Continuing the discussion from Setting up debian-12-minimal and whonix-17 templates:
R4.3rc1 is out and with it the new debian-13-minimal template. So I tried to adapt the script from my previous guide. Since there are some changes with the new whonix-17 templates of which I am not fully aware yet I excluded them form this guide.
With this script you will be able to easily setup your debian-13-minimal templates for different use cases (e.g. NETWORKING, VPN, APP, FLATPAK, SIGNAL-Desktop, MULLVAD-Browser; further explained in the menu when running the script).
As previously stated I am not an IT expert - just an interested user. I am sure there are better ways to write up the code. Feel free to test it and to give feedback. If you do not like my package selection you can very easily change it in the script. Please checkout my references to other community guides (highlighted when running the script)!
This script is written to be used with QubesOS R4.3. Run it as root in debian-13-minimal. You might want to use my script-injector (check out the link: Setting up dom0 after fresh install - onionizing repos and other little things ; you will find the script-injector at the end of the script). It allows you to inject scripts from dom0 into a template or vm.
template-setup.sh:
#!/bin/bash
#main menu
function mainmenu {
echo -e "\e[32;1mWelcome to meta-installer. This script is meant to help you set up debian-12-minimal and whonix templates. Choose option to proceed:
\r 1) Basic debian-13-minimal install
\r 2) Advanced debian-13-minimal installs
\r 3) Exit"
read mainmenu_choice
echo
case $mainmenu_choice in
1)
##preparing basic template.
echo -e "\e[33;1mPreparing basic debian-13-minimal template install. The following steps will take place:
\r- APT will be configured to not install recommended and suggested packages.
\r- Template will be onionized.
\r- Template will be upgraded through tor.
\r- A selection of packages will be installed. Changed to your liking in script.
\r- Preparing template to spoofing hostname.
\r- Automatic deletion of empty QubesIncoming folders will be set up.
\r- Directory for placing bash scrips (root user) will be created.
\rPress Enter to continue or Strg+C to quit... \e[0m"
read
##configuring apt to not install recommended and suggested packages.
cat <<- 'EOF' > /etc/apt/apt.conf.d/90no-recommends-no-suggests
APT::Install-Recommends "0";
APT::Install-Suggests "0";
EOF
##updating template.
apt update
echo
##installing apt-transport-tor to onionize debian repositories in next step
apt install -y apt-transport-tor
echo
##oninizing debian repositories. change according to your preferences
cat <<- 'EOF' > /etc/apt/sources.list.d/qubes-r4.list
# Main qubes updates repository
#deb [arch=amd64 signed-by=/usr/share/keyrings/qubes-archive-keyring-4.3.gpg ] https://deb.qubes-os.org/r4.3/vm trixie main
#deb-src [arch=amd64 signed-by=/usr/share/keyrings/qubes-archive-keyring-4.3.gpg ] https://deb.qubes-os.org/r4.3/vm trixie main
# Qubes updates candidates repository
#deb [arch=amd64 signed-by=/usr/share/keyrings/qubes-archive-keyring-4.3.gpg] https://deb.qubes-os.org/r4.3/vm trixie-testing main
#deb-src [arch=amd64 signed-by=/usr/share/keyrings/qubes-archive-keyring-4.3.gpg ] https://deb.qubes-os.org/r4.3/vm trixie-testing main
# Qubes security updates testing repository
#deb [arch=amd64 signed-by=/usr/share/keyrings/qubes-archive-keyring-4.3.gpg] https://deb.qubes-os.org/r4.3/vm trixie-securitytesting main
#deb-src [arch=amd64 signed-by=/usr/share/keyrings/qubes-archive-keyring-4.3.gpg ] https://deb.qubes-os.org/r4.3/vm trixie-securitytesting main
# Qubes experimental/unstable repository
#deb [arch=amd64 signed-by=/usr/share/keyrings/qubes-archive-keyring-4.3.gpg] https://deb.qubes-os.org/r4.3/vm trixie-unstable main
#deb-src [arch=amd64 signed-by=/usr/share/keyrings/qubes-archive-keyring-4.3.gpg ] https://deb.qubes-os.org/r4.3/vm trixie-unstable main
# Qubes Tor updates repositories
# Main qubes updates repository
deb [arch=amd64 signed-by=/usr/share/keyrings/qubes-archive-keyring-4.3.gpg] tor+http://deb.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r4.3/vm trixie main
#deb-src [arch=amd64 signed-by=/usr/share/keyrings/qubes-archive-keyring-4.3.gpg ] tor+http://deb.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r4.3/vm trixie main
