Replace sudo with run0

debian-gnome/debian-gnome.sh

@@ -17,37 +17,37 @@
 set -eu
 
 unpriv(){
-  sudo -u nobody "${@}"
+  run0 -u nobody "${@}"
 }
 
 download() {
-  unpriv curl -s --proxy http://127.0.0.1:8082 "${1}" | sudo tee "${2}" > /dev/null
+  unpriv curl -s --proxy http://127.0.0.1:8082 "${1}" | run0 tee "${2}" > /dev/null
 }
 
 
 # Compliance
-sudo systemctl mask debug-shell.service
+run0 systemctl mask debug-shell.service
 
 # Setting umask to 077
 # Kicksecure defaults to zsh - I need to set it for zsh later.
 umask 077
-sudo sed -i 's/^UMASK.*/UMASK 077/g' /etc/login.defs
-sudo sed -i 's/^HOME_MODE/#HOME_MODE/g' /etc/login.defs
-echo 'umask 077' | sudo tee -a /etc/bash.bashrc
+run0 sed -i 's/^UMASK.*/UMASK 077/g' /etc/login.defs
+run0 sed -i 's/^HOME_MODE/#HOME_MODE/g' /etc/login.defs
+echo 'umask 077' | run0 tee -a /etc/bash.bashrc
 
 # Make home directory private
-sudo chmod 700 /home/*
+run0 chmod 700 /home/*
 
 # Harden SSH
 download https://raw.githubusercontent.com/Metropolis-Nexus/Common-Files/main/etc/ssh/ssh_config.d/10-custom.conf /etc/ssh/ssh_config.d/10-custom.conf
-sudo chmod 644 /etc/ssh/ssh_config.d/10-custom.conf
+run0 chmod 644 /etc/ssh/ssh_config.d/10-custom.conf
 
 # Disable coredump
 download https://raw.githubusercontent.com/Metropolis-Nexus/Common-Files/main/etc/security/limits.d/30-disable-coredump.conf /etc/security/limits.d/30-disable-coredump.conf
 
 # Setup dconf
 umask 022
-sudo mkdir -p /etc/dconf/db/local.d/locks
+run0 mkdir -p /etc/dconf/db/local.d/locks
 
 download https://raw.githubusercontent.com/Metropolis-Nexus/Common-Files/main/etc/dconf/db/local.d/locks/automount-disable /etc/dconf/db/local.d/locks/automount-disable
 download https://raw.githubusercontent.com/Metropolis-Nexus/Common-Files/main/etc/dconf/db/local.d/locks/privacy /etc/dconf/db/local.d/locks/privacy
@@ -56,88 +56,88 @@ download https://raw.githubusercontent.com/Metropolis-Nexus/Common-Files/main/et
 download https://raw.githubusercontent.com/Metropolis-Nexus/Common-Files/main/etc/dconf/db/local.d/prefer-dark /etc/dconf/db/local.d/prefer-dark
 download https://raw.githubusercontent.com/Metropolis-Nexus/Common-Files/main/etc/dconf/db/local.d/privacy /etc/dconf/db/local.d/privacy
 
-sudo dconf update
+run0 dconf update
 umask 077
 
 # Fix portals
-sudo mkdir -p /etc/xdg-desktop-portal
+run0 mkdir -p /etc/xdg-desktop-portal
 download https://raw.githubusercontent.com/TommyTran732/QubesOS-Scripts/main/etc/xdg-desktop-portal/portals.conf /etc/xdg-desktop-portal/portals.conf
 
 # Avoid phased updates
 download https://raw.githubusercontent.com/Metropolis-Nexus/Common-Files/main/etc/apt/apt.conf.d/99sane-upgrades /etc/apt/apt.conf.d/99sane-upgrades
-sudo chmod 644 /etc/apt/apt.conf.d/99sane-upgrades
+run0 chmod 644 /etc/apt/apt.conf.d/99sane-upgrades
 
 
-sudo apt-get update -y
-sudo apt-get full-upgrade -y
-sudo apt-get autoremove -y
+run0 apt-get update -y
+run0 apt-get full-upgrade -y
+run0 apt-get autoremove -y
 
 # Debloat
 
 # Remove unnecessary stuff from the Qubes template
-sudo apt-get purge -y gnome-software gnome-system-monitor thunderbird keepassxc
+run0 apt-get purge -y gnome-software gnome-system-monitor thunderbird keepassxc
 
 # Remove Network + hardware tools packages
-sudo apt-get purge -y avahi* cups* '*nfs*' rygel '*smtp*' system-config-printer* '*telnet*'
+run0 apt-get purge -y avahi* cups* '*nfs*' rygel '*smtp*' system-config-printer* '*telnet*'
 
