Merge e34b81f98c into fd68ee2f01

debian-gnome/debian-gnome.sh

@@ -17,37 +17,37 @@
 set -eu
 
 unpriv(){
-  sudo -u nobody "${@}"
+  run0 -u nobody "${@}"
 }
 
 download() {
-  unpriv curl -s --proxy http://127.0.0.1:8082 "${1}" | sudo tee "${2}" > /dev/null
+  unpriv curl -s --proxy http://127.0.0.1:8082 "${1}" | run0 tee "${2}" > /dev/null
 }
 
 
 # Compliance
-sudo systemctl mask debug-shell.service
+run0 systemctl mask debug-shell.service
 
 # Setting umask to 077
 # Kicksecure defaults to zsh - I need to set it for zsh later.
 umask 077
-sudo sed -i 's/^UMASK.*/UMASK 077/g' /etc/login.defs
-sudo sed -i 's/^HOME_MODE/#HOME_MODE/g' /etc/login.defs
-echo 'umask 077' | sudo tee -a /etc/bash.bashrc
+run0 sed -i 's/^UMASK.*/UMASK 077/g' /etc/login.defs
+run0 sed -i 's/^HOME_MODE/#HOME_MODE/g' /etc/login.defs
+echo 'umask 077' | run0 tee -a /etc/bash.bashrc
 
 # Make home directory private
-sudo chmod 700 /home/*
+run0 chmod 700 /home/*
 
 # Harden SSH
 download https://raw.githubusercontent.com/Metropolis-Nexus/Common-Files/main/etc/ssh/ssh_config.d/10-custom.conf /etc/ssh/ssh_config.d/10-custom.conf
-sudo chmod 644 /etc/ssh/ssh_config.d/10-custom.conf
+run0 chmod 644 /etc/ssh/ssh_config.d/10-custom.conf
 
 # Disable coredump
 download https://raw.githubusercontent.com/Metropolis-Nexus/Common-Files/main/etc/security/limits.d/30-disable-coredump.conf /etc/security/limits.d/30-disable-coredump.conf
 
 # Setup dconf
 umask 022
-sudo mkdir -p /etc/dconf/db/local.d/locks
+run0 mkdir -p /etc/dconf/db/local.d/locks
 
 download https://raw.githubusercontent.com/Metropolis-Nexus/Common-Files/main/etc/dconf/db/local.d/locks/automount-disable /etc/dconf/db/local.d/locks/automount-disable
 download https://raw.githubusercontent.com/Metropolis-Nexus/Common-Files/main/etc/dconf/db/local.d/locks/privacy /etc/dconf/db/local.d/locks/privacy
@@ -56,88 +56,88 @@ download https://raw.githubusercontent.com/Metropolis-Nexus/Common-Files/main/et
 download https://raw.githubusercontent.com/Metropolis-Nexus/Common-Files/main/etc/dconf/db/local.d/prefer-dark /etc/dconf/db/local.d/prefer-dark
 download https://raw.githubusercontent.com/Metropolis-Nexus/Common-Files/main/etc/dconf/db/local.d/privacy /etc/dconf/db/local.d/privacy
 
-sudo dconf update
+run0 dconf update
 umask 077
 
 # Fix portals
-sudo mkdir -p /etc/xdg-desktop-portal
+run0 mkdir -p /etc/xdg-desktop-portal
 download https://raw.githubusercontent.com/TommyTran732/QubesOS-Scripts/main/etc/xdg-desktop-portal/portals.conf /etc/xdg-desktop-portal/portals.conf
 
 # Avoid phased updates
 download https://raw.githubusercontent.com/Metropolis-Nexus/Common-Files/main/etc/apt/apt.conf.d/99sane-upgrades /etc/apt/apt.conf.d/99sane-upgrades
-sudo chmod 644 /etc/apt/apt.conf.d/99sane-upgrades
+run0 chmod 644 /etc/apt/apt.conf.d/99sane-upgrades
 
