Setting up dom0 after fresh install - onionizing repos and other little things

Hi folks,

I updated the little script I use to set up dom0 after a fresh install (run it as root). It now runs on R4.3. Everything is explained in the script. The main goal is to onionize the repos, add some packages, and add some useful scripts (COPY STUFF TO VM; WIREGUARD SETUP; ROOT STARTER; SCRIPT INJECTOR; WIRESHARK ROOT STARTER), mainly to handle templates and other VMs as root. I keep this script in my home directory so I always have it at hand after a full system restore from a backup.
Feel free to comment. I might add some stuff in the future…

dom0-setup.sh

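#!/bin/bash
# dom0-setup.sh -- post-install setup for Qubes dom0. Must run as root.
# 1. points the dom0 and template repos at their Tor onion mirrors (the plain
#    http URLs are carried inside Tor's end-to-end encrypted circuit and every
#    package is still verified against the local gpgkey via gpgcheck=1),
# 2. installs a few extra dom0 packages,
# 3. drops helper scripts and .desktop launchers into the primary user's ~/.local.

# Everything below writes to /etc and /home, so fail fast when not root.
if [[ $EUID -ne 0 ]]; then
  printf 'dom0-setup: must be run as root\n' >&2
  exit 1
fi

## onionizing repos
# Quoted delimiter: $releasever is expanded by dnf at use time, not by this shell.
# Note the unstable baseurl points at the unstable path (it used to copy the
# security-testing path by mistake).
cat > /etc/yum.repos.d/qubes-dom0.repo <<'EOF'
[qubes-dom0-current]
name = Qubes Host Repository (updates)
#baseurl = https://yum.qubes-os.org/r$releasever/current/host/fc41
baseurl = http://yum.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r$releasever/current/host/fc41
#metalink = https://yum.qubes-os.org/r$releasever/current/host/fc41/repodata/repomd.xml.metalink
skip_if_unavailable=False
enabled = 1
metadata_expire = 6h
gpgcheck = 1
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-qubes-$releasever-primary

[qubes-dom0-current-testing]
name = Qubes Host Repository (updates-testing)
#baseurl = https://yum.qubes-os.org/r$releasever/current-testing/host/fc41
baseurl = http://yum.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r$releasever/current-testing/host/fc41
#metalink = https://yum.qubes-os.org/r$releasever/current-testing/host/fc41/repodata/repomd.xml.metalink
skip_if_unavailable=False
enabled = 1
metadata_expire = 6h
gpgcheck = 1
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-qubes-$releasever-primary

[qubes-dom0-security-testing]
name = Qubes Host Repository (security-testing)
#baseurl = https://yum.qubes-os.org/r$releasever/security-testing/host/fc41
baseurl = http://yum.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r$releasever/security-testing/host/fc41
#metalink = https://yum.qubes-os.org/r$releasever/security-testing/host/fc41/repodata/repomd.xml.metalink
skip_if_unavailable=False
enabled = 1
metadata_expire = 6h
gpgcheck = 1
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-qubes-$releasever-primary

[qubes-dom0-unstable]
name = Qubes Host Repository (unstable)
#baseurl = https://yum.qubes-os.org/r$releasever/unstable/host/fc41
baseurl = http://yum.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r$releasever/unstable/host/fc41
#metalink = https://yum.qubes-os.org/r$releasever/unstable/host/fc41/repodata/repomd.xml.metalink
skip_if_unavailable=False
enabled = 0
gpgcheck = 1
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-qubes-$releasever-unstable
EOF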


## onionizing the template repos (ITL and community, stable and testing)
# Quoted delimiter: $releasever is expanded by dnf at use time, not by this shell.
# Transport is http over a Tor onion service; package integrity still rests on
# gpgcheck=1 and the per-repo gpgkey files shipped with Qubes.
cat > /etc/qubes/repo-templates/qubes-templates.repo <<'EOF'
[qubes-templates-itl]
name = Qubes Templates repository
#baseurl = https://yum.qubes-os.org/r$releasever/templates-itl
baseurl = http://yum.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r$releasever/templates-itl
#metalink = https://yum.qubes-os.org/r$releasever/templates-itl/repodata/repomd.xml.metalink
enabled = 1
fastestmirror = 1
metadata_expire = 7d
gpgcheck = 1
gpgkey = file:///etc/qubes/repo-templates/keys/RPM-GPG-KEY-qubes-$releasever-primary

[qubes-templates-itl-testing]
name = Qubes Templates repository
#baseurl = https://yum.qubes-os.org/r$releasever/templates-itl-testing
baseurl = http://yum.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r$releasever/templates-itl-testing
#metalink = https://yum.qubes-os.org/r$releasever/templates-itl-testing/repodata/repomd.xml.metalink
enabled = 1
fastestmirror = 1
metadata_expire = 7d
gpgcheck = 1
gpgkey = file:///etc/qubes/repo-templates/keys/RPM-GPG-KEY-qubes-$releasever-primary

[qubes-templates-community]
name = Qubes Community Templates repository
#baseurl = https://yum.qubes-os.org/r$releasever/templates-community
baseurl = http://yum.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r$releasever/templates-community
#metalink = https://yum.qubes-os.org/r$releasever/templates-community/repodata/repomd.xml.metalink
enabled = 1
fastestmirror = 1
metadata_expire = 7d
gpgcheck = 1
gpgkey = file:///etc/qubes/repo-templates/keys/RPM-GPG-KEY-qubes-$releasever-templates-community

[qubes-templates-community-testing]
name = Qubes Community Templates repository
#baseurl = https://yum.qubes-os.org/r$releasever/templates-community-testing
baseurl = http://yum.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r$releasever/templates-community-testing
#metalink = https://yum.qubes-os.org/r$releasever/templates-community-testing/repodata/repomd.xml.metalink
enabled = 1
fastestmirror = 1
metadata_expire = 7d
gpgcheck = 1
gpgkey = file:///etc/qubes/repo-templates/keys/RPM-GPG-KEY-qubes-$releasever-templates-community
EOF


## update policy: StandaloneVMs and AppVMs fetch their updates through sys-whonix
# For each @type the first rule pins the default proxy target to sys-whonix and
# the second denies any other explicitly named target.
cat > /etc/qubes/policy.d/30-user.policy <<'EOF'
qubes.UpdatesProxy * @type:StandaloneVM @default allow target=sys-whonix
qubes.UpdatesProxy * @type:StandaloneVM @anyvm deny
qubes.UpdatesProxy * @type:AppVM @default allow target=sys-whonix
qubes.UpdatesProxy * @type:AppVM @anyvm deny
EOF


## installing some useful packages to dom0
dom0_packages=(eog gedit google-authenticator gparted gtkhash grub2-xen-pvh keepassxc ykpers xpad)
qubes-dom0-update -y "${dom0_packages[@]}"


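###### some useful scripts ##########
####################################
# Helpers are installed for the primary (uid 1000) user. Stop if that account
# does not resolve, otherwise every path below would degrade to /home//.local.
USER_NAME=$(id -nu 1000) || exit 1
: "${USER_NAME:?no user with uid 1000}"
# -p makes re-runs idempotent and creates the .local parent when missing.
mkdir -p -- "/home/$USER_NAME/.local/bin" "/home/$USER_NAME/.local/share/applications"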

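## copy-stuff-to-vm: copy files from dom0 (e.g. screenshots) to a VM picked from a list
cat > "/home/$USER_NAME/.local/bin/copy-stuff-to-vm" <<'EOF'
#!/bin/bash
# Pick one or more dom0 files, then pick a VM, and copy the files into it.
FILE=$(GTK_THEME=Adwaita:dark zenity --file-selection --multiple --title="Choose files you want to copy to VM!")
# Cancelled dialog: nothing to do.
[[ -n "$FILE" ]] || exit 0
# zenity --multiple joins the selections with its default '|' separator; split on
# that instead of on whitespace so paths with spaces survive and several files
# are passed as separate arguments.
IFS='|' read -r -a files <<<"$FILE"
QUBE=$(qvm-ls --raw-list | GTK_THEME=Adwaita:dark zenity --list --title="Choose VM you want to copy files to!" --column="..." --height=400 --width=400 --print-column=1)
[[ -n "$QUBE" ]] || exit 0
qvm-copy-to-vm "$QUBE" "${files[@]}"
EOF
chmod +x "/home/$USER_NAME/.local/bin/copy-stuff-to-vm"
# desktop entry: Type=Application is the valid freedesktop type; the absolute Exec
# path keeps the launcher working even when ~/.local/bin is not on PATH
cat > "/home/$USER_NAME/.local/share/applications/x-copy-stuff-to-vm.desktop" <<EOF
[Desktop Entry]
Name=COPY STUFF TO VM
Type=Application
Terminal=false
Exec=/home/$USER_NAME/.local/bin/copy-stuff-to-vm
Icon=/usr/share/icons/Mint-X/actions/48/document-export.png
EOF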


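## root-starter: open a root terminal in a VM picked from a list
cat > "/home/$USER_NAME/.local/bin/root-starter" <<'EOF'
#!/bin/bash
# Pick a VM and start xfce4-terminal in it as root.
QUBE=$(qvm-ls --raw-list | GTK_THEME=Adwaita:dark zenity --list --title="Choose VM you want to run as root!" --column="..." --height=400 --width=400 --print-column=1)
# Without this guard a cancelled dialog would make qvm-run treat "xfce4-terminal"
# as the VM name.
[[ -n "$QUBE" ]] || exit 0
qvm-run -u root "$QUBE" xfce4-terminal
EOF
chmod +x "/home/$USER_NAME/.local/bin/root-starter"
# desktop entry: Type=Application is the valid freedesktop type; the absolute Exec
# path keeps the launcher working even when ~/.local/bin is not on PATH
cat > "/home/$USER_NAME/.local/share/applications/x-root-starter.desktop" <<EOF
[Desktop Entry]
Name=ROOT STARTER
Type=Application
Terminal=false
Exec=/home/$USER_NAME/.local/bin/root-starter
Icon=/usr/share/icons/Mint-X/actions/48/media-playback-start.png
EOF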


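## script-injector: copy a script from dom0 into a VM and run it there as root
cat > "/home/$USER_NAME/.local/bin/script-injector" <<'EOF'
#!/bin/bash
# Pick a dom0 script and a VM; copy the script over and run it as root in an
# xterm inside the VM, then clean up the transfer directory and power off.
FILE=$(GTK_THEME=Adwaita:dark zenity --file-selection --title="Choose script you want to run in VM!")
[[ -n "$FILE" ]] || exit 0
QUBE=$(qvm-ls --raw-list | GTK_THEME=Adwaita:dark zenity --list --title="Choose VM you want to run the script in!" --column="..." --height=400 --width=400 --print-column=1)
[[ -n "$QUBE" ]] || exit 0
# Stage the copy in a private temp dir rather than the launcher's cwd, so an
# unrelated injection.sh there is never clobbered or picked up; the file keeps
# its basename on the VM side (QubesIncoming/dom0/injection.sh).
tmpdir=$(mktemp -d) || exit 1
trap 'rm -rf -- "$tmpdir"' EXIT
cp -- "$FILE" "$tmpdir/injection.sh"
chmod +x "$tmpdir/injection.sh"
qvm-copy-to-vm "$QUBE" "$tmpdir/injection.sh"
# On success the VM removes the transfer directory and powers off; on any
# failure the trailing "bash" leaves an interactive shell open for inspection.
qvm-run -u root "$QUBE" xterm -e "bash /home/user/QubesIncoming/dom0/injection.sh && rm /home/user/QubesIncoming/dom0/*.* && rmdir /home/user/QubesIncoming/dom0 && poweroff; bash"
EOF
chmod +x "/home/$USER_NAME/.local/bin/script-injector"
# desktop entry: Type=Application is the valid freedesktop type; the absolute Exec
# path keeps the launcher working even when ~/.local/bin is not on PATH
cat > "/home/$USER_NAME/.local/share/applications/x-script-injector.desktop" <<EOF
[Desktop Entry]
Name=SCRIPT INJECTOR
Type=Application
Terminal=false
Exec=/home/$USER_NAME/.local/bin/script-injector
Icon=/usr/share/icons/Mint-X/actions/48/document-import.png
EOF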


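## template-updater: start the update scripts in the waydroid and flatpak templates
## from dom0. only works when `waydroid-upgrade` / `flatpak-update` exist inside
## the chosen templates.
cat > "/home/$USER_NAME/.local/bin/template-updater" <<'EOF'
#!/bin/bash
# Pick the waydroid template, then the flatpak template, and launch each
# template's own update script as root; each template powers off afterwards.
all_vms=$(qvm-ls --raw-list)

# pick TITLE -- show the VM list under TITLE and print the chosen name.
pick() {
  printf '%s\n' "$all_vms" | GTK_THEME=Adwaita:dark zenity --list --title="$1" --column="..." --height=400 --width=400 --print-column=1
}

# A cancelled dialog yields an empty name; skip that step instead of handing
# qvm-run a malformed argument list.
WAYDROID=$(pick "Choose WAYDROID template you want to update!")
if [[ -n "$WAYDROID" ]]; then
  qvm-run -u root "$WAYDROID" xfce4-terminal --command="bash -c 'waydroid-upgrade && poweroff'" &
fi
FLATPAK=$(pick "Choose FLATPAK template you want to update!")
if [[ -n "$FLATPAK" ]]; then
  qvm-run -u root "$FLATPAK" xfce4-terminal --command="bash -c 'flatpak-update && poweroff'" &
fi
exit 0
EOF
chmod +x "/home/$USER_NAME/.local/bin/template-updater"
# desktop entry: Type=Application is the valid freedesktop type; the absolute Exec
# path keeps the launcher working even when ~/.local/bin is not on PATH
cat > "/home/$USER_NAME/.local/share/applications/x-template-updater.desktop" <<EOF
[Desktop Entry]
Name=TEMPLATE UPDATER
Type=Application
Terminal=false
Exec=/home/$USER_NAME/.local/bin/template-updater
Icon=/usr/share/icons/Mint-X/actions/48/object-rotate-left.png
EOF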


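## wireguard-setup: set up your VPN service qube. only works when a corresponding
## `wireguard-setup` script exists inside the chosen qube's template.
cat > "/home/$USER_NAME/.local/bin/wireguard-setup" <<'EOF'
#!/bin/bash
# Pick the VPN service qube, enable its internal firewall, then run the in-qube
# setup script as root in a terminal and power the qube off when it finishes.
QUBE=$(qvm-ls --raw-list | GTK_THEME=Adwaita:dark zenity --list --title="Choose VPN service qube you want to setup!" --column="..." --height=400 --width=400 --print-column=1)
# Cancelled dialog: do not touch any qube.
[[ -n "$QUBE" ]] || exit 0
# enable the qubes-firewall service inside the service qube
qvm-service "$QUBE" --enable qubes-firewall
# run the setup script inside the service qube
qvm-run -u root "$QUBE" xfce4-terminal --command="bash -c 'wireguard-setup && poweroff'" &
EOF
chmod +x "/home/$USER_NAME/.local/bin/wireguard-setup"
# desktop entry: Type=Application is the valid freedesktop type; the absolute Exec
# path keeps the launcher working even when ~/.local/bin is not on PATH
cat > "/home/$USER_NAME/.local/share/applications/x-wireguard-setup.desktop" <<EOF
[Desktop Entry]
Name=WIREGUARD SETUP
Type=Application
Terminal=false
Exec=/home/$USER_NAME/.local/bin/wireguard-setup
Icon=/usr/share/icons/Mint-X/apps/48/cs-privacy.png
EOF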


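## wireshark-root-starter: start wireshark as root in a VM picked from dom0
cat > "/home/$USER_NAME/.local/bin/wireshark-root-starter" <<'EOF'
#!/bin/bash
# Pick a VM and launch wireshark in it as root.
# The dialog title used to be copied from copy-stuff-to-vm; it now says what
# this launcher actually does.
QUBE=$(qvm-ls --raw-list | GTK_THEME=Adwaita:dark zenity --list --title="Choose VM you want to run Wireshark in as root!" --column="..." --height=400 --width=400 --print-column=1)
# Without this guard a cancelled dialog would make qvm-run treat "wireshark" as
# the VM name.
[[ -n "$QUBE" ]] || exit 0
qvm-run -u root "$QUBE" wireshark
EOF
chmod +x "/home/$USER_NAME/.local/bin/wireshark-root-starter"
# desktop entry: Type=Application is the valid freedesktop type; the absolute Exec
# path keeps the launcher working even when ~/.local/bin is not on PATH
cat > "/home/$USER_NAME/.local/share/applications/x-wireshark-root-starter.desktop" <<EOF
[Desktop Entry]
Name=WIRESHARK ROOT STARTER
Type=Application
Terminal=false
Exec=/home/$USER_NAME/.local/bin/wireshark-root-starter
Icon=/usr/share/icons/Mint-X/apps/48/wireshark.png
EOF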


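# Everything above was written by root; hand ~/.local back to the user so the
# launchers and scripts are theirs. :? refuses to run against /home//.local if
# USER_NAME is somehow empty.
chown -R -- "${USER_NAME:?}:${USER_NAME:?}" "/home/$USER_NAME/.local/"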

Check out my other little script:
https://forum.qubes-os.org/t/setting-up-debian-13-minimal-templates-with-bash-script/36004