# Qubes updates candidates repository
#deb [arch=amd64 signed-by=/usr/share/keyrings/qubes-archive-keyring-4.3.gpg] tor+http://deb.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r4.3/vm trixie-testing main
#deb-src [arch=amd64 signed-by=/usr/share/keyrings/qubes-archive-keyring-4.3.gpg ] tor+http://deb.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r4.3/vm trixie-testing main
# Qubes security updates testing repository
#deb [arch=amd64 signed-by=/usr/share/keyrings/qubes-archive-keyring-4.3.gpg] tor+http://deb.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r4.3/vm trixie-securitytesting main
#deb-src [arch=amd64 signed-by=/usr/share/keyrings/qubes-archive-keyring-4.3.gpg ] tor+http://deb.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r4.3/vm trixie-securitytesting main
# Qubes experimental/unstable repository
#deb [arch=amd64 signed-by=/usr/share/keyrings/qubes-archive-keyring-4.3.gpg] tor+http://deb.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r4.3/vm trixie-unstable main
#deb-src [arch=amd64 signed-by=/usr/share/keyrings/qubes-archive-keyring-4.3.gpg ] tor+http://deb.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r4.3/vm trixie-unstable main
EOF
cat <<- 'EOF' > /etc/apt/sources.list
#deb https://deb.debian.org/debian trixie main contrib non-free-firmware
deb tor+http://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion/debian trixie main contrib non-free-firmware
#deb https://deb.debian.org/debian-security trixie-security main contrib non-free-firmware
deb tor+http://5ajw6aqf3ep7sijnscdzw77t7xq4xjpsy335yb2wiwgouo7yfxtjlmid.onion trixie-security main contrib non-free-firmware
#deb https://deb.debian.org/debian trixie-backports main contrib non-free-firmware
deb tor+http://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion/debian trixie-backports main contrib non-free-firmware
EOF
##updating template through onionized repositories repositories.
apt update
echo
##upgrading template.
apt upgrade -y
echo
##installing basic packages. change according to your preferences.
apt install -y curl qubes-core-agent-networking qubes-core-agent-thunar qubes-kernel-vm-support qubes-usb-proxy thunar wget wireshark xfce4-notifyd xfce4-terminal zenity
echo
##preparing template to spoofing hostname.
bash -c 'mkdir -p /rw/config/protected-files.d/ && echo -e "/etc/hosts\n/etc/hostname" > /rw/config/protected-files.d/protect_hostname.txt'
##setting PATH to /opt/bin for bash scripts on root level.
cat <<- 'EOF' > /etc/profile.d/opt-bin.sh
export PATH="/opt/bin:$PATH"
EOF
##setting up automatic deletion of empty QubesIncoming folders..
mkdir /opt/bin
cat <<- 'EOF' > /opt/bin/clean-incoming
#!/bin/sh
test ! -d /home/user/QubesIncoming || find '/home/user/QubesIncoming/' -mindepth 1 -type d -exec rmdir '{}' \;
EOF
chmod +x /opt/bin/clean-incoming
cat <<- 'EOF' > /etc/systemd/system/clean-incoming.service
[Unit]
Description=Empty QubesIncoming
[Service]
ExecStart=/opt/bin/clean-incoming
[Install]
WantedBy=multi-user.target
EOF
systemctl enable clean-incoming
systemctl start clean-incoming
echo
##finishing BASIC TEMPLATE install.
echo -e "\e[32;1mDEBIAN-13-MINIMAL basic TEMPLATE install successful! Rename template (e.g. d13m). Press ENTER to continue or Strg+C to quit... \e[0m"
read
mainmenu
;;
2)
submenu
;;
3)
echo -e "Exiting! \e[0m"
exit 0
;;
*)
echo -e "Wrong choice. Choose again! \e[0m"
mainmenu
;;
esac
}
##function for advanced TEMPLATE installs
function submenu {
echo -e "\e[36;1mYou have successfully installed your basic debian-13-minimal. Now choose an advanced debian-13-minimal install. You can combine the installs. Just re-run the script:
\r 1) NETWORKING TEMPLATE with (MAC and HOSTNAME spoofing)
\r 2) VPN TEMPLATE
\r 3) APP TEMPLATE
\r 4) FLATPAK TEMPLATE
\r 5) WAYDROID TEMPLATE
\r 6) SIGNAL-Dektop TEMPLATE
\r 7) MULLVAD-Browser TEMPLATE
\r 8) Back to basic TEMPLATE install
\r 9) Exit"
read submenu_choice
echo
case $submenu_choice in
1)
echo -e "\e[33;1mPreparing NETWORKING TEMPLATE. The following will happen:
\r- Networking packages will be installed
\r- MAC will be spoofed
\r- Hostname will be spoofed
\rPress Enter to continue or Strg+C to quit... \e[0m"
read
##installing networking packages. change according to your prefernces.