 
-sudo apt-get update -y
-sudo apt-get full-upgrade -y
-sudo apt-get autoremove -y
+run0 apt-get update -y
+run0 apt-get full-upgrade -y
+run0 apt-get autoremove -y
 
 # Debloat
 
 # Remove unnecessary stuff from the Qubes template
-sudo apt-get purge -y gnome-software gnome-system-monitor thunderbird keepassxc
+run0 apt-get purge -y gnome-software gnome-system-monitor thunderbird keepassxc
 
 # Remove Network + hardware tools packages
-sudo apt-get purge -y avahi* cups* '*nfs*' rygel '*smtp*' system-config-printer* '*telnet*'
+run0 apt-get purge -y avahi* cups* '*nfs*' rygel '*smtp*' system-config-printer* '*telnet*'
 
 # Remove support for some languages and spelling
-sudo apt-get purge -y '*speech*'
+run0 apt-get purge -y '*speech*'
 
 # Remove codec + image + printers
-sudo apt-get purge -y ImageMagick* sane* simple-scan
+run0 apt-get purge -y ImageMagick* sane* simple-scan
 
 # Remove Active Directory + Sysadmin + reporting tools
-sudo apt-get purge -y realmd
+run0 apt-get purge -y realmd
 
 # Remove unnecessary network tools
-sudo apt-get purge -y ifupdown mobile-broadband-provider-info modemmanager
+run0 apt-get purge -y ifupdown mobile-broadband-provider-info modemmanager
 
 # Remove Gnome apps
-sudo apt-get purge -y baobab chrome-gnome-shell eog gnome-calculator gnome-calendar gnome-characters gnome-clocks gnome-color-manager \
+run0 apt-get purge -y baobab chrome-gnome-shell eog gnome-calculator gnome-calendar gnome-characters gnome-clocks gnome-color-manager \
     gnome-contacts gnome-disk-utility gnome-font-viewer gnome-logs gnome-maps gnome-music gnome-remote-desktop gnome-shell-extensions \
     gnome-sound-recorder gnome-tweaks gnome-user-share gnome-weather totem
 
 # Remove apps
-sudo apt-get purge -y cheese evince evolution file-roller* firefox* libreoffice* seahorse shotwell synaptic* rhythmbox yelp
+run0 apt-get purge -y cheese evince evolution file-roller* firefox* libreoffice* seahorse shotwell synaptic* rhythmbox yelp
 
 # Remove other packages
-sudo apt-get purge -y cron lvm2 lynx '*vmware*' xserver-xephyr xsettingsd
+run0 apt-get purge -y cron lvm2 lynx '*vmware*' xserver-xephyr xsettingsd sudo su runuser
 
-sudo apt-get autoremove -y
-sudo apt-get autoclean
+run0 apt-get autoremove -y
+run0 apt-get autoclean
 
 # Add console group
-sudo groupadd --system console
-sudo usermod -aG console user
+run0 groupadd --system console
+run0 usermod -aG console user
 
 # Add extrepo
-sudo apt-get install -y extrepo
+run0 apt-get install -y extrepo
 
 # Adding KickSecure's repo
-sudo http_proxy=http://127.0.0.1:8082 https_proxy=http://127.0.0.1:8082 extrepo enable kicksecure
+run0 http_proxy=http://127.0.0.1:8082 https_proxy=http://127.0.0.1:8082 extrepo enable kicksecure
 
 # Distribution morphing
-sudo apt-get update
-sudo apt-get full-upgrade -y
-sudo apt-get install --no-install-recommends kicksecure-qubes-cli -y
-sudo apt-get autoremove -y
-sudo repository-dist --enable --repository stable-proposed-updates
-sudo extrepo disable kicksecure
-sudo mv /etc/apt/sources.list ~/
-sudo touch /etc/apt/sources.list
+run0 apt-get update
+run0 apt-get full-upgrade -y
+run0 apt-get install --no-install-recommends kicksecure-qubes-cli -y
+run0 apt-get autoremove -y
+run0 repository-dist --enable --repository stable-proposed-updates
+run0 extrepo disable kicksecure
+run0 mv /etc/apt/sources.list ~/
+run0 touch /etc/apt/sources.list
 