 # Remove support for some languages and spelling
-sudo apt-get purge -y '*speech*'
+run0 apt-get purge -y '*speech*'
 
 # Remove codec + image + printers
-sudo apt-get purge -y ImageMagick* sane* simple-scan
+run0 apt-get purge -y ImageMagick* sane* simple-scan
 
 # Remove Active Directory + Sysadmin + reporting tools
-sudo apt-get purge -y realmd
+run0 apt-get purge -y realmd
 
 # Remove unnecessary network tools
-sudo apt-get purge -y ifupdown mobile-broadband-provider-info modemmanager
+run0 apt-get purge -y ifupdown mobile-broadband-provider-info modemmanager
 
 # Remove Gnome apps
-sudo apt-get purge -y baobab chrome-gnome-shell eog gnome-calculator gnome-calendar gnome-characters gnome-clocks gnome-color-manager \
+run0 apt-get purge -y baobab chrome-gnome-shell eog gnome-calculator gnome-calendar gnome-characters gnome-clocks gnome-color-manager \
     gnome-contacts gnome-disk-utility gnome-font-viewer gnome-logs gnome-maps gnome-music gnome-remote-desktop gnome-shell-extensions \
     gnome-sound-recorder gnome-tweaks gnome-user-share gnome-weather totem
 
 # Remove apps
-sudo apt-get purge -y cheese evince evolution file-roller* firefox* libreoffice* seahorse shotwell synaptic* rhythmbox yelp
+run0 apt-get purge -y cheese evince evolution file-roller* firefox* libreoffice* seahorse shotwell synaptic* rhythmbox yelp
 
 # Remove other packages
-sudo apt-get purge -y cron lvm2 lynx '*vmware*' xserver-xephyr xsettingsd
+run0 apt-get purge -y cron lvm2 lynx '*vmware*' xserver-xephyr xsettingsd sudo su runuser
 
-sudo apt-get autoremove -y
-sudo apt-get autoclean
+run0 apt-get autoremove -y
+run0 apt-get autoclean
 
 # Add console group
-sudo groupadd --system console
-sudo usermod -aG console user
+run0 groupadd --system console
+run0 usermod -aG console user
 
 # Add extrepo
-sudo apt-get install -y extrepo
+run0 apt-get install -y extrepo
 
 # Adding KickSecure's repo
-sudo http_proxy=http://127.0.0.1:8082 https_proxy=http://127.0.0.1:8082 extrepo enable kicksecure
+run0 http_proxy=http://127.0.0.1:8082 https_proxy=http://127.0.0.1:8082 extrepo enable kicksecure
 
 # Distribution morphing
-sudo apt-get update
-sudo apt-get full-upgrade -y
-sudo apt-get install --no-install-recommends kicksecure-qubes-cli -y
-sudo apt-get autoremove -y
-sudo repository-dist --enable --repository stable-proposed-updates
-sudo extrepo disable kicksecure
-sudo mv /etc/apt/sources.list ~/
-sudo touch /etc/apt/sources.list
+run0 apt-get update
+run0 apt-get full-upgrade -y
+run0 apt-get install --no-install-recommends kicksecure-qubes-cli -y
+run0 apt-get autoremove -y
+run0 repository-dist --enable --repository stable-proposed-updates
+run0 extrepo disable kicksecure
+run0 mv /etc/apt/sources.list ~/
+run0 touch /etc/apt/sources.list
 
 
 # Restrict /proc and access
-sudo systemctl enable --now proc-hidepid.service
+run0 systemctl enable --now proc-hidepid.service
 
 # Reduce kernel information leaks
 # Will break a lot of applications. The apps I use on KickSecure work fine with it so I am enabling it.
-sudo systemctl enable --now hide-hardware-info.service
+run0 systemctl enable --now hide-hardware-info.service
 
 # Install packages
-sudo apt-get update
-sudo apt-get install --no-install-recommends gnome-console flatpak qubes-ctap qubes-gpg-split -y
+run0 apt-get update
+run0 apt-get install --no-install-recommends gnome-console flatpak qubes-ctap qubes-gpg-split -y
 
