenu
				;;
			2)
			##preparing basic template.
				echo -e "\e[33;1mBasic Whonix-17 setup (works for workstation and gateway). The following steps will take place:
					\r- APT will be configured to not install recommended and suggested packages
					\r- Template will be onionized
					\r- Template will be upgraded through tor
					\r- Automatic deletion of empty QubesIncoming folders will be set up
					\rPress Enter to continue or Strg+C to quit... \e[0m"
				read
			##configuring apt to not install recommended and suggested packages.
				echo -e "\e[33;1mConfiguring APT to install without recommended/suggested packages. Press ENTER to continue or Strg+C to quit... \e[0m"
				read
				cat <<-EOF > /etc/apt/apt.conf
					APT::Install-Recommends "0";
					APT::Install-Suggests "0";
				EOF
			##oninizing debian repositories. change according to your preferences.
				echo -e "\e[33;1mOnionizing template. Press ENTER to continue or Strg+C to quit... \e[0m"
				read
				cat <<-EOF > /etc/apt/sources.list.d/qubes-r4.list
					# Main qubes updates repository
					#deb [arch=amd64 signed-by=/usr/share/keyrings/qubes-archive-keyring-4.2.gpg ] https://deb.qubes-os.org/r4.2/vm bookworm main
					#deb-src [arch=amd64 signed-by=/usr/share/keyrings/qubes-archive-keyring-4.2.gpg ] https://deb.qubes-os.org/r4.2/vm bookworm main
					# Qubes updates candidates repository
					#deb [arch=amd64 signed-by=/usr/share/keyrings/qubes-archive-keyring-4.2.gpg] https://deb.qubes-os.org/r4.2/vm bookworm-testing main
					#deb-src  [arch=amd64 signed-by=/usr/share/keyrings/qubes-archive-keyring-4.2.gpg ]  https://deb.qubes-os.org/r4.2/vm bookworm-testing main
					# Qubes security updates testing repository
					#deb [arch=amd64 signed-by=/usr/share/keyrings/qubes-archive-keyring-4.2.gpg] https://deb.qubes-os.org/r4.2/vm bookworm-securitytesting main
					#deb-src  [arch=amd64 signed-by=/usr/share/keyrings/qubes-archive-keyring-4.2.gpg ] https://deb.qubes-os.org/r4.2/vm bookworm-securitytesting main
					# Qubes experimental/unstable repository
					#deb [arch=amd64 signed-by=/usr/share/keyrings/qubes-archive-keyring-4.2.gpg] https://deb.qubes-os.org/r4.2/vm bookworm-unstable main
					#deb-src  [arch=amd64 signed-by=/usr/share/keyrings/qubes-archive-keyring-4.2.gpg ] https://deb.qubes-os.org/r4.2/vm bookworm-unstable main
					# Qubes Tor updates repositories
					# Main qubes updates repository
					deb [arch=amd64 signed-by=/usr/share/keyrings/qubes-archive-keyring-4.2.gpg] tor+http://deb.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r4.2/vm bookworm main
					#deb-src  [arch=amd64 signed-by=/usr/share/keyrings/qubes-archive-keyring-4.2.gpg ] tor+http://deb.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r4.2/vm bookworm main
					# Qubes updates candidates repository
					#deb [arch=amd64 signed-by=/usr/share/keyrings/qubes-archive-keyring-4.2.gpg] tor+http://deb.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r4.2/vm bookworm-testing main
					#deb-src  [arch=amd64 signed-by=/usr/share/keyrings/qubes-archive-keyring-4.2.gpg ] tor+http://deb.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r4.2/vm bookworm-testing main
					# Qubes security updates testing repository
