Hi folks,
I wrote a little script (dom0-setup.sh) that I use to set up dom0 after a fresh install (run as root). Everything is explained in the script. The main goal is to onionize the repos, add some packages and a little prompt to start VMs as root (I like using templates without “passwordless root”). I keep this script in my home directory so I always have it at hand after a full system restore from a backup.
Feel free to comment. I might add some stuff in the future…
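#!/bin/bash
# dom0-setup.sh -- post-install dom0 configuration. Run as root.
# Manual prerequisite: set updates to use the Whonix gateway in the global
# config (Qubes Manager); the .onion repository URLs below are only reachable
# through Tor.

# Every step of this script writes under /etc or /opt, so stop early with a
# clear message instead of failing on each redirect in turn.
if [ "$(id -u)" -ne 0 ]; then
    echo "dom0-setup.sh: must be run as root" >&2
    exit 1
fi

## Onionize the dom0 repositories.
# Transport is plain http to an onion service, so package authenticity rests on
# gpgcheck = 1 and the key files already installed under /etc/pki/rpm-gpg.
# Do not relax either setting.
# NOTE(review): confirm the .onion hostname against the address published by
# the Qubes project before trusting it.
# NOTE(review): the fc37 path component is hard-coded -- presumably it matches
# the release this was written for; verify after a release upgrade.
dom0_repo=/etc/yum.repos.d/qubes-dom0.repo

# Keep one pristine copy of the vendor file so the change can be rolled back.
# The copy does not end in .repo, so it is not read as a repository definition.
if [ -e "$dom0_repo" ] && [ ! -e "$dom0_repo.orig" ]; then
    cp -p -- "$dom0_repo" "$dom0_repo.orig"
fi

# The delimiter is quoted so $releasever is written literally and left for the
# package manager to expand.
cat <<- 'EOF' > "$dom0_repo"
[qubes-dom0-current]
name = Qubes Host Repository (updates)
#baseurl = https://yum.qubes-os.org/r$releasever/current/host/fc37
baseurl = http://yum.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r$releasever/current/host/fc37
#metalink = https://yum.qubes-os.org/r$releasever/current/host/fc37/repodata/repomd.xml.metalink
skip_if_unavailable=False
enabled = 1
metadata_expire = 6h
gpgcheck = 1
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-qubes-$releasever-primary
[qubes-dom0-current-testing]
name = Qubes Host Repository (updates-testing)
#baseurl = https://yum.qubes-os.org/r$releasever/current-testing/host/fc37
baseurl = http://yum.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r$releasever/current-testing/host/fc37
#metalink = https://yum.qubes-os.org/r$releasever/current-testing/host/fc37/repodata/repomd.xml.metalink
skip_if_unavailable=False
enabled = 0
metadata_expire = 6h
gpgcheck = 1
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-qubes-$releasever-primary
[qubes-dom0-security-testing]
name = Qubes Host Repository (security-testing)
#baseurl = https://yum.qubes-os.org/r$releasever/security-testing/host/fc37
baseurl = http://yum.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r$releasever/security-testing/host/fc37
#metalink = https://yum.qubes-os.org/r$releasever/security-testing/host/fc37/repodata/repomd.xml.metalink
skip_if_unavailable=False
enabled = 0
metadata_expire = 6h
gpgcheck = 1
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-qubes-$releasever-primary
[qubes-dom0-unstable]
name = Qubes Host Repository (unstable)
#baseurl = https://yum.qubes-os.org/r$releasever/unstable/host/fc37
baseurl = http://yum.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r$releasever/unstable/host/fc37
#metalink = https://yum.qubes-os.org/r$releasever/unstable/host/fc37/repodata/repomd.xml.metalink
skip_if_unavailable=False
enabled = 0
metadata_expire = 6h
gpgcheck = 1
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-qubes-$releasever-unstable
EOF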
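## Onionize the template repositories.
# As with the dom0 repos, the baseurl is plain http to an onion service and
# template authenticity rests on gpgcheck = 1 plus the key files under
# /etc/qubes/repo-templates/keys. Do not relax either setting.
# NOTE(review): both *-testing template repos are written with enabled = 1,
# whereas the dom0 testing repos in qubes-dom0.repo are written with
# enabled = 0. Set them to 0 unless installing templates from testing is
# intended. The community repos are enabled as well; keep them on only if you
# install community-maintained templates.
tmpl_repo=/etc/qubes/repo-templates/qubes-templates.repo

# Keep one pristine copy of the vendor file so the change can be rolled back.
if [ -e "$tmpl_repo" ] && [ ! -e "$tmpl_repo.orig" ]; then
    cp -p -- "$tmpl_repo" "$tmpl_repo.orig"
fi

# The delimiter is quoted so $releasever is written literally, not expanded by
# this shell.
cat <<- 'EOF' > "$tmpl_repo"
[qubes-templates-itl]
name = Qubes Templates repository
#baseurl = https://yum.qubes-os.org/r$releasever/templates-itl
baseurl = http://yum.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r$releasever/templates-itl
#metalink = https://yum.qubes-os.org/r$releasever/templates-itl/repodata/repomd.xml.metalink
enabled = 1
fastestmirror = 1
metadata_expire = 7d
gpgcheck = 1
gpgkey = file:///etc/qubes/repo-templates/keys/RPM-GPG-KEY-qubes-$releasever-primary
[qubes-templates-itl-testing]
name = Qubes Templates repository
#baseurl = https://yum.qubes-os.org/r$releasever/templates-itl-testing
baseurl = http://yum.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r$releasever/templates-itl-testing
#metalink = https://yum.qubes-os.org/r$releasever/templates-itl-testing/repodata/repomd.xml.metalink
enabled = 1
fastestmirror = 1
metadata_expire = 7d
gpgcheck = 1
gpgkey = file:///etc/qubes/repo-templates/keys/RPM-GPG-KEY-qubes-$releasever-primary
[qubes-templates-community]
name = Qubes Community Templates repository
#baseurl = https://yum.qubes-os.org/r$releasever/templates-community
baseurl = http://yum.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r$releasever/templates-community
#metalink = https://yum.qubes-os.org/r$releasever/templates-community/repodata/repomd.xml.metalink
enabled = 1
fastestmirror = 1
metadata_expire = 7d
gpgcheck = 1
gpgkey = file:///etc/qubes/repo-templates/keys/RPM-GPG-KEY-qubes-$releasever-templates-community
[qubes-templates-community-testing]
name = Qubes Community Templates repository
#baseurl = https://yum.qubes-os.org/r$releasever/templates-community-testing
baseurl = http://yum.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r$releasever/templates-community-testing
#metalink = https://yum.qubes-os.org/r$releasever/templates-community-testing/repodata/repomd.xml.metalink
enabled = 1
fastestmirror = 1
metadata_expire = 7d
gpgcheck = 1
gpgkey = file:///etc/qubes/repo-templates/keys/RPM-GPG-KEY-qubes-$releasever-templates-community
EOF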
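## Let StandaloneVMs and AppVMs use sys-whonix for updates
## (set service "updates-proxy-setup" on those qubes).
policy_file=/etc/qubes/policy.d/30-user.policy

# 30-user.policy is the user's own policy file and the redirect below replaces
# it wholesale. Save any existing content first so hand-written rules are not
# lost. The copy does not end in .policy; the policy loader is expected to
# skip it -- confirm on your release.
if [ -s "$policy_file" ]; then
    cp -p -- "$policy_file" "$policy_file.bak.$(date +%Y%m%d-%H%M%S)"
fi

# Rules are evaluated top to bottom and the first match wins: a call with the
# default target is redirected to sys-whonix, and a call that names any other
# target explicitly falls through to the deny line.
cat <<- 'EOF' > "$policy_file"
qubes.UpdatesProxy * @type:StandaloneVM @default allow target=sys-whonix
qubes.UpdatesProxy * @type:StandaloneVM @anyvm deny
qubes.UpdatesProxy * @type:AppVM @default allow target=sys-whonix
qubes.UpdatesProxy * @type:AppVM @anyvm deny
EOF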
## Extra dom0 packages (adjust the list to your liking).
# Everything installed here runs inside dom0 and enlarges its trusted code
# base, so keep the list as short as you can. -y skips the confirmation prompt.
dom0_packages=(eog gedit gparted gtkhash grub2-xen-pvh)
qubes-dom0-update -y "${dom0_packages[@]}"
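## Install /opt/bin/root-starter: prompts for a qube name and opens a root
## terminal in that qube.
mkdir -p /opt/bin
# /opt/bin is prepended to PATH, so anything placed there shadows system
# commands in every login shell. Keep the directory root-owned and not
# writable by group or others.
# Written with > rather than >> so re-running this script does not stack
# duplicate export lines in the profile snippet.
echo 'export PATH="/opt/bin:$PATH"' > /etc/profile.d/opt-bin.sh
cat <<- 'EOF' > /opt/bin/root-starter
#!/bin/bash
# Ask for a qube name and start xfce4-terminal in it as root.
echo "Which qube do you want to start as root?"
# -r keeps backslashes in the input literal.
read -r qube
# Refuse empty input and anything starting with "-", which qvm-run would
# otherwise parse as an option rather than a qube name.
case "$qube" in
    ''|-*)
        echo "Invalid qube name: '$qube'" >&2
        exit 1
        ;;
esac
# Quoted so the name reaches qvm-run as exactly one argument, with no word
# splitting or glob expansion.
qvm-run -u root "$qube" xfce4-terminal &
EOF
chmod +x /opt/bin/root-starter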
Check out my other little script:
https://forum.qubes-os.org/t/setting-up-debian-12-minimal-and-whonix-17-templates/31181