 # Flatpak update service
 download https://raw.githubusercontent.com/TommyTran732/QubesOS-Scripts/main/etc/systemd/user/update-user-flatpaks.service /etc/systemd/user/update-user-flatpaks.service
-download https://raw.githubusercontent.com/TommyTran732/QubesOS-Scripts/main/etc/systemd/user/update-user-flatpaks.timer /etc/systemd/user/update-user-flatpaks.timer
+download https://raw.githubusercontent.com/TommyTran732/QubesOS-Scripts/main/etc/systemd/user/update-user-flatpaks.timer /etc/systemd/user/update-user-flatpaks.timer

debian-gnome/lokinet.sh

@@ -17,28 +17,28 @@
 set -eu
 
 unpriv(){
-  sudo -u nobody "${@}"
+  run0 -u nobody "${@}"
 }
 
 download() {
-  unpriv curl -s --proxy http://127.0.0.1:8082 "${1}" | sudo tee "${2}" > /dev/null
+  unpriv curl -s --proxy http://127.0.0.1:8082 "${1}" | run0 tee "${2}" > /dev/null
 }
 
 umask 022
 
-sudo mkdir -p /etc/qubes-bind-dirs.d
-echo 'binds+=( '\'''/etc/loki''\'' )' | sudo tee /etc/qubes-bind-dirs.d/50_user.conf 
+run0 mkdir -p /etc/qubes-bind-dirs.d
+echo 'binds+=( '\'''/etc/loki''\'' )' | run0 tee /etc/qubes-bind-dirs.d/50_user.conf 
 
 # Add repositories
 download https://deb.oxen.io/pub.gpg /usr/share/keyrings/oxen.gpg
-echo "deb [signed-by=/usr/share/keyrings/oxen.gpg] https://deb.oxen.io $(lsb_release -sc) main" | sudo tee /etc/apt/sources.list.d/oxen.list
+echo "deb [signed-by=/usr/share/keyrings/oxen.gpg] https://deb.oxen.io $(lsb_release -sc) main" | run0 tee /etc/apt/sources.list.d/oxen.list
 
 download https://repository.mullvad.net/deb/mullvad-keyring.asc /usr/share/keyrings/mullvad-keyring.asc
 echo "deb [signed-by=/usr/share/keyrings/mullvad-keyring.asc arch=$( dpkg --print-architecture )] https://repository.mullvad.net/deb/stable $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/mullvad.list
 
 # Install packages
-sudo apt-get update
-sudo apt-get install -y lokinet mullvad-browser resolvconf
+run0 apt-get update
+run0 apt-get install -y lokinet mullvad-browser resolvconf
 
 download https://raw.githubusercontent.com/TommyTran732/QubesOS-Scripts/main/etc/systemd/system/lokinet-dns-fix.service /etc/systemd/system/lokinet-dns-fix.service
-sudo systemctl enable --now lokinet-dns-fix
+run0 systemctl enable --now lokinet-dns-fix

debian-gnome/sys-usb.sh

@@ -17,15 +17,15 @@
 set -eu
 
 unpriv(){
-  sudo -u nobody "${@}"
+  run0 -u nobody "${@}"
 }
 
 download() {
-  unpriv curl -s --proxy http://127.0.0.1:8082 "${1}" | sudo tee "${2}" > /dev/null
+  unpriv curl -s --proxy http://127.0.0.1:8082 "${1}" | run0 tee "${2}" > /dev/null
 }
 
 curl -s --proxy http://127.0.0.1:8082 -L https://github.com/trustcrypto/OnlyKey-App/releases/download/v5.5.0/OnlyKey_5.5.0_amd64.deb -O
 
-sudo apt-get install gnome-disk-utility qubes-video-companion ./OnlyKey_5.5.0_amd64.deb
+run0 apt-get install gnome-disk-utility qubes-video-companion ./OnlyKey_5.5.0_amd64.deb
 
-sudo systemctl disable --now hide-hardware-info.service
+run0 systemctl disable --now hide-hardware-info.service

dom0.sh

@@ -17,32 +17,32 @@
 set -eu -o pipefail
 
 # Enabling discard and fstrim
-sudo sed -i 's/issue_discards = 0/issue_discards = 1/' /etc/lvm/lvm.conf
-sudo systemctl enable --now fstrim.timer
+run0 sed -i 's/issue_discards = 0/issue_discards = 1/' /etc/lvm/lvm.conf
+run0 systemctl enable --now fstrim.timer
 
-sudo qubes-dom0-update anti-evil-maid qubes-ctap-dom0 qubes-video-companion-dom0 qt5-qtstyleplugins
+run0 qubes-dom0-update anti-evil-maid qubes-ctap-dom0 qubes-video-companion-dom0 qt5-qtstyleplugins
 
 # Configure PCRs
-sudo sed -i 's/ --pcr 19//' /etc/anti-evil-maid.conf
-sudo sed -i 's/="/="--pcr 0 --pcr 1 --pcr 2 --pcr 3 --pcr 4 /' /etc/anti-evil-maid.conf
+run0 sed -i 's/ --pcr 19//' /etc/anti-evil-maid.conf
+run0 sed -i 's/="/="--pcr 0 --pcr 1 --pcr 2 --pcr 3 --pcr 4 /' /etc/anti-evil-maid.conf
 