					#deb [arch=amd64 signed-by=/usr/share/keyrings/qubes-archive-keyring-4.2.gpg] tor+http://deb.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r4.2/vm bookworm-securitytesting main
					#deb-src  [arch=amd64 signed-by=/usr/share/keyrings/qubes-archive-keyring-4.2.gpg ] tor+http://deb.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r4.2/vm bookworm-securitytesting main
					# Qubes experimental/unstable repository
					#deb [arch=amd64 signed-by=/usr/share/keyrings/qubes-archive-keyring-4.2.gpg] tor+http://deb.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r4.2/vm bookworm-unstable main
					#deb-src  [arch=amd64 signed-by=/usr/share/keyrings/qubes-archive-keyring-4.2.gpg ] tor+http://deb.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r4.2/vm bookworm-unstable main
				EOF
				cat <<-EOF > /etc/apt/sources.list.d/debian.list
					#deb tor+https://deb.debian.org/debian bullseye main contrib non-free
					#deb tor+https://deb.debian.org/debian bullseye-updates main contrib non-free
					#deb tor+https://deb.debian.org/debian-security bullseye-security main contrib non-free
					#deb tor+https://deb.debian.org/debian bullseye-backports main contrib non-free
					deb tor+https://fasttrack.debian.net/debian bullseye-fasttrack main contrib non-free
					deb tor+http://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion/debian bullseye main contrib non-free
					deb tor+http://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion/debian bullseye-updates main contrib non-free
					deb tor+http://5ajw6aqf3ep7sijnscdzw77t7xq4xjpsy335yb2wiwgouo7yfxtjlmid.onion/debian-security bullseye-security main contrib non-free
					deb tor+http://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion/debian bullseye-backports main contrib non-free
					## No onion for fasttrack yet:
					## https://salsa.debian.org/fasttrack-team/support/-/issues/27
				EOF
				repository-dist --enable --transport onion
			##updating template through onionized repositories.
				apt update
				echo
			#upgrading template
				echo -e "\e[33;1mUpgrading template. Press ENTER to continue or Strg+C to quit... \e[0m"
				read
				apt upgrade -y
				echo
			##setting up automatic deletion of empty QubesIncoming folders.
				echo -e "\e[33;1mConfiguring template to delete empty folders in QubesIncoming. Press ENTER to continue or Strg+C to quit... \e[0m"
				read
				cat <<-EOF > /root/delete_empty_incoming.sh
					#!/bin/sh
					test ! -d /home/user/QubesIncoming || find '/home/user/QubesIncoming/' -mindepth 1 -type d -exec rmdir '{}' \;
				EOF
				chmod +x /root/delete_empty_incoming.sh
				cat <<-EOF > /etc/systemd/system/delete_empty_incoming.service
					[Unit]
					Description=Empty QubesIncoming
					[Service]
					ExecStart=/root/delete_empty_incoming.sh
					[Install]
					WantedBy=multi-user.target
				EOF
				systemctl enable delete_empty_incoming
				systemctl start delete_empty_incoming
				echo
			##finishing WHONIX setup.
				echo -e	"\e[32;1mBasic whonix-12 setup successful! For reference follow this link:
					\r\e[35;5;1mhttps://www.whonix.org/
					\rhttps://www.whonix.org/wiki/Onionizing_Repositories\e[0m
					\r\e[32;1mPress ENTER to continue or Strg+C to quit... \e[0m"
				read
				mainmenu
				;;