apt update
apt install -y dnsmasq-base firmware-iwlwifi firmware-misc-nonfree iftop openssh-client qubes-core-agent-networking qubes-core-agent-network-manager ncat nmap tcpdump wakeonlan wireshark wpasupplicant
echo
##to fully disable ipv6 set template kernelopts to "ivp6.disable=1".
echo -e "\e[33;1mIf you want to disable ipv6 set kernelopts in dom0 (optional):
\r\e[35;5;1m$ qvm-prefs [vmname] kernelopts ipv6.disable=1\e[0m
\r\e[33;1mPress ENTER to continue or Strg+C to quit... \e[0m"
read
##spoof mac.
cat <<- 'EOF' > /etc/NetworkManager/conf.d/00-macrandomize.conf
[device]
wifi.scan-rand-mac-address=yes
[connection]
wifi.cloned-mac-address=stable
ethernet.cloned-mac-address=stable
connection.stable-id=${CONNECTION}/${BOOT}
ipv6.dhcp-duid=stable-uuid
#use random IPv6 addresses per session / don't leak MAC via IPv6 (cf. RFC 4941):
ipv6.ip6-privacy=2
EOF
##spoof hostname
cat <<- 'EOF' > /etc/network/if-pre-up.d/00_hostname
#!/bin/bash
set -e -o pipefail
if [ -f "/rw/config/protected-files.d/protect_hostname.txt" ] && rand="$RANDOM" && mv "/etc/hosts.lock" "/etc/hosts.lock.$rand" ; then
name="PC-$rand"
echo "$name" > /etc/hostname
hostname "$name"
if [ -e /etc/debian_version ]; then
ipv4_localhost_re="127\.0\.1\.1"
else
ipv4_localhost_re="127\.0\.0\.1"
fi
sed -i "s/^\($ipv4_localhost_re\(\s.*\)*\s\).*$/\1${name}/" /etc/hosts
sed -i "s/^\(::1\(\s.*\)*\s\).*$/\1${name}/" /etc/hosts
fi
exit 0
EOF
chmod +x /etc/network/if-pre-up.d/00_hostname
touch /etc/hosts.lock
echo -e "\e[36;1mDEBIAN-13-MINIMAL NETWORKING TEMPLATE install successful! Rename template (e.g. d13m-net). Execute the following command in your NetVM to spoof hostname:
\r\e[36;1mPress ENTER to continue or Strg+C to quit..."
read
submenu
;;
2)
echo -e "\e[33;1mPreparing VPN TEMPLATE! The following will happen:
\r- Networking and WIREGUARD packages will be installed.
\r- Random VPN autostart will be implemented via systemd service.
\rPress Enter to continue or Strg+C to quit... \e[0m"
read
echo
apt update
echo
##installing networking and vpn packages//no MAC spoofing - it breaks the vpn!
apt install -y iftop qubes-core-agent-networking qubes-core-agent-network-manager ncat nmap tcpdump wireguard wireguard-tools wireshark
echo
##setting up autostart for random VPN as service.