-# Configure sudo prompt for domUs
-echo "/usr/bin/echo '1'" | sudo tee /etc/qubes-rpc/qubes.VMAuth
-echo "@anyvm dom0 ask,default_target=dom0" | sudo tee /etc/qubes-rpc/policy/qubes.VMAuth
-sudo chmod +x /etc/qubes-rpc/qubes.VMAuth
+# Configure run0 prompt for domUs
+echo "/usr/bin/echo '1'" | run0 tee /etc/qubes-rpc/qubes.VMAuth
+echo "@anyvm dom0 ask,default_target=dom0" | run0 tee /etc/qubes-rpc/policy/qubes.VMAuth
+run0 chmod +x /etc/qubes-rpc/qubes.VMAuth
 
 # Theming
 
-echo 'QT_QPA_PLATFORMTHEME=gtk2' | sudo tee -a /etc/environment
+echo 'QT_QPA_PLATFORMTHEME=gtk2' | run0 tee -a /etc/environment
 
 # Add extra gtk theming - this is probably not necessary, but why not
 
-sudo mkdir -p /etc/gtk-3.0
+run0 mkdir -p /etc/gtk-3.0
 echo '[Settings]
 gtk-theme-name = Arc-Dark
-gtk-application-prefer-dark-theme = true' | sudo tee /etc/gtk-3.0/settings.ini
+gtk-application-prefer-dark-theme = true' | run0 tee /etc/gtk-3.0/settings.ini
 
-sudo mkdir -p /etc/gtk-4.0
+run0 mkdir -p /etc/gtk-4.0
 echo '[Settings]
 gtk-theme-name = Arc-Dark
-gtk-application-prefer-dark-theme = true' | sudo tee /etc/gtk-4.0/settings.ini
+gtk-application-prefer-dark-theme = true' | run0 tee /etc/gtk-4.0/settings.ini

fedora-gnome/development.sh

@@ -19,39 +19,39 @@
 set -eu
 
 unpriv(){
-  sudo -u nobody "${@}"
+  run0 -u nobody "${@}"
 }
 
 download() {
-  unpriv curl -s --proxy http://127.0.0.1:8082 "${1}" | sudo tee "${2}" > /dev/null
+  unpriv curl -s --proxy http://127.0.0.1:8082 "${1}" | run0 tee "${2}" > /dev/null
 }
 
 echo '[code]
 name=Visual Studio Code
 baseurl=https://packages.microsoft.com/yumrepos/vscode/
 enabled=1
 gpgcheck=1
-gpgkey=https://packages.microsoft.com/keys/microsoft.asc' | sudo tee /etc/yum.repos.d/vscode.repo
+gpgkey=https://packages.microsoft.com/keys/microsoft.asc' | run0 tee /etc/yum.repos.d/vscode.repo
 
 echo '[shiftkey-packages]
 name=GitHub Desktop
 baseurl=https://rpm.packages.shiftkey.dev/rpm/
 enabled=1
 gpgcheck=1
 repo_gpgcheck=1
-gpgkey=https://rpm.packages.shiftkey.dev/gpg.key' | sudo tee /etc/yum.repos.d/shiftkey-packages.repo
+gpgkey=https://rpm.packages.shiftkey.dev/gpg.key' | run0 tee /etc/yum.repos.d/shiftkey-packages.repo
 
-sudo dnf config-manager addrepo --from-repofile=https://download.docker.com/linux/fedora/docker-ce.repo
+run0 dnf config-manager addrepo --from-repofile=https://download.docker.com/linux/fedora/docker-ce.repo
 
-sudo dnf install -y butane code docker-ce docker-buildx-plugin docker-compose-plugin git github-desktop
+run0 dnf install -y butane code docker-ce docker-buildx-plugin docker-compose-plugin git github-desktop
 
-sudo systemctl enable --now docker
-sudo usermod -aG docker user
+run0 systemctl enable --now docker
+run0 usermod -aG docker user
 
 # Change the GPG Domain name appropriately
-echo 'QUBES_GPG_DOMAIN=vault' | sudo tee -a /etc/environment
+echo 'QUBES_GPG_DOMAIN=vault' | run0 tee -a /etc/environment
 
 umask 022
 
-sudo mkdir -p /etc/qubes-bind-dirs.d
-echo 'binds+=( '\'''/var/lib/docker''\'' )' | sudo tee /etc/qubes-bind-dirs.d/50_user.conf 
+run0 mkdir -p /etc/qubes-bind-dirs.d
+echo 'binds+=( '\'''/var/lib/docker''\'' )' | run0 tee /etc/qubes-bind-dirs.d/50_user.conf