			3)
				submenu
				;;
			4)
				echo -e "Exiting! \e[0m"
				exit 0
				;;
			*)
				echo -e "Wrong choice. Choose again! \e[0m"
				mainmenu
				;;
		esac
}

##function for advanced TEMPLATE installs
function submenu {
		echo -e "\e[36;1mYou have successfully installed your basic debian-12-minimal. Now choose an advanced debian-12-minimal install. You can combine the installs. Just rerun the script:
			\r 1) NETWORKING TEMPLATE with (MAC and HOSTNAME spoofing)
			\r 2) VPN TEMPLATE
			\r 3) APP TEMPLATE
			\r 4) FLATPAK TEMPLATE
			\r 5) WAYDROID TEMPLATE
			\r 6) Back to basic TEMPLATE install
			\r 7) Exit"
		read submenu_choice
		echo
		case $submenu_choice in
			1)
				echo -e "\e[33;1mPreparing NETWORKING TEMPLATE. The following will happen:
					\r- Networking packages will be installed
					\r- MAC will be spoofed
					\r- Hostname will be spoofed
					\rPress Enter to continue or Strg+C to quit... \e[0m"
				read
				apt update
				echo
			##installing networking packages. change according to your needs.
				echo -e "\e[33;1mInstalling the following packages:
					\r\e[31;1mdnsmasq-base firmware-iwlwifi firmware-misc-nonfree iftop qubes-core-agent-networking qubes-core-agent-network-manager ncat nmap tcpdump wireshark wpasupplicant
					\r\e[33;1mPress Enter to continue or Strg+C to quit... \e[0m"
				read
				apt install -y dnsmasq-base firmware-iwlwifi firmware-misc-nonfree iftop qubes-core-agent-networking qubes-core-agent-network-manager ncat nmap tcpdump wireshark wpasupplicant 
				echo
			##to fully disable ipv6 set template kernelopts to "ivp6.disable=1"
				echo -e "\e[33;1mIf you want to disable ipv6 set kernelopts in dom0 (optional):
					\r\e[35;5;1m$ qvm-prefs [vmname] kernelopts ipv6.disable=1\e[0m
					\r\e[33;1mPress ENTER to continue or Strg+C to quit... \e[0m"
				read
			##spoof mac
				echo -e "\e[33;1mSpoofing MAC. Press ENTER to continue or Strg+C to quit... \e[0m"
				read
				cat <<-EOF > /etc/NetworkManager/conf.d/00-macrandomize.conf
					[device]
					wifi.scan-rand-mac-address=yes
					[connection]
					wifi.cloned-mac-address=stable
					ethernet.cloned-mac-address=stable
					connection.stable-id=${CONNECTION}/${BOOT}
					ipv6.dhcp-duid=stable-uuid
					#use random IPv6 addresses per session / don't leak MAC via IPv6 (cf. RFC 4941):
					ipv6.ip6-privacy=2
				EOF
			##spoof hostname
				echo -e "\e[33;1mSpoofing hostname. Press ENTER to continue or Strg+C to quit... \e[0m"
				read
				cat <<-EOF > /etc/network/if-pre-up.d/00_hostname
					#!/bin/bash
					set -e -o pipefail
					if [ -f "/rw/config/protected-files.d/protect_hostname.txt" ] && rand="$RANDOM" && mv "/etc/hosts.lock" "/etc/hosts.lock.$rand" ; then
					name="PC-$rand"
					echo "$name" > /etc/hostname
					hostname "$name"
					if [ -e /etc/debian_version ]; then
					ipv4_localhost_re="127\.0\.1\.1"
					else
					ipv4_localhost_re="127\.0\.0\.1"
					fi
					sed -i "s/^\($ipv4_localhost_re\(\s.*\)*\s\).*$/\1${name}/" /etc/hosts
					sed -i "s/^\(::1\(\s.*\)*\s\).*$/\1${name}/" /etc/hosts
					fi
					exit 0
				EOF
				chmod +x /etc/network/if-pre-up.d/00_hostname
				touch /etc/hosts.lock
				echo -e "\e[36;1mDEBIAN-12-MINIMAL NETWORKING TEMPLATE install successful! Rename template (e.g. d12m-net). Execute the following command in your NetVM to spoof hostname:
					\r\e[35;5;1msudo bash -c 'mkdir -p /rw/config/protected-files.d/ && echo -e "/etc/hosts\n/etc/hostname" > /rw/config/protected-files.d/protect_hostname.txt' \e[0m
					\r\e[36;1mPress ENTER to continue or Strg+C to quit..."
				read
				submenu
				;;
			2)
				echo -e "\e[33;1mPreparing VPN TEMPLATE! The following will happen: 
					\r- Networking and WIREGUARD packages will be installed
					\rPress Enter to continue or Strg+C to quit... \e[0m"
				read
				apt update
				echo
			##installing networking and vpn packages//no MAC and HOSTNAME spoofing!
				echo -e "\e[33;1mInstalling the following packages:
					\r\e[31;1miftop qubes-core-agent-networking qubes-core-agent-network-manager ncat nmap tcpdump wireguard wireguard-tools wireshark
					\r\e[33;1mPress Enter to continue or Strg+C to quit... \e[0m"
				read
				apt install -y iftop qubes-core-agent-networking qubes-core-agent-network-manager ncat nmap tcpdump wireguard wireguard-tools wireshark
				echo