 
 # Restrict /proc and access
-sudo systemctl enable --now proc-hidepid.service
+run0 systemctl enable --now proc-hidepid.service
 
 # Reduce kernel information leaks
 # Will break a lot of applications. The apps I use on KickSecure work fine with it so I am enabling it.
-sudo systemctl enable --now hide-hardware-info.service
+run0 systemctl enable --now hide-hardware-info.service
 
 # Install packages
-sudo apt-get update
-sudo apt-get install --no-install-recommends gnome-console flatpak qubes-ctap qubes-gpg-split -y
+run0 apt-get update
+run0 apt-get install --no-install-recommends gnome-console flatpak qubes-ctap qubes-gpg-split -y
 
 # Flatpak update service
 download https://raw.githubusercontent.com/TommyTran732/QubesOS-Scripts/main/etc/systemd/user/update-user-flatpaks.service /etc/systemd/user/update-user-flatpaks.service
-download https://raw.githubusercontent.com/TommyTran732/QubesOS-Scripts/main/etc/systemd/user/update-user-flatpaks.timer /etc/systemd/user/update-user-flatpaks.timer
+download https://raw.githubusercontent.com/TommyTran732/QubesOS-Scripts/main/etc/systemd/user/update-user-flatpaks.timer /etc/systemd/user/update-user-flatpaks.timer

debian-gnome/lokinet.sh

@@ -17,28 +17,28 @@
 set -eu
 
 unpriv(){
-  sudo -u nobody "${@}"
+  run0 -u nobody "${@}"
 }
 
 download() {
-  unpriv curl -s --proxy http://127.0.0.1:8082 "${1}" | sudo tee "${2}" > /dev/null
+  unpriv curl -s --proxy http://127.0.0.1:8082 "${1}" | run0 tee "${2}" > /dev/null
 }
 
 umask 022
 
-sudo mkdir -p /etc/qubes-bind-dirs.d
-echo 'binds+=( '\'''/etc/loki''\'' )' | sudo tee /etc/qubes-bind-dirs.d/50_user.conf 
+run0 mkdir -p /etc/qubes-bind-dirs.d
+echo 'binds+=( '\'''/etc/loki''\'' )' | run0 tee /etc/qubes-bind-dirs.d/50_user.conf 
 
 # Add repositories
 download https://deb.oxen.io/pub.gpg /usr/share/keyrings/oxen.gpg
-echo "deb [signed-by=/usr/share/keyrings/oxen.gpg] https://deb.oxen.io $(lsb_release -sc) main" | sudo tee /etc/apt/sources.list.d/oxen.list
+echo "deb [signed-by=/usr/share/keyrings/oxen.gpg] https://deb.oxen.io $(lsb_release -sc) main" | run0 tee /etc/apt/sources.list.d/oxen.list
 
 download https://repository.mullvad.net/deb/mullvad-keyring.asc /usr/share/keyrings/mullvad-keyring.asc
 echo "deb [signed-by=/usr/share/keyrings/mullvad-keyring.asc arch=$( dpkg --print-architecture )] https://repository.mullvad.net/deb/stable $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/mullvad.list
 
 # Install packages
-sudo apt-get update
-sudo apt-get install -y lokinet mullvad-browser resolvconf
+run0 apt-get update
+run0 apt-get install -y lokinet mullvad-browser resolvconf
 
 download https://raw.githubusercontent.com/TommyTran732/QubesOS-Scripts/main/etc/systemd/system/lokinet-dns-fix.service /etc/systemd/system/lokinet-dns-fix.service
-sudo systemctl enable --now lokinet-dns-fix
+run0 systemctl enable --now lokinet-dns-fix

debian-gnome/sys-usb.sh

@@ -17,15 +17,15 @@
 set -eu
 
 unpriv(){
-  sudo -u nobody "${@}"
+  run0 -u nobody "${@}"
 }
 
 download() {
-  unpriv curl -s --proxy http://127.0.0.1:8082 "${1}" | sudo tee "${2}" > /dev/null
+  unpriv curl -s --proxy http://127.0.0.1:8082 "${1}" | run0 tee "${2}" > /dev/null
 }
 
 curl -s --proxy http://127.0.0.1:8082 -L https://github.com/trustcrypto/OnlyKey-App/releases/download/v5.5.0/OnlyKey_5.5.0_amd64.deb -O
 