mkdir /opt/bin
cat <<- 'EOF' > /opt/bin/random-vpn
#!/bin/sh
sleep 2
RANDOM_VPN=$(nmcli connection show | awk '/wireguard/ { print $1 }' | sort -R | head -n 1)
nmcli connection up "$RANDOM_VPN"
EOF
chmod +x /opt/bin/random-vpn
cat <<- 'EOF' > /etc/systemd/system/random-vpn.service
[Unit]
Description=random vpn
[Service]
ExecStart=/opt/bin/random-vpn
[Install]
WantedBy=multi-user.target
EOF
systemctl enable random-vpn
systemctl start random-vpn
echo
##script to install multiple wireguard configuration files and setting up firewall rules
##run as root
cat <<- 'EOF' > /opt/bin/wireguard-setup
#!/bin/bash
#delete old wiregurad connections
mapfile -t old_wg < <(nmcli -t -f NAME,TYPE connection show | awk -F: '$2=="wireguard"{print $1}')
for name in "${old_wg[@]}"; do
[ -n "$name" ] || continue
nmcli connection delete "$name"
done
#choose wireguard conf files you want to import
selection="$(GTK_THEME=Adwaita:dark zenity --file-selection \
--title="Choose wireguard conf files you want to import (*.conf)" \
--multiple \
--separator="|" \
--file-filter="*.conf | *.conf" \
--file-filter="... | *" || true)"
[ -n "${selection}" ] || exit 0
IFS='|' read -r -a confs <<< "$selection"
#nmcli file import
for conf in "${confs[@]}"; do
nmcli connection import type wireguard file "$conf"
done
#deactivate autoconnect and discoonect all connections
mapfile -t wg_names < <(nmcli -t -f NAME,TYPE connection show | awk -F: '$2=="wireguard"{print $1}')
for name in "${wg_names[@]}"; do
nmcli connection modify "$name" connection.autoconnect no
nmcli connection down "$name" >/dev/null 2>&1 || true
done
zenity --info --text="Done.\nImported: ${#confs[@]}\nautoconnect deactivated."
#setting up custom firewall rules.
mkdir /rw/config/qubes-firewall.d
read -p "Setting up firewall to provide killswitch. Do not forget to enable qubes-firewall service in qube settings. Input your cutsom DNS for leak protection (check wireguard conf files): " DNS
cat <<- EOT > /rw/config/qubes-firewall.d/custom-firewall
#!/bin/bash
nft add rule qubes custom-forward oifname eth0 counter drop
nft add rule ip6 qubes custom-forward oifname eth0 counter drop
nft add chain qubes nat { type nat hook prerouting priority dstnat\; }
nft add rule qubes nat iifname == "vif*" tcp dport 53 dnat "$DNS"
nft add rule qubes nat iifname == "vif*" udp dport 53 dnat "$DNS"
EOT
chmod +x /rw/config/qubes-firewall.d/custom-firewall
EOF
chmod +x /opt/bin/wireguard-setup
echo -e "\e[36;1mDEBIAN-13-MINIMAL VPN TEMPLATE install successful! Rename template (e.g. d13m-vpn). To set up your VPN qube run the wireguard-importer script as root. For further VPN setup follow this link:
\r\e[35;5;1mhttps://forum.qubes-os.org/t/wireguard-vpn-setup/19141 \e[0m
\r\e[36;1mPress ENTER to continue or Strg+C to quit... \e[0m"
read
submenu
;;
3)
echo -e "\e[33;1mPreparing APP TEMPLATE! The following will happen:
\r- Selection of app packages will be installed
\rPress Enter to continue or Strg+C to quit... \e[0m"
read
echo
apt update
echo
##installing app selection. change according to your preference.
apt install -y adb basez cups eog ffmpegthumbnailer firefox-esr gimp git gnome-disk-utility gnome-keyring gnome-screenshot gparted gtkhash gvfs-backends iftop keepassxc kleopatra libblockdev-crypto3 libgdk-pixbuf2.0-bin libreoffice metadata-cleaner mousepad openssh-client pcscd pciutils psmisc pipewire pipewire-alsa pipewire-audio pipewire-qubes qubes-u2f qubes-vm-recommended qtqr vlc simple-scan ssh-askpass-gnome sshfs system-config-printer tigervnc-viewer thunderbird tumbler tumbler-plugins-extra wakeonlan wireshark wget yubikey-personalization zbar-tools zenity
echo
##removing passwordless root which was installed with qubes-vm-recommended.
apt remove -y qubes-core-agent-passwordless-root
echo
echo -e "\e[36;1mDEBIAN-13-MINIMAL APP TEMPLATE install successful! Rename template (e.g. d13m-app). Press ENTER to continue or Strg+C to quit... \e[0m"
read
submenu
;;
4)
echo -e "\e[33;1mPreparing FLATPAK TEMPLATE! The following will happen:
\r- Nescessary packages will be installed
\r- Flathub repo will be added
\r- Command to proxy flatpak will be created
\r- Command to manually upgrade flatpaks will be created
\rPress Enter to continue or Strg+C to quit... \e[0m"
read
echo
apt update
echo
##installing nescessary packages. change according to your preferences.