				echo -e "\e[36;1mDEBIAN-12-MINIMAL VPN TEMPLATE install successful! Rename template (e.g. d12m-vpn). For proper VPN setup follow this link:
					\r\e[35;5;1mhttps://forum.qubes-os.org/t/wireguard-vpn-setup/19141 \e[0m
					\r\e[36;1mPress ENTER to continue or Strg+C to quit... \e[0m"
				read
				submenu
				;;
			3)
				echo -e "\e[33;1mPreparing APP TEMPLATE! The following will happen:
					\r- Selection of app packages will be installed
					\rPress Enter to continue or Strg+C to quit... \e[0m"
				read
				apt update
				echo
			##installing app selection. change according to your preference
				echo -e "\e[33;1mInstalling the following packages:
					\r\e[31;1mbasez curl eog ffmpegthumbnailer gimp gnome-disk-utility gnome-keyring gnome-screenshot gparted gpa gtkhash gvfs-backends iftop keepassxc kleopatra libblockdev-crypto2 libgdk-pixbuf2.0-bin metadata-cleaner mousepad openssh-client pcscd pciutils psmisc pipewire-qubes qubes-vm-recommended qtqr vlc sshfs system-config-printer tigervnc-viewer wget yubikey-personalization zbar-tools
					\r\e[33;1mPress ENTER to continue or Strg+C to quit... \e[0m"
				read
				apt install -y basez curl eog ffmpegthumbnailer gimp gnome-disk-utility gnome-keyring gnome-screenshot gparted gpa gtkhash gvfs-backends iftop keepassxc kleopatra libblockdev-crypto2 libgdk-pixbuf2.0-bin metadata-cleaner mousepad openssh-client pcscd pciutils psmisc pipewire-qubes qubes-vm-recommended qtqr vlc sshfs system-config-printer tigervnc-viewer thunderbird wget yubikey-personalization zbar-tools
				echo
				echo -e "\e[36;1mDEBIAN-12-MINIMAL APP TEMPLATE install successful! Rename template (e.g. d12m-app). Press ENTER to continue or Strg+C to quit... \e[0m"
				read
				submenu
				;;
			4)
				echo -e "\e[33;1mPreparing FLATPAK TEMPLATE! The following will happen:
					\r- Nescessary packages will be installed
					\r- Flathub repo will be added
					\r- Command to proxy flatpak will be created
					\r- Command to manually upgrade flatpaks will be created
					\rPress Enter to continue or Strg+C to quit... \e[0m"
				read
				apt update
				echo
			##installing nescessary packages. change according to your preference
				echo -e "\e[33;1mInstalling the following packages:
					\r\e[31;1mflatpak gnome-software-plugin-flatpak
					\r\e[33;1mPress ENTER to continue or Strg+C to quit... \e[0m"
				read
				apt install -y flatpak gnome-software-plugin-flatpak
				echo
			##adding flatpakrepo
				echo -e "\e[33;1mAdding FLATUHUB repo! Press ENTER to continue or Strg+C to quit... \e[0m"
				read
				export all_proxy=http://127.0.0.1:8082/
				flatpak remote-add --if-not-exists flathub https://dl.flathub.org/repo/flathub.flatpakrepo
			##creating command to proxy flatpaks
				echo -e "\e[33;1mCreating command to proxy flatpak commands in template:
					\r\e[35;5;1mflatpak-proxy \e[0m
					\r\e[33;1mPress ENTER to continue or Strg+C to quit... \e[0m"
				read
				cat <<- 'EOF' | tee /opt/bin/flatpak-proxy >/dev/null
					#!/bin/sh
					https_proxy=http://127.0.0.1:8082 http_proxy=http://127.0.0.1:8082
				EOF
				chmod +x /opt/bin/flatpak-proxy
				echo
			##creating command to manually update flatpaks
				echo -e "\e[33;1mCreating command to update flatpaks in template:
					\r\e[35;5;1mflatpak-update \e[0m
					\r\e[33;1mPress ENTER to continue or Strg+C to quit... \e[0m"
				read
				cat <<- 'EOF' | tee /opt/bin/flatpak-update >/dev/null
					#!/bin/sh
					https_proxy=http://127.0.0.1:8082 http_proxy=http://127.0.0.1:8082 flatpak update -y
				EOF
				chmod +x /opt/bin/flatpak-update
				echo
				echo -e "\e[36;1mDEBIAN-12-MINIMAL FLATPAK TEMPLATE install successful! Rename template (e.g. d12m-flatpak). For a more sophisticated setup check out the following link:
					\r\e[35;5;1mhttps://forum.qubes-os.org/t/flatpak-integration-in-qubes-os-templates/20984
					\r\e[35;5;1mhttps://dataswamp.org/~solene/2023-09-15-flatpak-on-qubesos.html \e[0m
					\r\e[36;1mPress ENTER to continue or Strg+C to quit... \e[0m"
				read
				submenu
				;;
			5)
				echo -e "\e[33;1mPreparing WAYDROID TEMPLATE! The script is based on a community guide: 
					\r\e[35;5;1mhttps://forum.qubes-os.org/t/waydroid-template/23356 \e[0m
					\r\e[33;1mPlease check for reference. Press Enter to continue or Strg+C to quit... \e[0m"
				read
				#####
				###run in dom0
				#sudo qubes-dom0-update grub2-xen-pvh
				#qvm-run -u root d12m-waydroid xterm &