-sudo apt-get install gnome-disk-utility qubes-video-companion ./OnlyKey_5.5.0_amd64.deb
+run0 apt-get install gnome-disk-utility qubes-video-companion ./OnlyKey_5.5.0_amd64.deb
 
-sudo systemctl disable --now hide-hardware-info.service
+run0 systemctl disable --now hide-hardware-info.service

dom0.sh

@@ -17,32 +17,32 @@
 set -eu -o pipefail
 
 # Enabling discard and fstrim
-sudo sed -i 's/issue_discards = 0/issue_discards = 1/' /etc/lvm/lvm.conf
-sudo systemctl enable --now fstrim.timer
+run0 sed -i 's/issue_discards = 0/issue_discards = 1/' /etc/lvm/lvm.conf
+run0 systemctl enable --now fstrim.timer
 
-sudo qubes-dom0-update anti-evil-maid qubes-ctap-dom0 qubes-video-companion-dom0 qt5-qtstyleplugins
+run0 qubes-dom0-update anti-evil-maid qubes-ctap-dom0 qubes-video-companion-dom0 qt5-qtstyleplugins
 
 # Configure PCRs
-sudo sed -i 's/ --pcr 19//' /etc/anti-evil-maid.conf
-sudo sed -i 's/="/="--pcr 0 --pcr 1 --pcr 2 --pcr 3 --pcr 4 /' /etc/anti-evil-maid.conf
+run0 sed -i 's/ --pcr 19//' /etc/anti-evil-maid.conf
+run0 sed -i 's/="/="--pcr 0 --pcr 1 --pcr 2 --pcr 3 --pcr 4 /' /etc/anti-evil-maid.conf
 
-# Configure sudo prompt for domUs
-echo "/usr/bin/echo '1'" | sudo tee /etc/qubes-rpc/qubes.VMAuth
-echo "@anyvm dom0 ask,default_target=dom0" | sudo tee /etc/qubes-rpc/policy/qubes.VMAuth
-sudo chmod +x /etc/qubes-rpc/qubes.VMAuth
+# Configure run0 prompt for domUs
+echo "/usr/bin/echo '1'" | run0 tee /etc/qubes-rpc/qubes.VMAuth
+echo "@anyvm dom0 ask,default_target=dom0" | run0 tee /etc/qubes-rpc/policy/qubes.VMAuth
+run0 chmod +x /etc/qubes-rpc/qubes.VMAuth
 
 # Theming
 
-echo 'QT_QPA_PLATFORMTHEME=gtk2' | sudo tee -a /etc/environment
+echo 'QT_QPA_PLATFORMTHEME=gtk2' | run0 tee -a /etc/environment
 
 # Add extra gtk theming - this is probably not necessary, but why not
 
-sudo mkdir -p /etc/gtk-3.0
+run0 mkdir -p /etc/gtk-3.0
 echo '[Settings]
 gtk-theme-name = Arc-Dark
-gtk-application-prefer-dark-theme = true' | sudo tee /etc/gtk-3.0/settings.ini
+gtk-application-prefer-dark-theme = true' | run0 tee /etc/gtk-3.0/settings.ini
 