apt install -y flatpak gnome-software-plugin-flatpak
echo
##adding flatpakrepo
export all_proxy=http://127.0.0.1:8082/
flatpak remote-add --if-not-exists flathub https://dl.flathub.org/repo/flathub.flatpakrepo
##creating script to install flatpaks from FLATHUB in template
echo
cat <<- 'EOF' | tee /opt/bin/flathub-install >/dev/null
#!/bin/sh
echo "\e[33;1mTo install flatpak paste prompt line from FLATHUB:\e[0m"
read PROMPT_LINE
export all_proxy=http://127.0.0.1:8082/
$PROMPT_LINE
EOF
chmod +x /opt/bin/flathub-install
echo
##creating script to update flatpaks
echo
cat <<- 'EOF' | tee /opt/bin/flatpak-update >/dev/null
#!/bin/sh
export all_proxy=http://127.0.0.1:8082/
flatpak update -y
EOF
chmod +x /opt/bin/flatpak-update
echo
echo -e "\e[36;1mDEBIAN-13-MINIMAL FLATPAK TEMPLATE install successful! Rename template (e.g. d13m-flatpak). For a more sophisticated setup check out the following link:
\r\e[35;5;1mhttps://forum.qubes-os.org/t/flatpak-integration-in-qubes-os-templates/20984
\r\e[36;1mPress ENTER to continue or Strg+C to quit... \e[0m"
read
submenu
;;
5)
echo -e "\e[33;1mPreparing WAYDROID TEMPLATE! The script is based on a community guide:
\r\e[35;5;1mhttps://forum.qubes-os.org/t/waydroid-template/23356 \e[0m
\r\e[33;1mPlease check for reference. Press Enter to continue or Strg+C to quit... \e[0m"
read
#####
###run in dom0
#sudo qubes-dom0-update grub2-xen-pvh
#qvm-run -u root d12m-waydroid xterm &
###running script from:
#https://forum.qubes-os.org/t/waydroid-template/23356
cat <<- 'EOF' > /etc/apt/apt.conf.d/90no-recommends-no-suggests
APT::Install-Recommends "0";
APT::Install-Suggests "0";
EOF
apt update
##installing waydroid
apt install -y sway qubes-core-agent-networking pulseaudio ca-certificates extrepo grub2 linux-image-amd64 linux-headers-amd64 qubes-kernel-vm-support
https_proxy=http://127.0.0.1:8082 http_proxy=http://127.0.0.1:8082 extrepo enable waydroid
apt update
apt install -y waydroid pipewire-pulse
##configuring waydroid not to sart in container
mkdir -p /etc/systemd/system/waydroid-container.service.d
cat <<- 'EOF' | tee /etc/systemd/system/waydroid-container.service.d/override.conf >/dev/null
[Unit]
ConditionPathExists=!/run/qubes/this-is-templatevm
EOF
##initializing waydroid
https_proxy=http://127.0.0.1:8082 http_proxy=http://127.0.0.1:8082 waydroid init
##installing waydroid clipboard support
apt install -y curl unzip
curl --proxy http://127.0.0.1:8082/ --tlsv1.2 --proto =https --max-time 180 https://codeload.github.com/cdown/clipnotify/zip/refs/heads/master -o clipnotify-master.zip
unzip -j clipnotify-master.zip -d clipnotify
cd clipnotify
##build and install clipnotify
apt install -y build-essential libx11-dev libxtst-dev
mkdir -p /opt/bin
sed -i "s|/usr/local|/opt|g" Makefile
make
make install
echo 'export PATH="/opt/bin:$PATH"' >> /etc/profile.d/opt-bin.sh
##install x11 and wayland clipboard cli tools
apt install -y xclip wl-clipboard
##configure sway to run script that will automatically transfer of clipboard content between X11 and Wayland on sway start
echo "exec /opt/bin/x11-wl-clip.sh" > /etc/sway/config.d/99-x11-wl-clip.conf
mkdir -p /opt/bin
cat <<- 'EOF' | tee /opt/bin/x11-wl-clip.sh >/dev/null
#!/bin/bash
x11_wl='while DISPLAY=":0" clipnotify -s clipboard; do xclip -d ":0" -selection clipboard -o | wl-copy; done'
