#!/bin/bash ####################################################################### # File Name : debian-minimal-arkenfox-named-disposable.sh # Description : This script creates a named disposable Firefox ESR # qube based on Debian minimal template with hardened # user.js, policies and extensions. # Dependencies : curl # Usage : • Transfer this script from appvm to dom0 with: # [user@dom0 ~]$ qvm-run --pass-io appvm 'cat ~/debian-minimal-arkenfox-named-disposable.sh' > ~/debian-minimal-arkenfox-named-disposable.sh # • Make the script executable with: # [user@dom0 ~]$ chmod +x ~/debian-minimal-arkenfox-named-disposable.sh # • Run the script with: # [user@dom0 ~]$ bash ~/debian-minimal-arkenfox-named-disposable.sh # Author : Me and the bois # License : Free of charge, no warranty # Last edited : 2025-11-08 ####################################################################### # Safety check set -eu # Configuration BASE_TEMPLATE="debian-12-minimal" CUSTOM_TEMPLATE="debian-arkenfox-template" DISP_TEMPLATE="debian-arkenfox-template-dvm" NAMED_DISP_VM="disp-arkenfox" NET_VM="sys-firewall" BROWSER_PKG="firefox-esr" # Arkenfox user.js URL (ajust as you need) USER_JS="https://raw.githubusercontent.com/arkenfox/user.js/master/user.js" # USER_JS="https://www.privacy-handbuch.de/download/moderat/user.js" # Generate policies.json content (ajust as you need) generate_policies_json() { cat <<'EOF' { "policies":{ "SSLVersionMin":"tls1.2", "EnableTrackingProtection":{ "Value":true, "Locked":true, "Cryptomining":true, "Fingerprinting":true }, "Cookies":{ "AcceptThirdParty":"never", "Behavior":"reject-tracker-and-partition-foreign", "BehaviorPrivateBrowsing":"reject-tracker-and-partition-foreign", "Locked":false }, "DisabledCiphers":{ "TLS_RSA_WITH_3DES_EDE_CBC_SHA":true }, "Bookmarks":[ { "Title":"Qubes OS forum", "URL":"https://forum.qubes-os.org/", "Favicon":"", "Placement":"toolbar" }, { "Title":"Qubes OS Documentation", "URL":"https://doc.qubes-os.org/en/latest/index.html", "Favicon":"", "Placement":"toolbar" }, { "Title":"Wired", "URL":"https://www.wired.com/", "Favicon":"", "Placement":"toolbar" }, { "Title":"EFF", "URL":"https://www.eff.org/", "Favicon":"", "Placement":"toolbar" }, { "Title":"Internet Archive", "URL":"https://www.archive.org/", "Favicon":"", "Placement":"toolbar" }, { "Title":"Invidious", "URL":"https://docs.invidious.io/instances/", "Favicon":"", "Placement":"toolbar" }, { "Title":"Odysee", "URL":"https://odysee.com/", "Favicon":"", "Placement":"toolbar" }, { "Title":"DNSLeakTest", "URL":"https://dnsleaktest.com/", "Favicon":"", "Placement":"toolbar", "Folder":"Utilities" }, { "Title":"BrowserLeaks", "URL":"https://browserleaks.com", "Favicon":"", "Placement":"toolbar", "Folder":"Utilities" }, { "Title":"LibreTranslate", "URL":"https://libretranslate.com/", "Favicon":"", "Placement":"toolbar", "Folder":"Translators" }, { "Title":"DeepL", "URL":"https://www.deepl.com/en/translator", "Favicon":"", "Placement":"toolbar", "Folder":"Translators" }, { "Title":"dict.cc", "URL":"https://www.dict.cc", "Favicon":"", "Placement":"toolbar", "Folder":"Translators" } ], "AppAutoUpdate":false, "BackgroundAppUpdate":false, "CaptivePortal":false, "DefaultDownloadDirectory":"${home}/Downloads", "DisableAppUpdate":true, "DisableDeveloperTools":false, "DisableEncryptedClientHello":false, "DisableFeedbackCommands":true, "DisableFirefoxAccounts":true, "DisableFirefoxScreenshots":false, "DisableFirefoxStudies":true, "DisableForgetButton":true, "DisableFormHistory":true, "DisableMasterPasswordCreation":true, "DisablePasswordReveal":true, "DisablePocket":