-sudo mkdir -p /etc/gtk-4.0
+run0 mkdir -p /etc/gtk-4.0
 echo '[Settings]
 gtk-theme-name = Arc-Dark
-gtk-application-prefer-dark-theme = true' | sudo tee /etc/gtk-4.0/settings.ini
+gtk-application-prefer-dark-theme = true' | run0 tee /etc/gtk-4.0/settings.ini

fedora-gnome/development.sh

@@ -19,11 +19,11 @@
 set -eu
 
 unpriv(){
-  sudo -u nobody "${@}"
+  run0 -u nobody "${@}"
 }
 
 download() {
-  unpriv curl -s --proxy http://127.0.0.1:8082 "${1}" | sudo tee "${2}" > /dev/null
+  unpriv curl -s --proxy http://127.0.0.1:8082 "${1}" | run0 tee "${2}" > /dev/null
 }
 
 echo '[code]
@@ -31,7 +31,7 @@ name=Visual Studio Code
 baseurl=https://packages.microsoft.com/yumrepos/vscode/
 enabled=1
 gpgcheck=1
-gpgkey=https://packages.microsoft.com/keys/microsoft.asc' | sudo tee /etc/yum.repos.d/vscode.repo
+gpgkey=https://packages.microsoft.com/keys/microsoft.asc' | run0 tee /etc/yum.repos.d/vscode.repo
 
 echo '[shiftkey-packages]
 name=GitHub Desktop
@@ -39,19 +39,19 @@ baseurl=https://rpm.packages.shiftkey.dev/rpm/
 enabled=1
 gpgcheck=1
 repo_gpgcheck=1
-gpgkey=https://rpm.packages.shiftkey.dev/gpg.key' | sudo tee /etc/yum.repos.d/shiftkey-packages.repo
+gpgkey=https://rpm.packages.shiftkey.dev/gpg.key' | run0 tee /etc/yum.repos.d/shiftkey-packages.repo
 
-sudo dnf config-manager addrepo --from-repofile=https://download.docker.com/linux/fedora/docker-ce.repo
+run0 dnf config-manager addrepo --from-repofile=https://download.docker.com/linux/fedora/docker-ce.repo
 
-sudo dnf install -y butane code docker-ce docker-buildx-plugin docker-compose-plugin git github-desktop
+run0 dnf install -y butane code docker-ce docker-buildx-plugin docker-compose-plugin git github-desktop
 
-sudo systemctl enable --now docker
-sudo usermod -aG docker user
+run0 systemctl enable --now docker
+run0 usermod -aG docker user
 
 # Change the GPG Domain name appropriately
-echo 'QUBES_GPG_DOMAIN=vault' | sudo tee -a /etc/environment
+echo 'QUBES_GPG_DOMAIN=vault' | run0 tee -a /etc/environment
 
 umask 022
 
-sudo mkdir -p /etc/qubes-bind-dirs.d
-echo 'binds+=( '\'''/var/lib/docker''\'' )' | sudo tee /etc/qubes-bind-dirs.d/50_user.conf 
+run0 mkdir -p /etc/qubes-bind-dirs.d
+echo 'binds+=( '\'''/var/lib/docker''\'' )' | run0 tee /etc/qubes-bind-dirs.d/50_user.conf 

fedora-gnome/fedora-gnome.sh

@@ -17,28 +17,28 @@
 set -eu
 
 unpriv(){
-  sudo -u nobody "${@}"
+  run0 -u nobody "${@}"
 }
 
 download() {
-  unpriv curl -s --proxy http://127.0.0.1:8082 "${1}" | sudo tee "${2}" > /dev/null
+  unpriv curl -s --proxy http://127.0.0.1:8082 "${1}" | run0 tee "${2}" > /dev/null
 }
 
 # Compliance
-sudo systemctl mask debug-shell.service
-sudo systemctl mask kdump.service
+run0 systemctl mask debug-shell.service
+run0 systemctl mask kdump.service
 
 # Setting umask to 077
-sudo sed -i 's/^UMASK.*/UMASK 077/g' /etc/login.defs
-sudo sed -i 's/^HOME_MODE/#HOME_MODE/g' /etc/login.defs
-sudo sed -i 's/umask 022/umask 077/g' /etc/bashrc
+run0 sed -i 's/^UMASK.*/UMASK 077/g' /etc/login.defs
+run0 sed -i 's/^HOME_MODE/#HOME_MODE/g' /etc/login.defs
+run0 sed -i 's/umask 022/umask 077/g' /etc/bashrc
 