wl_x11='wl-paste -nw xclip -d ":0" -selection clipboard'
eval "${x11_wl}" &>/dev/null &
eval "${wl_x11}" &>/dev/null
pstree -A -p $$ | grep -Eow "[0-9]+" | xargs kill &>/dev/null
EOF
chmod +x /opt/bin/x11-wl-clip.sh
##install pyclip
apt install -y xclip wl-clipboard pip python3-venv
python3 -m venv /opt/venv/pyclip
source /opt/venv/pyclip/bin/activate
pip install --proxy http://127.0.0.1:8082 pyclip
deactivate
echo 'export PATH="$PATH:/opt/venv/pyclip/bin"' >> /etc/profile.d/python-venv.sh
echo 'export PYTHONPATH="$PYTHONPATH:/opt/venv/pyclip/lib/python3.11/site-packages"' >> /etc/profile.d/python-venv.sh
##configure firewall
cat <<- 'EOF' | tee /etc/systemd/system/waydroid-firewall.service >/dev/null
[Unit]
ConditionPathExists=!/run/qubes/this-is-templatevm
PartOf=waydroid-container.service
After=waydroid-container.service
BindsTo=waydroid-container.service
Requires=qubes-iptables.service
After=qubes-iptables.service
BindsTo=qubes-iptables.service
[Service]
Type=oneshot
ExecStart=/usr/bin/bash -c "if (nft create chain ip qubes waydroid-input) &>/dev/null; then nft add rule ip qubes custom-input jump waydroid-input; fi"
ExecStart=/usr/bin/bash -c "if (nft create chain ip qubes waydroid-forward) &>/dev/null; then nft add rule ip qubes custom-forward jump waydroid-forward; fi"
ExecStart=/usr/sbin/nft add rule ip qubes waydroid-input iifname "waydroid0" meta l4proto {tcp, udp} th dport { 53, 67 } accept
ExecStart=/usr/sbin/nft add rule ip qubes waydroid-forward iifname "waydroid0" oifgroup 1 accept
ExecStart=/usr/sbin/nft add rule ip qubes waydroid-forward oifname "waydroid0" iifgroup 1 accept
ExecStop=/usr/sbin/nft flush chain ip qubes waydroid-input
ExecStop=/usr/sbin/nft flush chain ip qubes waydroid-forward
RemainAfterExit=yes
[Install]
WantedBy=waydroid-container.service
EOF
systemctl daemon-reload
systemctl enable waydroid-firewall.service
##disable window title bar
echo "default_border none" > /etc/sway/config.d/94-disable-window-titlebar.conf
perl -0777 -i -pe 's/(^\h*bar\s*|\v\h*bar\s*)(\{(?:(?>[^{}]+)|(?-1))*\})//g' /etc/sway/config
##create desktop file to start waydroid
apt install -y x11-utils
cat <<- 'EOF' | tee /opt/bin/sway-waydroid.sh >/dev/null
#!/bin/bash
sway &>/dev/null &
WAYLAND_DISPLAY="wayland-1" XDG_SESSION_TYPE="wayland" DISPLAY=":1" waydroid first-launch &>/dev/null &
for i in $(seq 1 3);
do
if xwininfo -name "wlroots - X11-1" &>/dev/null; then
break
fi
sleep 1
done
while xwininfo -name "wlroots - X11-1" &>/dev/null; do
sleep 2
done
WAYLAND_DISPLAY="wayland-1" XDG_SESSION_TYPE="wayland" DISPLAY=":1" waydroid session stop &>/dev/null
pstree -A -p $$ | grep -Eow "[0-9]+" | xargs kill &>/dev/null
EOF
chmod +x /opt/bin/sway-waydroid.sh
cat <<- 'EOF' | tee /usr/share/applications/Waydroid-Sway.desktop >/dev/null
[Desktop Entry]
Type=Application
Name=Waydroid-Sway
Exec=/opt/bin/sway-waydroid.sh
Icon=waydroid
Categories=X-WayDroid-App;
X-Purism-FormFactor=Workstation;Mobile;
EOF
##create script to install apk in waydroid
cat <<- 'EOF' | tee /opt/bin/waydroid-install-apk >/dev/null
#!/bin/sh
WAYLAND_DISPLAY="wayland-1" XDG_SESSION_TYPE="wayland" DISPLAY=":1" waydroid app install $1
EOF
chmod +x /opt/bin/waydroid-install-apk
##create script to upgrade waydroid
cat <<- 'EOF' | tee /opt/bin/waydroid-upgrade >/dev/null
#!/bin/sh