true, "DisablePrivateBrowsing":true, "DisableProfileImport":false, "DisableProfileRefresh":true, "DisableSetDesktopBackground":true, "DisableSystemAddonUpdate":true, "DisableTelemetry":true, "DisplayBookmarksToolbar":"newtab", "DisplayMenuBar":"default-off", "DontCheckDefaultBrowser":true, "DownloadDirectory":"${home}/Downloads", "ExtensionUpdate":true, "NetworkPrediction":false, "NoDefaultBookmarks":true, "OfferToSaveLogins":false, "OverrideFirstRunPage":"", "OverridePostUpdatePage":"", "PasswordManagerEnabled":false, "PrintingEnabled":false, "PromptForDownloadLocation":false, "RequestedLocales":"en-US", "SearchSuggestEnabled":false, "ShowHomeButton":true, "SkipTermsOfUse":true, "TranslateEnabled":false, "UseSystemPrintDialog":false, "PDFjs":{ "Enabled":false, "EnablePermissions":false }, "PictureInPicture":{ "Enabled":false, "Locked":false }, "FirefoxSuggest":{ "WebSuggestions":false, "SponsoredSuggestions":false, "ImproveSuggest":false, "Locked":false }, "DNSOverHTTPS":{ "Enabled":false, "Locked":true }, "UserMessaging":{ "ExtensionRecommendations":false, "FeatureRecommendations":false, "UrlbarInterventions":false, "SkipOnboarding":false, "MoreFromMozilla":false, "FirefoxLabs": false, "Locked":false }, "Permissions":{ "Location":{ "BlockNewRequests":true }, "Camera":{ "BlockNewRequests":true }, "Microphone":{ "BlockNewRequests":true }, "EncryptedMediaExtensions":{ "Enabled":false, "Locked":true } }, "ExtensionSettings":{ "uBlock0@raymondhill.net":{ "installation_mode":"force_installed", "install_url":"https://addons.mozilla.org/firefox/downloads/latest/ublock-origin/latest.xpi" }, "{73a6fe31-595d-460b-a920-fcc0f8843232}":{ "installation_mode":"force_installed", "install_url":"https://addons.mozilla.org/firefox/downloads/latest/noscript/latest.xpi" } }, "3rdparty":{ "Extensions":{ "uBlock0@raymondhill.net":{ "adminSettings":{ "advancedSettings":[ [ "disableWebAssembly", "true" ] ], "advancedUserEnabled":"true", "externalLists":[ "https://raw.githubusercontent.com/AdguardTeam/FiltersRegistry/master/filters/filter_17_TrackParam/filter.txt", "https://raw.githubusercontent.com/DandelionSprout/adfilt/master/LegitimateURLShortener.txt" ], "importedLists":[ "https://raw.githubusercontent.com/AdguardTeam/FiltersRegistry/master/filters/filter_17_TrackParam/filter.txt", "https://raw.githubusercontent.com/DandelionSprout/adfilt/master/LegitimateURLShortener.txt" ], "dynamicFilteringEnabled":"true", "dynamicFilteringString":"* google-analytics.com * block\n* googletagmanager.com * block\n* * 3p-script block*\n* * 3p-frame block", "popupPanelSections":"31", "hostnameSwitchesString":"no-large-media: behind-the-scene false\nno-csp-reports: * true", "userFilters":"! fonts\n!*$font,third-party\n!*$font,third-party,domain=~example.com|~example2.net\n\n! all stackoverflow annoying consent banners\n##.js-consent-banner\n\n! some annoying banners\n##.banner > [href]\n", "selectedFilterLists":[ "ublock-quick-fixes", "user-filters", "ublock-filters", "ublock-badware", "ublock-privacy", "ublock-abuse", "ublock-unbreak", "adguard-generic", "adguard-mobile", "easylist", "easyprivacy", "urlhaus-1", "adguard-annoyance", "fanboy-annoyance", "ublock-annoyances", "plowe-0", "https://raw.githubusercontent.com/AdguardTeam/FiltersRegistry/master/filters/filter_17_TrackParam/filter.txt", "https://raw.githubusercontent.com/DandelionSprout/adfilt/master/LegitimateURLShortener.txt" ] } } } }, "FirefoxHome":{ "Highlights":false, "Pocket":false, "Search":false, "Snippets":false, "SponsoredPocket":false, "SponsoredStories":false, "SponsoredTopSites":false, "Stories":false, "TopSites":false, "Locked":true }, "GenerativeAI": { "Enabled":false, "Chatbot":false, "LinkPreviews":false, "TabGroups":false, "Locked":false }, "HardwareAcceleration":false, "Homepage":{ "URL":"about:blank", "Locked":false, "StartPage":"none" }, "SearchEngines":{ "Add":[ { "Name": "DuckDuckGo Lite", "Alias": "@duckduckgo", "Method": "POST", "URLTemplate": "https://start.duckduckgo.com/lite/?q={searchTerms}", "PostData": "q={searchTerms}", "IconURL": "" }, { "Name":"DuckDuckGo Custom", "Alias":"@custom", "Method": "POST", "URLTemplate":"https://duckduckgo.com/?q={searchTerms}&kl=wt-wt&kp=-2&kg=p&k5=1&kae=d&ks=l&k1=-1", "PostData": "q={searchTerms}", "IconURL":"" }, { "Name":"SearXNG - searx.be", "Alias":"@searx", "Method":"POST", "URLTemplate":"https://searx.be/?q={searchTerms}", "PostData": "q={searchTerms}&category_general=on", "IconURL":"" }, { "Name":"Qwant", "Alias":"@qwant", "Method":"GET", "URLTemplate":"https://www.qwant.com/?q={searchTerms}", "IconURL":"" }, { "Name": "MetaGer", "Alias": "@metager", "Method": "GET", "URLTemplate": "https://metager.org/meta/meta.ger3?eingabe={searchTerms}", "IconURL": "" }, { "Name": "Mojeek", "Alias": "@mojeek", "Method": "GET", "URLTemplate": "https://www.mojeek.com/search?q={searchTerms}", "IconURL": "" }, { "Name":"Startpage", "Alias":"@startpage", "URLTemplate":"https://www.startpage.com/sp/search?query={searchTerms}", "Method":"GET", "IconURL":"" }, { "Name":"Brave Search", "Alias":"@brave", "Method":"GET", "URLTemplate":"https://search.brave.com/search?q={searchTerms}", "IconURL":"" }, { "Name":"LibreTranslate", "Alias":"@libre", "Method":"GET", "URLTemplate":"https://libretranslate.com/?source=de&target=en&q={searchTerms}", "IconURL":"" }, { "Name":"DeepL", "Alias":"@deepl", "Method":"GET", "URLTemplate":"https://deepl.com/en/translator#de/en/{searchTerms}", "IconURL":"" }, { "Name":"dict.cc", "Alias":"@dict", "Method":"GET", "URLTemplate":"https://www.dict.cc/?s={searchTerms}", "IconURL":"" } ], "Remove":[ "Google", "Bing", "Amazon.com", "eBay", "Ecosia", "Twitter", "Wikipedia" ], "Default":"DuckDuckGo" }, "Preferences":{ "dom.disable_window_flip":{ "Value":true, "Status":"user" }, "dom.disable_window_move_resize":{ "Value":true, "Status":"user" }, "extensions.htmlaboutaddons.recommendations.enabled":{ "Value":false, "Status":"user" }, "security.default_personal_cert":{ "Value":"Ask Every Time", "Status":"user" }, "browser.contentblocking.category":{ "Value":"strict", "Status":"user" }, "browser.search.update":{ "Value":false, "Status":"user" }, "accessibility.force_disabled":{ "Value":1, "Status":"user" }, "browser.tabs.warnOnClose":{ "Value":false, "Status":"user" }, "ui.systemUsesDarkTheme":{ "Value":1, "Status":"user" }, "extensions.activeThemeID":{ "Value":"firefox-compact-dark@mozilla.org", "Status":"user" }, "browser.theme.dark-private-windows":{ "Value":true, "Status":"user" }, "layout.css.light-dark.enabled":{ "Value":true, "Status":"user" }, "widget.non-native-theme.scrollbar.dark-themed":{ "Value":true, "Status":"user" }, "browser.in-content.dark-mode":{ "Value":true, "Status":"user" }, "widget.disable-dark-scrollbar":{ "Value":false, "Status":"user" }, "browser.theme.dark-toolbar-theme":{ "Value":true, "Status":"user" }, "browser.theme.toolbar-theme":{ "Value":1, "Status":"user" } } } } EOF } # Step 1: Install and update the Qubes Template echo -e "\n[1/6] Checking for Qubes template..." if ! qvm-check "$BASE_TEMPLATE" 2>/dev/null; then echo "Installing $BASE_TEMPLATE..." sudo qubes-dom0-update qubes-template-$BASE_TEMPLATE fi # Ensure template is shut down before updating