From df13ca77589edf1f724bae960e9ef284c79fc5b5 Mon Sep 17 00:00:00 2001 
From: Brian Zalewski
Date: Tue, 6 Dec 2022 08:59:10 +0000
Subject: [PATCH] Update .local/share/chezmoi/home/.chezmoiscripts/qubes/run_onchange_before_12-update-dom0, .local/share/chezmoi/home/.chezmoiscripts/qubes/run_onchange_before_11-update-timezone, .local/share/chezmoi/system/etc/yum.repos.d/qubes-dom0.repo, .local/share/chezmoi/system/etc/qubes/repo-templates/qubes-templates.repo, .local/share/chezmoi/home/.chezmoiscripts/qubes/run_onchange_before_13-install-official-templates, .local/share/chezmoi/home/.chezmoidata.yaml, .local/share/chezmoi/home/.chezmoiscripts/qubes/run_onchange_before_14-ensure-minimal-vms-passwordless, .local/share/chezmoi/home/.chezmoiscripts/qubes/run_onchange_before_15-install-unofficial-templates, .local/share/chezmoi/home/.chezmoiscripts/qubes/run_onchange_before_16-update-template-vms, .local/share/chezmoi/home/.chezmoiscripts/qubes/run_onchange_before_17-install-mirage-firewall, .local/share/chezmoi/home/.chezmoiscripts/qubes/run_onchange_before_18-configure-sys-usb, .local/share/chezmoi/home/.chezmoiscripts/qubes/run_onchange_before_19-setup-sys-gui, .local/share/chezmoi/system/etc/grub.d/31-hold-shift, .local/share/chezmoi/system/etc/default/modify_grub, .local/share/chezmoi/system/.chezmoidata.yaml, .local/share/chezmoi/system/.chezmoiexternal.toml, .local/share/chezmoi/system/usr/share/run_onchange_after_setup-share-folder, .local/share/chezmoi/system/boot/efi/EFI/qubes/modify_grubenv, .local/share/chezmoi/system/etc/sddm.conf, .local/share/chezmoi/system/etc/modify_environment
---
 .local/share/chezmoi/home/.chezmoidata.yaml | 24 +++++
 .../run_onchange_before_11-update-timezone | 5 ++
 .../qubes/run_onchange_before_12-update-dom0 | 11 +++
 ...hange_before_13-install-official-templates | 9 ++
 ..._before_14-ensure-minimal-vms-passwordless | 15 ++++
 ...nge_before_15-install-unofficial-templates | 21 +++++
 ...run_onchange_before_16-update-template-vms | 5 ++
 ...onchange_before_17-install-mirage-firewall | 21 +++++
 .../run_onchange_before_18-configure-sys-usb | 24 +++++
 .../run_onchange_before_19-setup-sys-gui | 26 ++++++
 .local/share/chezmoi/system/.chezmoidata.yaml | 4 +
 .../chezmoi/system/.chezmoiexternal.toml | 89 +++++++++++++++++++
 .../system/boot/efi/EFI/qubes/modify_grubenv | 4 +
 .../chezmoi/system/etc/default/modify_grub | 54 +++++++++++
 .../grub.d/{31_hold-shift => 31-hold-shift} | 0
 .../chezmoi/system/etc/modify_environment | 9 ++
 .../qubes/repo-templates/qubes-templates.repo | 41 +++++++++
 .local/share/chezmoi/system/etc/sddm.conf | 0
 .../system/etc/yum.repos.d/qubes-dom0.repo | 42 +++++++++
 .../run_onchange_after_setup-share-folder | 13 +++
 20 files changed, 417 insertions(+)
 create mode 100644 .local/share/chezmoi/home/.chezmoiscripts/qubes/run_onchange_before_11-update-timezone
 create mode 100644 .local/share/chezmoi/home/.chezmoiscripts/qubes/run_onchange_before_12-update-dom0
 create mode 100644 .local/share/chezmoi/home/.chezmoiscripts/qubes/run_onchange_before_13-install-official-templates
 create mode 100644 .local/share/chezmoi/home/.chezmoiscripts/qubes/run_onchange_before_14-ensure-minimal-vms-passwordless
 create mode 100644 .local/share/chezmoi/home/.chezmoiscripts/qubes/run_onchange_before_15-install-unofficial-templates
 create mode 100644 .local/share/chezmoi/home/.chezmoiscripts/qubes/run_onchange_before_16-update-template-vms
 create mode 100644 .local/share/chezmoi/home/.chezmoiscripts/qubes/run_onchange_before_17-install-mirage-firewall
 create mode 100644 .local/share/chezmoi/home/.chezmoiscripts/qubes/run_onchange_before_18-configure-sys-usb
 create mode 100644 .local/share/chezmoi/home/.chezmoiscripts/qubes/run_onchange_before_19-setup-sys-gui
 create mode 100644 .local/share/chezmoi/system/.chezmoidata.yaml
 create mode 100644 .local/share/chezmoi/system/boot/efi/EFI/qubes/modify_grubenv
 create mode 100644 .local/share/chezmoi/system/etc/default/modify_grub
 rename .local/share/chezmoi/system/etc/grub.d/{31_hold-shift => 31-hold-shift} (100%)
 create mode 100644 .local/share/chezmoi/system/etc/modify_environment
 create mode 100644 .local/share/chezmoi/system/etc/qubes/repo-templates/qubes-templates.repo
 create mode 100644 .local/share/chezmoi/system/etc/sddm.conf
 create mode 100644 .local/share/chezmoi/system/etc/yum.repos.d/qubes-dom0.repo
 create mode 100644 .local/share/chezmoi/system/usr/share/run_onchange_after_setup-share-folder
diff --git a/.local/share/chezmoi/home/.chezmoidata.yaml b/.local/share/chezmoi/home/.chezmoidata.yaml
index 4cc40362..77d40e51 100644
--- a/.local/share/chezmoi/home/.chezmoidata.yaml
+++ b/.local/share/chezmoi/home/.chezmoidata.yaml
@@ -846,3 +846,27 @@ softwarePlugins:
 - https://github.com/tpope/vim-sensible.git
 - https://github.com/tpope/vim-surround.git
 - https://github.com/nanotee/zoxide.vim.git
+qubes:
+ mirageUrl: https://github.com/mirage/qubes-mirage-firewall/releases/latest/download/mirage-firewall.tar.bz2
+ promptKeyboards: false
+ provisionVM: provision
+ templates:
+ # - centos-8
+ # - centos-8-minimal
+ # - debian-10
+ - debian-11
+ - debian-11-minimal
+ - fedora-32
+ - fedora-36
+ - fedora-36-minimal
+ - fedora-36-xfce
+ - fedora-37
+ # - gentoo
+ # - gentoo-minimal
+ # - kali
+ - whonix-gw-16
+ - whonix-ws-16
+ templatesUnofficial:
+ - https://qubes.3isec.org/Templates_4.1/qubes-template-archlinux-4.0.6-202204171510.noarch.rpm
+ - https://qubes.3isec.org/Templates_4.1/qubes-template-debian-12-4.0.6-202208292254.noarch.rpm
+ - https://qubes.3isec.org/Templates_4.1/qubes-template-jammy-4.0.6-202205012228.noarch.rpm
diff --git a/.local/share/chezmoi/home/.chezmoiscripts/qubes/run_onchange_before_11-update-timezone b/.local/share/chezmoi/home/.chezmoiscripts/qubes/run_onchange_before_11-update-timezone
new file mode 100644
index 00000000..92edba23
--- /dev/null
+++ b/.local/share/chezmoi/home/.chezmoiscripts/qubes/run_onchange_before_11-update-timezone
@@ -0,0 +1,5 @@
+#!/usr/bin/env bash
+
+### Update timezone
+logg info "Setting timezone to {{ .user.timezone }}"
+timedatectl set-timezone {{ .user.timezone }}
diff --git a/.local/share/chezmoi/home/.chezmoiscripts/qubes/run_onchange_before_12-update-dom0 b/.local/share/chezmoi/home/.chezmoiscripts/qubes/run_onchange_before_12-update-dom0
new file mode 100644
index 00000000..f592d94e
--- /dev/null
+++ b/.local/share/chezmoi/home/.chezmoiscripts/qubes/run_onchange_before_12-update-dom0
@@ -0,0 +1,11 @@
+#!/usr/bin/env bash
+
+### Update dom0
+logg info 'Updating dom0 via `qubesctl`'
+sudo qubesctl --show-output state.sls update.qubes-dom0
+logg info 'Updating dom0 via `qubes-dom0-update`'
+sudo qubes-dom0-update --clean -y
+
+### Ensure sys-whonix is running
+logg info 'Ensuring `sys-whonix` is running'
+qvm-start sys-whonix --skip-if-running
diff --git a/.local/share/chezmoi/home/.chezmoiscripts/qubes/run_onchange_before_13-install-official-templates b/.local/share/chezmoi/home/.chezmoiscripts/qubes/run_onchange_before_13-install-official-templates
new file mode 100644
index 00000000..1278b868
--- /dev/null
+++ b/.local/share/chezmoi/home/.chezmoiscripts/qubes/run_onchange_before_13-install-official-templates
@@ -0,0 +1,9 @@
+#!/usr/bin/env bash
+
+### Ensure Qubes templates exist and download if they are not present
+for TEMPLATE of {{ .qubes.templates | toString | replace "[" "" | replace "]" "" }}; do
+ if [ ! -f "/var/lib/qubes/vm-templates/$TEMPLATE" ]; then
+ logg info "Installing $TEMPLATE"
+ sudo qubes-dom0-update "qubes-template-$TEMPLATE"
+ fi
+done
diff --git a/.local/share/chezmoi/home/.chezmoiscripts/qubes/run_onchange_before_14-ensure-minimal-vms-passwordless b/.local/share/chezmoi/home/.chezmoiscripts/qubes/run_onchange_before_14-ensure-minimal-vms-passwordless
new file mode 100644
index 00000000..5de9705a
--- /dev/null
+++ b/.local/share/chezmoi/home/.chezmoiscripts/qubes/run_onchange_before_14-ensure-minimal-vms-passwordless
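Review bot: `timedatectl set-timezone {{ .user.timezone }}` on the last line of 11-update-timezone expands the template value unquoted; `timedatectl set-timezone "{{ .user.timezone }}"` makes a value with spaces, or an empty one, fail loudly instead of being word-split. None of the new `run_onchange_before_*` scripts (11 through 19) set `set -euo pipefail` or check exit statuses, so a failing `sudo qubes-dom0-update --clean -y` in 12-update-dom0 is followed by a `logg info` that reads as success. Adding the strict-mode line after each shebang, or `|| exit 1` on the privileged steps, is the smallest fix and matters most in dom0 where these run.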
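Review bot: `for TEMPLATE of {{ … }}; do` in 13-install-official-templates is not valid shell — the keyword is `in` — so the script dies with a syntax error before anything runs; the same typo is in 14-ensure-minimal-vms-passwordless, 15-install-unofficial-templates and the NVIDIA loop of 19-setup-sys-gui. The guard `[ ! -f "/var/lib/qubes/vm-templates/$TEMPLATE" ]` tests for a regular file, but each installed template under `/var/lib/qubes/vm-templates/` is presumably a directory, so `-d` is what is meant; as written every run re-invokes `qubes-dom0-update` for every listed template. Since the loop is the whole script, `for TEMPLATE in …; do` plus `-d` are the only two changes needed here.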
@@ -0,0 +1,15 @@
+#!/usr/bin/env bash
+
+### Ensure Qubes minimal templates have passwordless sudo
+for TEMPLATE of {{ .qubes.templates | toString | replace "[" "" | replace "]" "" }}; do
+ if [[ "$TEMPLATE" == *'-minimal' ]]; then
+ if [[ "$TEMPLATE" == 'debian'* ]] || [[ "$TEMPLATE" == 'ubuntu'* ]]; then
+ logg info "Installing qubes-core-agent-passwordless-root on $TEMPLATE"
+ qvm-run -u root "$TEMPLATE" apt-get update
+ qvm-run -u root "$TEMPLATE" apt-get install -y qubes-core-agent-passwordless-root
+ elif [[ "$TEMPLATE" == 'fedora'* ]]; then
+ logg info "Installing qubes-core-agent-passwordless-root on $TEMPLATE"
+ qvm-run -u root "$TEMPLATE" dnf install -y qubes-core-agent-passwordless-root
+ fi
+ fi
+done
diff --git a/.local/share/chezmoi/home/.chezmoiscripts/qubes/run_onchange_before_15-install-unofficial-templates b/.local/share/chezmoi/home/.chezmoiscripts/qubes/run_onchange_before_15-install-unofficial-templates
new file mode 100644
index 00000000..33bc6c40
--- /dev/null
+++ b/.local/share/chezmoi/home/.chezmoiscripts/qubes/run_onchange_before_15-install-unofficial-templates
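Review bot: This script is the one place in the set that deliberately lowers a default — minimal templates ship without passwordless root on purpose, and every AppVM based on them inherits the change — so that deserves a comment at the top rather than the bare `### Ensure Qubes minimal templates have passwordless sudo`. Suggested: `# Minimal templates ship without passwordless root; installing qubes-core-agent-passwordless-root makes them match the full templates (Qubes treats the VM, not the user/root split, as the security boundary — see the vm-sudo doc)`. Both `qvm-run -u root "$TEMPLATE" …` install calls also run without a status check, so a template whose update proxy is unreachable is logged as done; `qvm-run -u root "$TEMPLATE" dnf install -y qubes-core-agent-passwordless-root || logg warn "passwordless-root install failed in $TEMPLATE"` (and the same on the apt-get line) would surface it.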
@@ -0,0 +1,21 @@
+#!/usr/bin/env bash
+
+### Ensure unofficial templates are installed
+for TEMPLATE_URL of {{ .qubes.templatesUnofficial | toString | replace "[" "" | replace "]" "" }}; do
+ logg info "Template URL: $TEMPLATE_URL"
+ TEMPLATE="$(echo "$TEMPLATE_URL" | sed 's/^.*\/\(.*\)-\d+.\d+.\d+-\d+.noarch.rpm$/\1/')"
+ logg info "Template: $TEMPLATE"
+ FILE="$(echo "$TEMPLATE_URL" | sed 's/^.*\/\(.*-\d+.\d+.\d+-\d+.noarch.rpm\)$/\1/')"
+ logg info "File: $FILE"
+ if [ ! -f "/var/lib/qubes/vm-templates/$TEMPLATE" ]; then
+ logg info "Downloading the unofficial $TEMPLATE TemplateVM via {{ .qubes.provisionVM }}"
+ qvm-run --pass-io "{{ .qubes.provisionVM }}" "curl -sSL "$TEMPLATE_URL" -o "/home/Downloads/$FILE""
+ logg info "Transferring the image to dom0"
+ qvm-run --pass-io "{{ .qubes.provisionVM }}" "cat /home/Downloads/$FILE" > "/tmp/$FILE"
+ logg info "Installing the TemplateVM via dnf"
+ sudo dnf install --nogpgcheck "/tmp/$FILE"
+ rm -f "/tmp/$FILE"
+ else
+ logg info "$TEMPLATE is already installed"
+ fi
+done
diff --git a/.local/share/chezmoi/home/.chezmoiscripts/qubes/run_onchange_before_16-update-template-vms b/.local/share/chezmoi/home/.chezmoiscripts/qubes/run_onchange_before_16-update-template-vms
new file mode 100644
index 00000000..5dadc64f
--- /dev/null
+++ b/.local/share/chezmoi/home/.chezmoiscripts/qubes/run_onchange_before_16-update-template-vms
@@ -0,0 +1,5 @@
+#!/usr/bin/env bash
+
+### Update TemplateVMs
+logg info 'Updating TemplateVMs via `qubesctl`'
+timeout 900 qubesctl --show-output --skip-dom0 --templates state.sls update.qubes-vm
diff --git a/.local/share/chezmoi/home/.chezmoiscripts/qubes/run_onchange_before_17-install-mirage-firewall b/.local/share/chezmoi/home/.chezmoiscripts/qubes/run_onchange_before_17-install-mirage-firewall
new file mode 100644
index 00000000..4fe87b04
--- /dev/null
+++ b/.local/share/chezmoi/home/.chezmoiscripts/qubes/run_onchange_before_17-install-mirage-firewall
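Review bot: `sudo dnf install --nogpgcheck "/tmp/$FILE"` installs into dom0 a package that an AppVM fetched from a third-party host with no signature or digest check anywhere in the pipeline, so a swapped or tampered RPM is accepted as-is; import the template publisher's signing key into dom0 and drop `--nogpgcheck`, or at least record a sha256 per URL next to it in `.chezmoidata.yaml` and verify it before `dnf` runs. Before that point the script does not actually work: GNU sed has no `\d`, so both `sed` substitutions leave `TEMPLATE` and `FILE` equal to the full URL, and `qvm-run … "curl -sSL "$TEMPLATE_URL" -o "/home/Downloads/$FILE""` nests double quotes so the remote command is cut at the inner ones; `/home/Downloads` also differs from the `/home/user/Downloads` used in 17-install-mirage-firewall. Parameter expansion replaces the sed calls and single quotes inside the remote command keep it intact, as below. With the corrected extraction `TEMPLATE` becomes e.g. `qubes-template-archlinux`, whereas the directory under `/var/lib/qubes/vm-templates/` would carry the template VM's name — confirm which name the existence check should use.
```shell
  FILE="${TEMPLATE_URL##*/}"
  TEMPLATE="${FILE%%-[0-9]*}"
  # … unchanged: logg lines and the vm-templates existence check …
    qvm-run --pass-io "{{ .qubes.provisionVM }}" "curl -fsSL '$TEMPLATE_URL' -o '/home/user/Downloads/$FILE'"
    logg info "Transferring the image to dom0"
    qvm-run --pass-io "{{ .qubes.provisionVM }}" "cat '/home/user/Downloads/$FILE'" > "/tmp/$FILE"
    # Refuse to hand dom0 a package whose digest is not the one recorded for this URL
    echo "<expected-sha256-for-this-url>  /tmp/$FILE" | sha256sum -c - || { printf 'checksum mismatch for %s\n' "$FILE" >&2; exit 1; }
    sudo dnf install "/tmp/$FILE"  # --nogpgcheck dropped once the publisher's key is imported into dom0
  # … unchanged: rm -f, else branch, done …
```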
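Review bot: `timeout 900 qubesctl --show-output --skip-dom0 --templates state.sls update.qubes-vm` in 16-update-template-vms runs without `sudo`, whereas 12-update-dom0 prefixes every `qubesctl` call with `sudo`; one of the two is presumably wrong, and it is worth settling which before both are applied to dom0. `timeout` returning 124 after fifteen minutes is also indistinguishable from success here because nothing looks at the status; `timeout 900 qubesctl … || logg warn 'TemplateVM update timed out or failed'` would at least surface a half-updated template set.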
@@ -0,0 +1,21 @@
+#!/usr/bin/env bash
+
+### Ensure mirage-firewall kernel folder setup
+if [ ! -d /var/lib/qubes/vm-kernels/mirage-firewall ]; then
+ logg info 'Creating the /var/lib/qubes/vm-kernels/mirage-firewall directory'
+ sudo mkdir -p /var/lib/qubes/vm-kernels/mirage-firewall
+fi
+
+### Install the mirage-firewall kernel
+if [ ! -f /var/lib/qubes/vm-kernels/mirage-firewall/vmlinuz ]; then
+ logg info 'Downloading the pre-compiled mirage firewall kernel in the {{ .qubes.provisionVM }} VM'
+ qvm-run provision 'curl -sSL {{ .qubes.mirageUrl }} > ~/Downloads/mirage-firewall.tar.gz && tar xjf ~/Downloads/mirage-firewall.tar.gz -C ~/Downloads'
+ logg info 'Transferring mirage-firewall kernel to dom0 from the {{ .qubes.provisionVM }} VM'
+ qvm-run --pass-io {{ .qubes.provisionVM }} 'cat /home/user/Downloads/mirage-firewall/vmlinuz' > /var/lib/qubes/vm-kernels/mirage-firewall/vmlinuz
+fi
+
+### Create dummy initrmfs for the mirage-firewall kernel
+if [ ! -f/var/lib/qubes/vm-kernels/mirage-firewall/initramfs ]; then
+ logg info 'Adding dummy initrmfs file to the mirage-firewall kernel folder'
+ gzip -n9 < /dev/null > /var/lib/qubes/vm-kernels/mirage-firewall/initramfs
+fi
diff --git a/.local/share/chezmoi/home/.chezmoiscripts/qubes/run_onchange_before_18-configure-sys-usb b/.local/share/chezmoi/home/.chezmoiscripts/qubes/run_onchange_before_18-configure-sys-usb
new file mode 100644
index 00000000..16ef09c1
--- /dev/null
+++ b/.local/share/chezmoi/home/.chezmoiscripts/qubes/run_onchange_before_18-configure-sys-usb
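Review bot: The kernel written to `/var/lib/qubes/vm-kernels/mirage-firewall/vmlinuz` comes straight out of an AppVM's `curl` of the latest release with nothing checking what arrived — `curl -sSL` without `-f` even saves an HTTP error page under that name — and it is the kernel every VM using this entry will boot; the mirage-firewall releases publish a hash for the build, so compare against it before the file lands in dom0's kernel directory, as below. `qvm-run provision '…'` hard-codes the VM name that `{{ .qubes.provisionVM }}` parameterises two lines later, and the `> /var/lib/qubes/vm-kernels/…/vmlinuz` redirect runs as the unprivileged user into a directory the script just created with `sudo mkdir`, so it presumably fails with permission denied. The archive is saved as `.tar.gz` although `mirageUrl` ends in `.tar.bz2` and `tar xjf` is used — rename it so the next reader is not misled. In the last block `[ ! -f/var/lib/…/initramfs ]` lacks the space after `-f`, which turns the test into a non-empty-string check that is always false, so the dummy initramfs is never written.
```shell
if [ ! -f /var/lib/qubes/vm-kernels/mirage-firewall/vmlinuz ]; then
  logg info 'Downloading the pre-compiled mirage firewall kernel in the {{ .qubes.provisionVM }} VM'
  qvm-run "{{ .qubes.provisionVM }}" 'curl -fsSL {{ .qubes.mirageUrl }} -o ~/Downloads/mirage-firewall.tar.bz2 && tar xjf ~/Downloads/mirage-firewall.tar.bz2 -C ~/Downloads'
  logg info 'Transferring mirage-firewall kernel to dom0 from the {{ .qubes.provisionVM }} VM'
  KERNEL_TMP="$(mktemp)"
  qvm-run --pass-io "{{ .qubes.provisionVM }}" 'cat /home/user/Downloads/mirage-firewall/vmlinuz' > "$KERNEL_TMP"
  # Only a kernel matching the digest published with the release goes into dom0's kernel directory
  echo "<expected-sha256-from-release-notes>  $KERNEL_TMP" | sha256sum -c - || { rm -f "$KERNEL_TMP"; exit 1; }
  sudo install -m 0644 "$KERNEL_TMP" /var/lib/qubes/vm-kernels/mirage-firewall/vmlinuz
  rm -f "$KERNEL_TMP"
fi
# … unchanged: dummy initramfs block, with the space restored in `-f /var/lib/…/initramfs` …
```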
@@ -0,0 +1,24 @@
+#!/usr/bin/env bash
+
+### Enable sys-usb
+logg info 'Modifying Salt configuration to be able to enable sys-usb'
+qubesctl top.enabled pillar=True || EXIT_CODE=$?
+qubesctl state.highstate || EXIT_CODE=$?
+logg info 'Ensuring sys-net-as-usbvm is removed'
+qubesctl top.disable qvm.sys-net-as-usbvm pillar=True || EXIT_CODE=$?
+logg info 'Ensuring sys-usb is setup and that it is properly configured with the keyboard'
+qubesctl state.sls qvm.usb-keyboard
+
+### Configure USB keyboard settings
+if [ "{{ .qubes.promptKeyboards }}" = 'true' ]; then
+ logg info 'Ensure USB keyboards are only allows to connect after prompt is answered'
+ logg warn 'This can potentially lock you out if all you have are USB keyboards'
+ echo "sys-usb dom0 ask,user=root,default_target=dom0" | sudo tee /etc/qubes-rpc/policy/qubes.InputKeyboard
+else
+ logg info 'Ensuring USB keyboards can connect without a prompt'
+ echo "sys-usb dom0 allow,user=root" | sudo tee /etc/qubes-rpc/policy/qubes.InputKeyboard
+fi
+
+### Configure USB mouse settings
+logg info 'Ensuring newly connected USB mouse devices are only allowed to connect after a prompt is accepted'
+echo "sys-usb dom0 ask,default_target=dom0" | sudo tee /etc/qubes-rpc/policy/qubes.InputMouse
diff --git a/.local/share/chezmoi/home/.chezmoiscripts/qubes/run_onchange_before_19-setup-sys-gui b/.local/share/chezmoi/home/.chezmoiscripts/qubes/run_onchange_before_19-setup-sys-gui
new file mode 100644
index 00000000..42dd5ef8
--- /dev/null
+++ b/.local/share/chezmoi/home/.chezmoiscripts/qubes/run_onchange_before_19-setup-sys-gui
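Review bot: `qubesctl top.enabled pillar=True` only lists the enabled Salt tops, so the "Modifying Salt configuration" step enables nothing — `qubesctl top.enable qvm.sys-usb pillar=True` is presumably what was meant — and the three `|| EXIT_CODE=$?` captures are never read, so a failed highstate is discarded; either act on it (`(( EXIT_CODE )) && logg warn 'Salt step failed'`) or drop the captures. With `promptKeyboards: false` as the data default, the branch that normally runs writes `sys-usb dom0 allow,user=root` to `qubes.InputKeyboard`, which lets any device that enumerates as a USB keyboard type into dom0 with no confirmation, yet the `logg warn` sits only on the safer `ask` branch; put the trade-off where it is taken: `# allow = no prompt, so a device posing as a keyboard gets dom0 input; prefer 'ask' unless the only keyboard is USB`. On Qubes 4.1 the `qvm.usb-keyboard` state applied two lines earlier also manages a `qubes.InputKeyboard` rule under `/etc/qubes/policy.d/`, and that directory and the legacy `/etc/qubes-rpc/policy/` file written here are merged by file order — confirm which rule wins, otherwise the `promptKeyboards` switch may be decorative. The `sudo tee` calls also echo the policy line to stdout; `| sudo tee … >/dev/null` keeps the log readable.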
@@ -0,0 +1,26 @@
+#!/usr/bin/env bash
+
+### Enables sys-gui-gpu
+enableSysGUIGPU() {
+ logg info 'Enabling `sys-gui-gpu`'
+ qubesctl top.enable qvm.sys-gui-gpu
+ qubesctl top.enable qvm.sys-gui-gpu pillar=True
+ qubesctl --all state.highstate
+ qubesctl top.disable qvm.sys-gui-gpu
+}
+
+### Enable appropriate sys-gui
+if qvm-pci list | grep 'VGA compatible controller' | grep 'Intel'; else
+ logg info 'An Intel GPU was detected'
+ enableSysGUIGPU
+ logg info 'Attaching Intel GPU PCI devices to sys-gui-gpu'
+ qubesctl state.sls qvm.sys-gui-gpu-attach-gpu
+elif qvm-pci list | grep 'VGA compatible controller' | grep 'NVIDIA'; then
+ logg info 'An NVIDIA GPU was detected'
+ enableSysGUIGPU
+ logg info 'Attaching NVIDIA GPU PCI devices to sys-gui-gpu'
+ for ID of "$(qvm-pci list | grep 'NVIDIA' | sed 's/^\([^ ]*\).*/\1/')"; do
+ logg info "Attaching PCI device with ID of $ID"
+ qvm-pci attach sys-gui-gpu "$ID" --persistent -o permissive=true
+ done
+fi
diff --git a/.local/share/chezmoi/system/.chezmoidata.yaml b/.local/share/chezmoi/system/.chezmoidata.yaml
new file mode 100644
index 00000000..d10df96d
--- /dev/null
+++ b/.local/share/chezmoi/system/.chezmoidata.yaml
@@ -0,0 +1,4 @@
+---
+grub:
+ shiftToSeeMenu: false
+theme: Betelgeuse
diff --git a/.local/share/chezmoi/system/.chezmoiexternal.toml b/.local/share/chezmoi/system/.chezmoiexternal.toml
index 4e5fe8b4..d4da66f1 100644
--- a/.local/share/chezmoi/system/.chezmoiexternal.toml
+++ b/.local/share/chezmoi/system/.chezmoiexternal.toml
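Review bot: `if qvm-pci list | grep 'VGA compatible controller' | grep 'Intel'; else` is a syntax error (`else` where `then` belongs), so 19-setup-sys-gui fails to parse and neither GPU path ever runs. Both detection pipelines also print their matches to stdout; `grep -q 'Intel'` and `grep -q 'NVIDIA'` keep the exit status and silence the output. The NVIDIA loop `for ID of "$(…)"` has the `of` typo and, once fixed, iterates exactly once over the whole quoted output rather than per device; `while read -r ID _; do … done < <(qvm-pci list | grep 'NVIDIA')` yields one ID per iteration without the sed. `-o permissive=true` relaxes the PCI config-space restrictions for the attached device, which is a deliberate weakening, so the attach line deserves a one-line comment stating why the GPU needs it: `# permissive: GPUs usually fail to initialise behind the default strict pciback config-space filtering`.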
@@ -1,9 +1,98 @@
+{{- if not .host.headless }}
+## Betelgeuse Theme
+["/usr/local/src/betelgeuse"]
+ type = "git-repo"
+ url = "https://gitlab.com/megabyte-labs/misc/betelgeuse.git"
+ clone.args = ["--depth", "1"]
+ pull.args = ["--ff-only"]
+
+### Hack Nerd Font Download
+{{- $refreshPeriod := "4800h" }}
+{{- $fontDir := "" }}
+{{- $fontUrlBase := "https://github.com/ryanoasis/nerd-fonts/raw/master/patched-fonts/Hack"}}
+{{- if eq .host.distro.family "darwin" }}
+{{- $fontDir = "/Library/Fonts" }}
+{{- else if eq .host.distro.family "linux" }}
+{{- $fontDir = "/usr/local/share/fonts" }}
+{{- else if eq .host.distro.family "windows" }}
+{{- $fontDir = "TODOWindows/Fonts" }}
+{{- end }}
+["{{ $fontDir }}/Hack-Regular-Nerd-Font.ttf"]
+ type = "file"
+ url = "{{ $fontUrlBase }}/Regular/complete/Hack%20Regular%20Nerd%20Font%20Complete{{if eq .host.distro.family "windows"}}%20Windows%20Compatible{{end}}.ttf"
+ refreshPeriod = "{{ $refreshPeriod }}"
+["{{ $fontDir }}/Hack-Bold-Nerd-Font.ttf"]
+ type = "file"
+ url = "{{ $fontUrlBase }}/Bold/complete/Hack%20Bold%20Nerd%20Font%20Complete{{if eq .host.distro.family "windows"}}%20Windows%20Compatible{{end}}.ttf"
+ refreshPeriod = "{{ $refreshPeriod }}"
+["{{ $fontDir }}/Hack-Italic-Nerd-Font.ttf"]
+ type = "file"
+ url = "{{ $fontUrlBase }}/Italic/complete/Hack%20Italic%20Nerd%20Font%20Complete{{if eq .host.distro.family "windows"}}%20Windows%20Compatible{{end}}.ttf"
+ refreshPeriod = "{{ $refreshPeriod }}"
+["{{ $fontDir }}/Hack-Bold-Italic-Nerd-Font.ttf"]
+ type = "file"
+ url = "{{ $fontUrlBase }}/BoldItalic/complete/Hack%20Bold%20Italic%20Nerd%20Font%20Complete{{if eq .host.distro.family "windows"}}%20Windows%20Compatible{{end}}.ttf"
+ refreshPeriod = "{{ $refreshPeriod }}"
+
+### Montserrat Font Download
+{{- $fontUrlBase := "https://github.com/JulietaUla/Montserrat/raw/master/fonts/ttf/Montserrat-"}}
+{{- $fonts := list "Black" "BlackItalic" "Bold" "BoldItalic" "ExtraBold" "ExtraBoldItalic" "ExtraLight" "ExtraLightItalic" "Italic" "Light" "LightItalic" "Medium" "MediumItalic" "Regular" "SemiBold" "SemiBoldItalic" "Thin" "ThinItalic" }}
+{{- range $font := $fonts }}
+["{{ $fontDir }}/Montserrat-{{ $font }}.ttf"]
+ type = "file"
+ url = "{{ $fontUrlBase }}{{ $font }}.ttf"
+ refreshPeriod = "{{ $refreshPeriod }}"
+{{- end }}
+
+### ZillaSlab Font Download
+{{- $fontUrlBase := "https://github.com/typotheque/zilla-slab/raw/master/fonts_TTF/ZillaSlab"}}
+{{- $fonts := list "-Bold" "-BoldItalic" "-Italic" "-Light" "-LightItalic" "-Medium" "-MediumItalic" "-Regular" "-SemiBold" "-SemiBoldItalic" "Highlight-Bold" "Highlight-Regular" }}
+{{- range $font := $fonts }}
+["{{ $fontDir }}/ZillaSlab{{ $font }}.ttf"]
+ type = "file"
+ url = "{{ $fontUrlBase }}{{ $font }}.ttf"
+ refreshPeriod = "{{ $refreshPeriod }}"
+{{- end }}
+
+### Rofi Fonts
+["{{ $fontDir }}/GrapeNuts-Regular.ttf"]
+ type = "file"
+ url = "https://github.com/adi1090x/rofi/raw/master/fonts/GrapeNuts-Regular.ttf"
+ refreshPeriod = "{{ $refreshPeriod }}"
+["{{ $fontDir }}/Icomoon-Feather.ttf"]
+ type = "file"
+ url = "https://github.com/adi1090x/rofi/raw/master/fonts/Icomoon-Feather.ttf"
+ refreshPeriod = "{{ $refreshPeriod }}"
+["{{ $fontDir }}/Iosevka-Nerd-Font-Complete.ttf"]
+ type = "file"
+ url = "https://github.com/adi1090x/rofi/raw/master/fonts/Iosevka-Nerd-Font-Complete.ttf"
+ refreshPeriod = "{{ $refreshPeriod }}"
+["{{ $fontDir }}/JetBrains-Mono-Nerd-Font-Complete.ttf"]
+ type = "file"
+ url = "https://github.com/adi1090x/rofi/raw/master/fonts/JetBrains-Mono-Nerd-Font-Complete.ttf"
+ refreshPeriod = "{{ $refreshPeriod }}"
+
+### Miscellaneous Fonts Download
+["{{ $fontDir }}/FontAwesome.ttf"]
+ type = "file"
+ # Source URL
+ url = "https://github.com/VermiumSifell/dotfiles/raw/main/dot_local/share/fonts/fontawesome.ttf"
+ refreshPeriod = "{{ $refreshPeriod }}"
+["{{ $fontDir }}/Weather-Icons.ttf"]
+ type = "file"
+ # Source URL
+ url = "https://github.com/VermiumSifell/dotfiles/raw/main/dot_local/share/fonts/weathericons.ttf"
+ refreshPeriod = "{{ $refreshPeriod }}"
+{{- end }}
+
+### NGINX
 ["/etc/nginx"]
 type = "git-repo"
 url = "https://gitlab.com/megabyte-labs/cloud/nginx-configs.git"
 clone.args = ["--depth", "1"]
 pull.args = ["--ff-only"]
+### Rundeck
 ["/var/lib/rundeck/libext/ansible-plugin-3.2.2.jar"]
 type = "file"
 url = "https://github.com/rundeck-plugins/ansible-plugin/releases/download/v3.2.2/ansible-plugin-3.2.2.jar"
diff --git a/.local/share/chezmoi/system/boot/efi/EFI/qubes/modify_grubenv b/.local/share/chezmoi/system/boot/efi/EFI/qubes/modify_grubenv
new file mode 100644
index 00000000..0cd6eef4
--- /dev/null
+++ b/.local/share/chezmoi/system/boot/efi/EFI/qubes/modify_grubenv
@@ -0,0 +1,4 @@
+#!/usr/bin/env bash
+
+logg info 'Copying /boot/grub2/grubenv to /boot/efi/EFI/qubes/grubenv'
+sudo cp -f /boot/grub2/grubenv /boot/efi/EFI/qubes/grubenv
diff --git a/.local/share/chezmoi/system/etc/default/modify_grub b/.local/share/chezmoi/system/etc/default/modify_grub
new file mode 100644
index 00000000..ca49a204
--- /dev/null
+++ b/.local/share/chezmoi/system/etc/default/modify_grub
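Review bot: `{{- $fontDir = "TODOWindows/Fonts" }}` leaves a literal relative placeholder as the Windows target, so on that platform every font entry below resolves under chezmoi's destination directory plus `TODOWindows/Fonts`; either resolve the path or exclude `windows` from the block until it is known. None of the `type = "file"` externals carry a checksum although each is fetched over the network and written into a system-wide font directory, and the `FontAwesome.ttf` / `Weather-Icons.ttf` entries pull from a personal dotfiles repository on a mutable branch; chezmoi externals accept a `checksum.sha256` key, and pinning it turns a changed upstream file into an apply-time error instead of a silent replacement every `refreshPeriod`. The `# Source URL` comments on those two entries would be more useful if they named the actual origin of the font rather than restating that a URL follows.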
@@ -0,0 +1,54 @@
+#!/usr/bin/env bash
+
+SCREEN_WIDTH="$(xrandr --current | grep '*' | uniq | awk '{print $1}' | cut -d 'x' -f1)"
+SCREEN_HEIGHT="$(xrandr --current | grep '*' | uniq | awk '{print $1}' | cut -d 'x' -f2)"
+SCREEN_RATIO="$(awk -v height={{ screen_height.stdout }} -v width={{ screen_width.stdout }} 'BEGIN { print ((height / width) * 1000) }')"
+SCREEN_RATIO="${SCREEN_RATIO%.*}"
+SCREEN_RATIO_ULTRAWIDE="2100"
+GRUB_RESOLUTION_TYPE="1080p"
+
+### Determine if screen is ultrawide
+if (( $(echo "$SCREEN_RATIO $SCREEN_RATIO_ULTRAWIDE" | awk '{print ($1 > $2)}') )); then
+ GRUB_RESOLUTION_TYPE="ultrawide"
+fi
+
+### Optimize the GRUB resolution
+logg info 'Optimizing the GRUB resolution'
+if cat /etc/default/grub | grep GRUB_GFX_MODE; then
+ sudo sed -i '/.*GRUB_GFXMODE.*/GRUB_GFXMODE=auto/' /etc/default/grub
+else
+ echo "GRUB_GFXMODE=auto" | sudo tee -a /etc/default/grub
+fi
+
+### Add GRUB_GFXPAYLOAD_LINUX=keep
+logg info 'Ensuring GRUB_GFXPAYLOAD_LINUX is set to keep'
+if cat /etc/default/grub | grep GRUB_GFXPAYLOAD_LINUX; then
+ sudo sed -i '/.*GRUB_GFXPAYLOAD_LINUX.*/GRUB_GFXPAYLOAD_LINUX="keep"/' /etc/default/grub
+else
+ echo 'GRUB_GFXPAYLOAD_LINUX="keep"' | sudo tee -a /etc/default/grub
+fi
+
+### Set GRUB theme
+logg info "Setting GRUB2 theme to {{ .theme }}-$GRUB_RESOLUTION_TYPE"
+if cat /etc/default/grub | grep GRUB_THEME; then
+ sudo sed -i '/.*GRUB_THEME.*/GRUB_THEME="{{ .theme }}-'"$GRUB_RESOLUTION_TYPE"'"/' /etc/default/grub
+else
+ echo 'GRUB_THEME="{{ .theme }}-'"$GRUB_RESOLUTION_TYPE"'"' | sudo tee -a /etc/default/grub
+fi
+
+### Set GRUB background
+logg info 'Set GRUB background to prevent FOUC'
+if cat /etc/default/grub | grep GRUB_BACKGROUND; then
+ sudo sed -i '/.*GRUB_BACKGROUND.*/GRUB_BACKGROUND="/usr/local/share/grub/{{ .theme }}-blue.png"/' /etc/default/grub
+else
+ echo 'GRUB_BACKGROUND="/usr/local/share/grub/{{ .theme }}-blue.png"' | sudo tee -a /etc/default/grub
+fi
+
+### Configure Shift to see menu feature
+logg info 'Configuring Shift to see GRUB2 menu feature'
+sed -i '/GRUB_FORCE_HIDDEN_MENU/d' /etc/default/grub
+echo "GRUB_FORCE_HIDDEN_MENU={{ .grub.shiftToSeeMenu }}" > /etc/default/grub
+
+### Remove duplicate lines
+logg info 'Ensuring there are no duplicate entries in /etc/default/grub'
+cat /etc/default/grub | uniq -u | sudo tee /etc/default/grub
diff --git a/.local/share/chezmoi/system/etc/grub.d/31_hold-shift b/.local/share/chezmoi/system/etc/grub.d/31-hold-shift
similarity index 100%
rename from .local/share/chezmoi/system/etc/grub.d/31_hold-shift
rename to .local/share/chezmoi/system/etc/grub.d/31-hold-shift
diff --git a/.local/share/chezmoi/system/etc/modify_environment b/.local/share/chezmoi/system/etc/modify_environment
new file mode 100644
index 00000000..f4555bbc
--- /dev/null
+++ b/.local/share/chezmoi/system/etc/modify_environment
@@ -0,0 +1,9 @@
+#!/usr/bin/env bash
+
+### Ensure QT_STYLE_OVERRIDE is set in /etc/environment
+logg info 'Ensuring QT_STYLE_OVERRIDE is set in /etc/environment'
+if cat /etc/environment | grep QT_STYLE_OVERRIDE; then
+ sudo sed -i '/.*QT_STYLE_OVERRIDE.*/export QT_STYLE_OVERRIDE=kvantum-dark/' /etc/environment
+else
+ echo 'export QT_STYLE_OVERRIDE=kvantum-dark' | sudo tee -a /etc/environment
+fi
diff --git a/.local/share/chezmoi/system/etc/qubes/repo-templates/qubes-templates.repo b/.local/share/chezmoi/system/etc/qubes/repo-templates/qubes-templates.repo
new file mode 100644
index 00000000..cd9a7627
--- /dev/null
+++ b/.local/share/chezmoi/system/etc/qubes/repo-templates/qubes-templates.repo
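Review bot: `echo "GRUB_FORCE_HIDDEN_MENU={{ .grub.shiftToSeeMenu }}" > /etc/default/grub` near the end of modify_grub truncates the whole bootloader configuration to that one line (and runs without `sudo`, as does the `sed -i` just above it), and the `cat /etc/default/grub | uniq -u | sudo tee /etc/default/grub` that follows reads and rewrites the same file in one pipeline, so what survives depends on timing — `uniq -u` also *drops* every line that has a duplicate instead of de-duplicating; write through a temp file as below. Every `sudo sed -i '/.*KEY.*/KEY=value/'` in this file, and the one in etc/modify_environment, is missing the leading `s`, so sed rejects the expression and the replace branch never updates anything; `grep GRUB_GFX_MODE` also never matches the `GRUB_GFXMODE` key it is meant to find. `{{ screen_height.stdout }}` / `{{ screen_width.stdout }}` on the `SCREEN_RATIO` line read like Ansible leftovers that chezmoi cannot render, while the shell already has `$SCREEN_HEIGHT` and `$SCREEN_WIDTH` from the two lines above. The ultrawide test compares height/width*1000 with 2100, which no landscape display reaches, so the ratio presumably needs to be width/height — confirm the intent before changing it.
```shell
### Configure Shift to see menu feature
logg info 'Configuring Shift to see GRUB2 menu feature'
sudo sed -i '/GRUB_FORCE_HIDDEN_MENU/d' /etc/default/grub
echo "GRUB_FORCE_HIDDEN_MENU={{ .grub.shiftToSeeMenu }}" | sudo tee -a /etc/default/grub >/dev/null

### Remove duplicate lines
logg info 'Ensuring there are no duplicate entries in /etc/default/grub'
# Build the de-duplicated copy first so the file is never read and truncated in the same pipeline
GRUB_TMP="$(mktemp)"
awk '!seen[$0]++' /etc/default/grub > "$GRUB_TMP"
sudo tee /etc/default/grub < "$GRUB_TMP" >/dev/null
rm -f "$GRUB_TMP"
```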
@@ -0,0 +1,41 @@
+[qubes-templates-itl]
+name = Qubes Templates repository
+#baseurl = https://yum.qubes-os.org/r$releasever/templates-itl
+#baseurl = http://yum.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r$releasever/templates-itl
+metalink = https://yum.qubes-os.org/r$releasever/templates-itl/repodata/repomd.xml.metalink
+enabled = 1
+fastestmirror = 1
+metadata_expire = 7d
+gpgcheck = 1
+gpgkey = file:///etc/qubes/repo-templates/keys/RPM-GPG-KEY-qubes-$releasever-primary
+
+[qubes-templates-itl-testing]
+name = Qubes Templates repository
+#baseurl = https://yum.qubes-os.org/r$releasever/templates-itl-testing
+#baseurl = http://yum.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r$releasever/templates-itl-testing
+metalink = https://yum.qubes-os.org/r$releasever/templates-itl-testing/repodata/repomd.xml.metalink
+enabled = 1
+fastestmirror = 1
+gpgcheck = 1
+gpgkey = file:///etc/qubes/repo-templates/keys/RPM-GPG-KEY-qubes-$releasever-primary
+
+[qubes-templates-community]
+name = Qubes Community Templates repository
+#baseurl = https://yum.qubes-os.org/r$releasever/templates-community
+#baseurl = http://yum.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r$releasever/templates-community
+metalink = https://yum.qubes-os.org/r$releasever/templates-community/repodata/repomd.xml.metalink
+enabled = 1
+fastestmirror = 1
+metadata_expire = 7d
+gpgcheck = 1
+gpgkey = file:///etc/qubes/repo-templates/keys/RPM-GPG-KEY-qubes-$releasever-templates-community
+
+[qubes-templates-community-testing]
+name = Qubes Community Templates repository
+#baseurl = https://yum.qubes-os.org/r$releasever/templates-community-testing
+#baseurl = http://yum.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r$releasever/templates-community-testing
+metalink = https://yum.qubes-os.org/r$releasever/templates-community-testing/repodata/repomd.xml.metalink
+enabled = 1
+fastestmirror = 1
+gpgcheck = 1
+gpgkey = file:///etc/qubes/repo-templates/keys/RPM-GPG-KEY-qubes-$releasever-templates-community
diff --git a/.local/share/chezmoi/system/etc/sddm.conf b/.local/share/chezmoi/system/etc/sddm.conf
new file mode 100644
index 00000000..e69de29b
diff --git a/.local/share/chezmoi/system/etc/yum.repos.d/qubes-dom0.repo b/.local/share/chezmoi/system/etc/yum.repos.d/qubes-dom0.repo
new file mode 100644
index 00000000..3fec2b71
--- /dev/null
+++ b/.local/share/chezmoi/system/etc/yum.repos.d/qubes-dom0.repo
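Review bot: `qubes-templates-itl-testing` and `qubes-templates-community-testing` are written with `enabled = 1`, whereas the file a Qubes install ships leaves both `-testing` sections at `enabled = 0`; with them on, every `qubes-dom0-update qubes-template-…` issued by 13-install-official-templates will pick the newer testing build whenever one exists. If running pre-release templates is intended, a comment above each testing section saying so is worthwhile, otherwise keep them at `enabled = 0` and opt in per install with `--enablerepo=qubes-templates-itl-testing`. `gpgcheck = 1` is kept throughout, which is the important part; the missing `metadata_expire = 7d` in the two testing sections presumably mirrors the stock file rather than an oversight, but a comment would settle it.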
@@ -0,0 +1,42 @@
+[qubes-dom0-current]
+name = Qubes Dom0 Repository (updates)
+#baseurl = https://yum.qubes-os.org/r$releasever/current/dom0/fc32
+#baseurl = http://yum.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r$releasever/current/dom0/fc32
+metalink = https://yum.qubes-os.org/r$releasever/current/dom0/fc32/repodata/repomd.xml.metalink
+skip_if_unavailable=False
+enabled = 1
+metadata_expire = 6h
+gpgcheck = 1
+gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-qubes-$releasever-primary
+
+[qubes-dom0-current-testing]
+name = Qubes Dom0 Repository (updates-testing)
+#baseurl = https://yum.qubes-os.org/r$releasever/current-testing/dom0/fc32
+#baseurl = http://yum.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r$releasever/current-testing/dom0/fc32
+metalink = https://yum.qubes-os.org/r$releasever/current-testing/dom0/fc32/repodata/repomd.xml.metalink
+skip_if_unavailable=False
+enabled = 1
+metadata_expire = 6h
+gpgcheck = 1
+gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-qubes-$releasever-primary
+
+[qubes-dom0-security-testing]
+name = Qubes Dom0 Repository (security-testing)
+#baseurl = https://yum.qubes-os.org/r$releasever/security-testing/dom0/fc32
+#baseurl = http://yum.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r$releasever/security-testing/dom0/fc32
+metalink = https://yum.qubes-os.org/r$releasever/security-testing/dom0/fc32/repodata/repomd.xml.metalink
+skip_if_unavailable=False
+enabled = 1
+metadata_expire = 6h
+gpgcheck = 1
+gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-qubes-$releasever-primary
+
+[qubes-dom0-unstable]
+name = Qubes Dom0 Repository (unstable)
+#baseurl = https://yum.qubes-os.org/r$releasever/unstable/dom0/fc32
+#baseurl = http://yum.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r$releasever/unstable/dom0/fc32
+metalink = https://yum.qubes-os.org/r$releasever/unstable/dom0/f32/repodata/repomd.xml.metalink
+skip_if_unavailable=False
+enabled = 0
+gpgcheck = 1
+gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-qubes-$releasever-unstable
diff --git a/.local/share/chezmoi/system/usr/share/run_onchange_after_setup-share-folder b/.local/share/chezmoi/system/usr/share/run_onchange_after_setup-share-folder
new file mode 100644
index 00000000..00442686
--- /dev/null
+++ b/.local/share/chezmoi/system/usr/share/run_onchange_after_setup-share-folder
@@ -0,0 +1,13 @@
+#!/usr/bin/env bash
+
+logg info 'Ensure /usr/local/share/grub/themes is a directory'
+sudo mkdir -p /usr/local/share/grub/themes
+
+logg info 'Copy GRUB theme to /usr/local/share/grub/themes'
+cp -rf /usr/local/src/{{ .theme }}/share/grub/themes/ /usr/local/share/grub/themes
+
+logg info 'Ensure /boot/grub2/themes is a directory'
+sudo mkdir -p /boot/grub2/themes
+
+logg info 'Copy GRUB themes to /boot/grub2/themes'
+sudo cp -rf /usr/local/share/grub/themes/ /boot/grub2/themes
\ No newline at end of file
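Review bot: `qubes-dom0-current-testing` and `qubes-dom0-security-testing` are set to `enabled = 1` while the stock dom0 repo file leaves them at `enabled = 0`; with both on, the `sudo qubes-dom0-update --clean -y` in 12-update-dom0 pulls pre-release Xen, kernel and qubes-core packages into dom0 on every run. dom0 is the trust root of the whole system, so the usual practice is to keep testing off here and opt in per run with `--enablerepo=qubes-dom0-current-testing`; if the tester role is intentional, say so in a comment above each section so the next person does not "fix" it. `skip_if_unavailable=False` is the only key written without spaces around `=` — harmless to dnf, but inconsistent with the rest of the file.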
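Review bot: `cp -rf /usr/local/src/{{ .theme }}/share/grub/themes/ …` in run_onchange_after_setup-share-folder expands `.theme` to `Betelgeuse` (system/.chezmoidata.yaml), but .chezmoiexternal.toml clones the repository to `/usr/local/src/betelgeuse`, so on a case-sensitive filesystem the source path does not exist. That `cp` also runs without `sudo` into a directory the previous line created with `sudo mkdir -p`, so even with the right path it will likely fail with permission denied — `sudo cp -rf`, as on the last line, fixes it. With GNU cp and an existing destination, both copies nest a `themes/themes` directory rather than merging into `themes`; presumably `…/share/grub/themes/.` is what is intended, so confirm against the cloned repository's layout and the path `GRUB_THEME` ends up pointing at.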