https_proxy=http://127.0.0.1:8082 http_proxy=http://127.0.0.1:8082 waydroid upgrade
EOF
chmod +x /opt/bin/waydroid-upgrade
##create script to reinitialize waydroid after kernel switch
cat <<- 'EOF' | tee /opt/bin/waydroid-reinitialize >/dev/null
#!/bin/sh
https_proxy=http://127.0.0.1:8082 http_proxy=http://127.0.0.1:8082 waydroid init -f
EOF
chmod +x /opt/bin/waydroid-reinitialize
##install file thunar manager
apt install -y thunar qubes-core-agent-thunar
##enable sound in r4.2
apt install -y pipewire-qubes
echo -e "\e[36;1mDEBIAN-13-MINIMAL WAYDROID TEMPLATE install successful! Rename template (e.g. d13m-waydroid). The following bash commands were created:
\r\e[35;5;1m'waydroid-install-apk' for installing apks in appvm running waydroid
\r'waydroid-upgrade' for manual upgrade of waydroid in template
\r'waydroid-reinitialize' for reinitializing waydroid after kernel switch \e[0m
\r\e[36;1mPress ENTER to continue or Strg+C to quit... \e[0m"
read
submenu
;;
6)
echo -e "\e[33;1mPreparing SIGNAL-Desktop TEMPLATE! The following will happen:
\r- Nescessary packages will be installed from SIGNAL repository.
\rPress Enter to continue or Strg+C to quit... \e[0m"
read
echo
export https_proxy=http://127.0.0.1:8082 http_proxy=http://127.0.0.1:8082
# NOTE: These instructions only work for 64-bit Debian-based
# Linux distributions such as Ubuntu, Mint etc.
# 1. Install our official public software signing key:
wget -O- https://updates.signal.org/desktop/apt/keys.asc | gpg --dearmor > signal-desktop-keyring.gpg;
cat signal-desktop-keyring.gpg | sudo tee /usr/share/keyrings/signal-desktop-keyring.gpg > /dev/null
# 2. Add our repository to your list of repositories:
wget -O signal-desktop.sources https://updates.signal.org/static/desktop/apt/signal-desktop.sources;
cat signal-desktop.sources | sudo tee /etc/apt/sources.list.d/signal-desktop.sources > /dev/null
# 3. Update your package database and install Signal:
apt update && apt install -y signal-desktop grub2 linux-image-amd64 linux-headers-amd64 qubes-kernel-vm-support
echo -e "\e[36;1mDEBIAN-13-MINIMAL APP TEMPLATE install successful! Rename template (e.g. d13m-app). Press ENTER to continue or Strg+C to quit... \e[0m"
read
submenu
;;
7)
echo -e "\e[33;1mPreparing MULLVAD-Browser TEMPLATE! The following will happen:
\r- Nescessary packages will be installed from SIGNAL repository.
\rPress Enter to continue or Strg+C to quit... \e[0m"
read
echo
export https_proxy=http://127.0.0.1:8082 http_proxy=http://127.0.0.1:8082
# Download the Mullvad signing key
curl -fsSLo /usr/share/keyrings/mullvad-keyring.asc https://repository.mullvad.net/deb/mullvad-keyring.asc
# Add the Mullvad repository server to apt
echo "deb [signed-by=/usr/share/keyrings/mullvad-keyring.asc arch=$( dpkg --print-architecture )] https://repository.mullvad.net/deb/stable stable main" | tee /etc/apt/sources.list.d/mullvad.list
# Install the package
apt update
apt install -y mullvad-browser grub2 linux-image-amd64 linux-headers-amd64 qubes-kernel-vm-support
echo -e "\e[36;1mDEBIAN-13-MINIMAL APP TEMPLATE install successful! Rename template (e.g. d13m-app). Press ENTER to continue or Strg+C to quit... \e[0m"
read
submenu
;;
8)
echo -e "Back to BASIC TEMPLATE install! \e[0m"
mainmenu
;;
9)
echo -e "Exiting! \e[0m"
exit 0
;;
*)
echo -e "Wrong choice. Choose again! \e[0m"
submenu
;;
esac
}
#start script
mainmenu