qvm-shutdown --wait "$BASE_TEMPLATE" 2>/dev/null || true # Update the template whether it was just installed or already existed echo "Updating $BASE_TEMPLATE..." sudo qubesctl --show-output --skip-dom0 --targets=$BASE_TEMPLATE state.sls update.qubes-vm # Ensure Qubes base template is shut down before create qvm-shutdown --wait "$BASE_TEMPLATE" 2>/dev/null || true # Step 2: Create custom base template echo -e "\n[2/6] Creating custom template by cloning..." qvm-clone "$BASE_TEMPLATE" "$CUSTOM_TEMPLATE" qvm-prefs "$CUSTOM_TEMPLATE" label black # Step 3: Install dependencies echo -e "\n[3/6] Installing dependencies..." qvm-run -p -u root "$CUSTOM_TEMPLATE" "echo 'TERM=xterm' >> /etc/environment" qvm-run -p -u root "$CUSTOM_TEMPLATE" "sed -i 's/^# *\(en_US.UTF-8\)/\1/' /etc/locale.gen" qvm-run -p -u root "$CUSTOM_TEMPLATE" "locale-gen" qvm-run -p -u root "$CUSTOM_TEMPLATE" " apt-get update && apt-get install -y --no-install-recommends \ dialog \ qubes-core-agent-networking \ ca-certificates \ pulseaudio-qubes \ curl \ thunar \ qubes-core-agent-thunar \ xfce4-terminal \ qubes-core-agent-passwordless-root \ $BROWSER_PKG " # Shutdown template to apply changes qvm-shutdown --wait "$CUSTOM_TEMPLATE" # Step 4: Configure Firefox in the custom template echo -e "\n[4/7] Configuring Firefox..." # Download user.js echo "Downloading user.js..." qvm-run -p "$CUSTOM_TEMPLATE" "curl --tlsv1.2 -x http://127.0.0.1:8082/ -L '$USER_JS' -o /tmp/user.js" # Create directories qvm-run -p -u root "$CUSTOM_TEMPLATE" "mkdir -p /usr/lib/firefox-esr/defaults/pref /usr/lib/firefox-esr/distribution" # Create firefox.cfg qvm-run -p -u root "$CUSTOM_TEMPLATE" " echo '// IMPORTANT: Start your code on the 2nd line' > /usr/lib/firefox-esr/firefox.cfg grep -E '^user_pref\(' /tmp/user.js | grep -v '^//' | sed 's/user_pref/pref/' >> /usr/lib/firefox-esr/firefox.cfg " # Create autoconfig.js qvm-run -p -u root "$CUSTOM_TEMPLATE" " echo '// Enable autoconfig' > /usr/lib/firefox-esr/defaults/pref/autoconfig.js echo 'pref(\"general.config.filename\", \"firefox.cfg\");' >> /usr/lib/firefox-esr/defaults/pref/autoconfig.js echo 'pref(\"general.config.obscure_value\", 0);' >> /usr/lib/firefox-esr/defaults/pref/autoconfig.js " # Create policies.json with the full configuration echo "Creating policies.json..." generate_policies_json | qvm-run -p -u root "$CUSTOM_TEMPLATE" "cat > /usr/lib/firefox-esr/distribution/policies.json" # Set permissions qvm-run -p -u root "$CUSTOM_TEMPLATE" " chmod 644 /usr/lib/firefox-esr/firefox.cfg \ /usr/lib/firefox-esr/defaults/pref/autoconfig.js \ /usr/lib/firefox-esr/distribution/policies.json " # Finalize Firefox configuration echo "Firefox configuration completed..." qvm-run -p "$CUSTOM_TEMPLATE" "rm -f /tmp/user.js" qvm-shutdown --wait "$CUSTOM_TEMPLATE" # Step 5: Create DVM template based on custom template echo -e "\n[5/7] Creating DVM template..." qvm-create --template "$CUSTOM_TEMPLATE" --label red "$DISP_TEMPLATE" qvm-prefs "$DISP_TEMPLATE" template_for_dispvms True # Step 6: Create named disposable VM instance echo -e "\n[6/7] Creating named disposable VM instance..." qvm-create --class DispVM --template "$DISP_TEMPLATE" --label red \ --property netvm="$NET_VM" \ --property include_in_backups=False \ "$NAMED_DISP_VM" qvm-features "$NAMED_DISP_VM" appmenus-dispvm 1 # Step 7: Configure menu items echo -e "\n[7/7] Configuring menu items..." qvm-features "$CUSTOM_TEMPLATE" menu-items "debian-xterm.desktop xfce4-terminal.desktop" qvm-features "$NAMED_DISP_VM" menu-items "firefox-esr.desktop thunar.desktop xfce4-terminal.desktop" # Finalize echo -e "\nFinish!"