Setting up debian-13-minimal templates with bash script revisions


Revision #7

Edited on 2025-11-23 by user qubesfan35267
\r- Nescessary packages will be installed from SIGNAL repository. \r- Nescessary packages will be installed from MULLVAD repository.
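Review bot: the user-facing message on this line still spells the first word "Nescessary" in both the old and the new text; correct it to "Necessary" while the line is being changed.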

Revision #6

Edited on 2025-09-12 by user qubesfan35267
##setting up autostart for random VPN as service (import your wireguard configuration files to vpn service qube; make sure autoconnect is off after import; if you do not want this service disable it in template). ##setting up autostart for random VPN as service.
echo -e "\e[36;1mDEBIAN-13-MINIMAL VPN TEMPLATE install successful! Rename template (e.g. d13m-vpn). For proper VPN setup follow this link: ##script to install multiple wireguard configuration files and setting up firewall rules ##run as root cat <<- 'EOF' > /opt/bin/wireguard-setup #!/bin/bash #delete old wiregurad connections mapfile -t old_wg < <(nmcli -t -f NAME,TYPE connection show | awk -F: '$2=="wireguard"{print $1}') for name in "${old_wg[@]}"; do [ -n "$name" ] || continue nmcli connection delete "$name" done #choose wireguard conf files you want to import selection="$(GTK_THEME=Adwaita:dark zenity --file-selection \ --title="Choose wireguard conf files you want to import (*.conf)" \ --multiple \ --separator="|" \ --file-filter="*.conf | *.conf" \ --file-filter="... | *" || true)" [ -n "${selection}" ] || exit 0 IFS='|' read -r -a confs <<< "$selection" #nmcli file import for conf in "${confs[@]}"; do nmcli connection import type wireguard file "$conf" done #deactivate autoconnect and discoonect all connections mapfile -t wg_names < <(nmcli -t -f NAME,TYPE connection show | awk -F: '$2=="wireguard"{print $1}') for name in "${wg_names[@]}"; do nmcli connection modify "$name" connection.autoconnect no nmcli connection down "$name" >/dev/null 2>&1 || true done zenity --info --text="Done.\nImported: ${#confs[@]}\nautoconnect deactivated." #setting up custom firewall rules. mkdir /rw/config/qubes-firewall.d read -p "Setting up firewall to provide killswitch. Do not forget to enable qubes-firewall service in qube settings. 
Input your cutsom DNS for leak protection (check wireguard conf files): " DNS cat <<- EOT > /rw/config/qubes-firewall.d/custom-firewall #!/bin/bash nft add rule qubes custom-forward oifname eth0 counter drop nft add rule ip6 qubes custom-forward oifname eth0 counter drop nft add chain qubes nat { type nat hook prerouting priority dstnat\; } nft add rule qubes nat iifname == "vif*" tcp dport 53 dnat "$DNS" nft add rule qubes nat iifname == "vif*" udp dport 53 dnat "$DNS" EOT chmod +x /rw/config/qubes-firewall.d/custom-firewall EOF chmod +x /opt/bin/wireguard-setup echo -e "\e[36;1mDEBIAN-13-MINIMAL VPN TEMPLATE install successful! Rename template (e.g. d13m-vpn). To set up your VPN qube run the wireguard-importer script as root. For further VPN setup follow this link:
##Removing passwordless root which was installed with qubes-vm-recommended. ##removing passwordless root which was installed with qubes-vm-recommended.
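Review bot: in the added wireguard-setup script, the value read into DNS is written unchecked into /rw/config/qubes-firewall.d/custom-firewall, an executable script for the qubes-firewall service, so a typo or stray shell character ends up in that file and the two dnat rules for port 53 can fail. Check that the input is a single IP address before writing the file and prompt again otherwise, and use read -r. Separately, the script is installed as /opt/bin/wireguard-setup while the closing message tells the user to run the wireguard-importer script, so one of the two names should change; mkdir /rw/config/qubes-firewall.d should also use -p so a second run does not error on the existing directory.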

Revision #5

Edited on 2025-09-09 by user qubesfan35267
rm /etc/sudoers.d/qubes apt remove -y qubes-core-agent-passwordless-root
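Review bot: the replacement line apt remove -y qubes-core-agent-passwordless-root leaves a package's configuration files on disk, whereas the line it replaces deleted /etc/sudoers.d/qubes directly. Use apt purge -y instead, or check after the removal that /etc/sudoers.d/qubes is gone, so the sudo rule does not outlive the package.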

Revision #4

Edited on 2025-09-09 by user qubesfan35267
sleep 3 sleep 2
sleep 3

Revision #3

Edited on 2025-09-08 by user qubesfan35267
\r- Networking and WIREGUARD packages will be installed \r- Networking and WIREGUARD packages will be installed. \r- Random VPN autostart will be implemented via systemd service.
##setting up autostart for random VPN as service (import your wireguard configuration files to vpn service qube; make sure autoconnect is off after import; if you do not want this service disable it in template). mkdir /opt/bin cat <<- 'EOF' > /opt/bin/random-vpn #!/bin/sh sleep 3 RANDOM_VPN=$(nmcli connection show | awk '/wireguard/ { print $1 }' | sort -R | head -n 1) sleep 3 nmcli connection up "$RANDOM_VPN" EOF chmod +x /opt/bin/random-vpn cat <<- 'EOF' > /etc/systemd/system/random-vpn.service [Unit] Description=random vpn [Service] ExecStart=/opt/bin/random-vpn [Install] WantedBy=multi-user.target EOF systemctl enable random-vpn systemctl start random-vpn echo
apt install -y basez cups eog ffmpegthumbnailer firefox-esr gnome-disk-utility gnome-keyring gparted gtkhash iftop keepassxc kleopatra libblockdev-crypto3 libgdk-pixbuf2.0-bin libreoffice metadata-cleaner mousepad openssh-client pcscd pciutils psmisc pipewire pipewire-alsa pipewire-audio pipewire-qubes qubes-u2f qubes-vm-recommended vlc system-config-printer thunderbird tumbler tumbler-plugins-extra wakeonlan wireshark wget zbar-tools zenity apt install -y adb basez cups eog ffmpegthumbnailer firefox-esr gimp git gnome-disk-utility gnome-keyring gnome-screenshot gparted gtkhash gvfs-backends iftop keepassxc kleopatra libblockdev-crypto3 libgdk-pixbuf2.0-bin libreoffice metadata-cleaner mousepad openssh-client pcscd pciutils psmisc pipewire pipewire-alsa pipewire-audio pipewire-qubes qubes-u2f qubes-vm-recommended qtqr vlc simple-scan ssh-askpass-gnome sshfs system-config-printer tigervnc-viewer thunderbird tumbler tumbler-plugins-extra wakeonlan wireshark wget yubikey-personalization zbar-tools zenity
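Review bot: in /opt/bin/random-vpn, awk '/wireguard/ { print $1 }' matches any line of nmcli connection show that contains the string and prints only the first whitespace-separated word, so a connection name containing a space is truncated and a non-WireGuard connection with wireguard in its name can be picked. Use terse output and compare the type field, for example nmcli -t -f NAME,TYPE connection show | awk -F: '$2=="wireguard"{print $1}', and exit early when the result is empty instead of calling nmcli connection up with an empty name. The unit also has no ordering on NetworkManager and relies on the two sleep 3 calls; an After= line for NetworkManager in the [Unit] section would be more reliable.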

Revision #2

Edited on 2025-09-08 by user qubesfan35267
R4.3rc1 is out and with it the new debian-13-minimal templates. So I tried to adapt the script from my previous guide. Since there are some changes with the new whonix-17 templates of which I am not fully aware yet I excluded them form this guide. R4.3rc1 is out and with it the new debian-13-minimal template. So I tried to adapt the script from my previous guide. Since there are some changes with the new whonix-17 templates of which I am not fully aware yet I excluded them form this guide.
This script is written to be used with QubesOS R4.3. Run it as root in debian-13-minimal. You might want to use my **script-injector** (check out the link: [Setting up dom0 after fresh install - onionizing repos and other little things](https://forum.qubes-os.org/t/setting-up-dom0-after-fresh-install-onionizing-repos-and-other-little-things/32671) (you will find the script-injector at the end of the script). It allows you to inject scripts from dom0 into a template or vm. This script is written to be used with QubesOS R4.3. Run it as root in debian-13-minimal. You might want to use my **script-injector** (check out the link: [Setting up dom0 after fresh install - onionizing repos and other little things](https://forum.qubes-os.org/t/setting-up-dom0-after-fresh-install-onionizing-repos-and-other-little-things/32671) ; you will find the script-injector at the end of the script). It allows you to inject scripts from dom0 into a template or vm.