				###running script from:
				#https://forum.qubes-os.org/t/waydroid-template/23356

				##installinge waydroid
				apt install -y sway qubes-core-agent-networking pulseaudio ca-certificates extrepo grub2 linux-image-amd64 linux-headers-amd64 qubes-kernel-vm-support
				https_proxy=http://127.0.0.1:8082 http_proxy=http://127.0.0.1:8082 extrepo enable waydroid
				apt update
				apt install -y waydroid pipewire-pulse

				##configuring waydroid not to sart in container
				mkdir -p /etc/systemd/system/waydroid-container.service.d
				cat <<- 'EOF' | tee /etc/systemd/system/waydroid-container.service.d/override.conf >/dev/null
				[Unit]
				ConditionPathExists=!/run/qubes/this-is-templatevm
				EOF

				##initializing waydroid
				https_proxy=http://127.0.0.1:8082 http_proxy=http://127.0.0.1:8082 waydroid init

				##installing waydroid clipboard support
				apt install -y curl unzip
				curl --proxy http://127.0.0.1:8082/ --tlsv1.2 --proto =https --max-time 180 https://codeload.github.com/cdown/clipnotify/zip/refs/heads/master -o clipnotify-master.zip
				unzip -j clipnotify-master.zip -d clipnotify
				cd clipnotify

				##build and install clipnotify
				apt install -y build-essential libx11-dev libxtst-dev
				mkdir -p /opt/bin
				sed -i "s|/usr/local|/opt|g" Makefile
				make
				make install
				echo 'export PATH="/opt/bin:$PATH"' >> /etc/profile.d/opt-bin.sh

				##install x11 and wayland clipboard cli tools
				apt install -y xclip wl-clipboard

				##configure sway to run script that will automatically transfer of clipboard content between X11 and Wayland on sway start
				echo "exec /opt/bin/x11-wl-clip.sh" > /etc/sway/config.d/99-x11-wl-clip.conf
				mkdir -p /opt/bin
				cat <<- 'EOF' | tee /opt/bin/x11-wl-clip.sh >/dev/null
				#!/bin/bash
				x11_wl='while DISPLAY=":0" clipnotify -s clipboard; do xclip -d ":0" -selection clipboard -o | wl-copy; done'
				wl_x11='wl-paste -nw xclip -d ":0" -selection clipboard'
				eval "${x11_wl}" &>/dev/null &
				eval "${wl_x11}" &>/dev/null
				pstree -A -p $$ | grep -Eow "[0-9]+" | xargs kill &>/dev/null
				EOF
				chmod +x /opt/bin/x11-wl-clip.sh

				##install pyclip
				apt install -y xclip wl-clipboard pip python3-venv
				python3 -m venv /opt/venv/pyclip
				source /opt/venv/pyclip/bin/activate
				pip install --proxy http://127.0.0.1:8082 pyclip
				deactivate
				echo 'export PATH="$PATH:/opt/venv/pyclip/bin"' >> /etc/profile.d/python-venv.sh
				echo 'export PYTHONPATH="$PYTHONPATH:/opt/venv/pyclip/lib/python3.11/site-packages"' >> /etc/profile.d/python-venv.sh

				##configure firewall
				cat <<- 'EOF' | tee /etc/systemd/system/waydroid-firewall.service >/dev/null
				[Unit]
				ConditionPathExists=!/run/qubes/this-is-templatevm
				PartOf=waydroid-container.service
				After=waydroid-container.service
				BindsTo=waydroid-container.service
				Requires=qubes-iptables.service
				After=qubes-iptables.service
				BindsTo=qubes-iptables.service
				[Service]
				Type=oneshot
				ExecStart=/usr/bin/bash -c "if (nft create chain ip qubes waydroid-input) &>/dev/null; then nft add rule ip qubes custom-input jump waydroid-input; fi"
				ExecStart=/usr/bin/bash -c "if (nft create chain ip qubes waydroid-forward) &>/dev/null; then nft add rule ip qubes custom-forward jump waydroid-forward; fi"
				ExecStart=/usr/sbin/nft add rule ip qubes waydroid-input iifname "waydroid0" meta l4proto {tcp, udp} th dport { 53, 67 } accept
				ExecStart=/usr/sbin/nft add rule ip qubes waydroid-forward iifname "waydroid0" oifgroup 1 accept
				ExecStart=/usr/sbin/nft add rule ip qubes waydroid-forward oifname "waydroid0" iifgroup 1 accept
				ExecStop=/usr/sbin/nft flush chain ip qubes waydroid-input
				ExecStop=/usr/sbin/nft flush chain ip qubes waydroid-forward
				RemainAfterExit=yes
				[Install]
				WantedBy=waydroid-container.service
				EOF
				systemctl daemon-reload
				systemctl enable waydroid-firewall.service

				##disable window title bar
				echo "default_border none" > /etc/sway/config.d/94-disable-window-titlebar.conf
				perl -0777 -i -pe 's/(^\h*bar\s*|\v\h*bar\s*)(\{(?:(?>[^{}]+)|(?-1))*\})//g' /etc/sway/config

				##create desktop file to start waydroid
				apt install -y x11-utils
				cat <<- 'EOF' | tee /opt/bin/sway-waydroid.sh >/dev/null
				#!/bin/bash
				sway &>/dev/null &
				WAYLAND_DISPLAY="wayland-1" XDG_SESSION_TYPE="wayland" DISPLAY=":1" waydroid first-launch &>/dev/null &
				for i in $(seq 1 3);
				do
				    if xwininfo -name "wlroots - X11-1" &>/dev/null; then
					break
				    fi
				    sleep 1
				done
				while xwininfo -name "wlroots - X11-1" &>/dev/null; do
				    sleep 2
				done
				WAYLAND_DISPLAY="wayland-1" XDG_SESSION_TYPE="wayland" DISPLAY=":1" waydroid session stop &>/dev/null
				pstree -A -p $$ | grep -Eow "[0-9]+" | xargs kill &>/dev/null
				EOF
				chmod +x /opt/bin/sway-waydroid.sh

				cat <<- 'EOF' | tee /usr/share/applications/Waydroid-Sway.desktop >/dev/null
				[Desktop Entry]
				Type=Application
				Name=Waydroid-Sway
				Exec=/opt/bin/sway-waydroid.sh
				Icon=waydroid
				Categories=X-WayDroid-App;
				X-Purism-FormFactor=Workstation;Mobile;
				EOF

				##create script to install apk in waydroid
				cat <<- 'EOF' | tee /opt/bin/waydroid-install-apk >/dev/null
				#!/bin/sh
				WAYLAND_DISPLAY="wayland-1" XDG_SESSION_TYPE="wayland" DISPLAY=":1" waydroid app install $1
				EOF
				chmod +x /opt/bin/waydroid-install-apk

				##create script to upgrade waydroid
				cat <<- 'EOF' | tee /opt/bin/waydroid-upgrade >/dev/null
				#!/bin/sh
				https_proxy=http://127.0.0.1:8082 http_proxy=http://127.0.0.1:8082 waydroid upgrade
				EOF
				chmod +x /opt/bin/waydroid-upgrade

				##create script to reinitialize waydroid after kernel switch
				cat <<- 'EOF' | tee /opt/bin/waydroid-reinitialize >/dev/null
				#!/bin/sh
				https_proxy=http://127.0.0.1:8082 http_proxy=http://127.0.0.1:8082 waydroid init -f
				EOF
				chmod +x /opt/bin/waydroid-reinitialize

				##install file thunar manager
				apt install -y thunar qubes-core-agent-thunar

				##enable sound in r4.2
				apt install -y pipewire-qubes

				echo -e "\e[36;1mDEBIAN-12-MINIMAL WAYDROID TEMPLATE install successful! Rename template (e.g. d12m-waydroid). The following bash commands were created:
					\r\e[35;5;1m'waydroid-install-apk' for installing apks in appvm running waydroid
					\r'waydroid-upgrade' for manual upgrade of waydroid in template
					\r'waydroid-reinitialize' for reinitializing waydroid after kernel switch \e[0m
					\r\e[36;1mPress ENTER to continue or Strg+C to quit... \e[0m"
				read
				submenu
				;;
			6)
				echo -e "Back to BASIC TEMPLATE install! \e[0m"
				mainmenu
				;;
			7)
				echo -e "Exiting! \e[0m"
				exit 0
				;;
			*)
				echo -e "Wrong choice. Choose again! \e[0m"
				submenu
				;;
		esac

}
#start script
mainmenu

2 Likes

Thanks for sharing this :heart:

Nice to see what other people put in their templates.

Would suggest writing to a separate configuration file in /etc/apt/apt.conf.d for your custom changes instead of /etc/apt/apt.conf

1 Like

Thanks…yeah I might change that with apt.conf…was a little lazy there.

The packages are just a rudimentary selection. As I wrote just adjust it to your needs. The networking packages are chosen for my hardware.

1 Like