 # Make home directory private
-sudo chmod 700 /home/*
+run0 chmod 700 /home/*
 
 # Harden SSH
 download https://raw.githubusercontent.com/Metropolis-Nexus/Common-Files/main/etc/ssh/ssh_config.d/10-custom.conf /etc/ssh/ssh_config.d/10-custom.conf
-sudo sed -i 's/KexAlgorithms curve25519-sha256/KexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256/' /etc/crypto-policies/back-ends/openssh.config
+run0 sed -i 's/KexAlgorithms curve25519-sha256/KexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256/' /etc/crypto-policies/back-ends/openssh.config
 
 # Security kernel settings
 download https://raw.githubusercontent.com/secureblue/secureblue/live/files/system/usr/lib/modprobe.d/secureblue-framebuffer.conf /etc/modprobe.d/framebuffer-blacklist.conf
@@ -46,15 +46,15 @@ download https://raw.githubusercontent.com/secureblue/secureblue/live/files/syst
 download https://raw.githubusercontent.com/Metropolis-Nexus/Common-Files/main/etc/sysctl.d/99-workstation.conf /etc/sysctl.d/99-workstation.conf
 # Dracut doesn't seem to work - need to investigate
 # dracut -f
-sudo sysctl -p
+run0 sysctl -p
 
 # Disable coredump
 download https://raw.githubusercontent.com/Metropolis-Nexus/Common-Files/main/etc/security/limits.d/30-disable-coredump.conf /etc/security/limits.d/30-disable-coredump.conf
-sudo mkdir -p /etc/systemd/coredump.conf.d
+run0 mkdir -p /etc/systemd/coredump.conf.d
 download https://raw.githubusercontent.com/Metropolis-Nexus/Common-Files/main/etc/systemd/coredump.conf.d/disable.conf /etc/systemd/coredump.conf.d/disable.conf
 
 # Setup dconf
-sudo mkdir -p /etc/dconf/db/local.d/locks
+run0 mkdir -p /etc/dconf/db/local.d/locks
 
 download https://raw.githubusercontent.com/Metropolis-Nexus/Common-Files/main/etc/dconf/db/local.d/locks/automount-disable /etc/dconf/db/local.d/locks/automount-disable
 download https://raw.githubusercontent.com/Metropolis-Nexus/Common-Files/main/etc/dconf/db/local.d/locks/privacy /etc/dconf/db/local.d/locks/privacy
@@ -64,10 +64,10 @@ download https://raw.githubusercontent.com/Metropolis-Nexus/Common-Files/main/et
 download https://raw.githubusercontent.com/Metropolis-Nexus/Common-Files/main/etc/dconf/db/local.d/prefer-dark /etc/dconf/db/local.d/prefer-dark
 download https://raw.githubusercontent.com/Metropolis-Nexus/Common-Files/main/etc/dconf/db/local.d/privacy /etc/dconf/db/local.d/privacy
 
-sudo dconf update
+run0 dconf update
 
 # Fix portals
-sudo mkdir -p /etc/xdg-desktop-portal
+run0 mkdir -p /etc/xdg-desktop-portal
 download https://raw.githubusercontent.com/TommyTran732/QubesOS-Scripts/main/etc/xdg-desktop-portal/portals.conf /etc/xdg-desktop-portal/portals.conf
 
 # Setup ZRAM
@@ -80,77 +80,77 @@ download https://raw.githubusercontent.com/TommyTran732/QubesOS-Scripts/main/etc
 # Setup networking
 # We don't need the usual mac address randomization and stuff here, because this template is not used for sys-net
 
-sudo mkdir -p /etc/systemd/system/NetworkManager.service.d
+run0 mkdir -p /etc/systemd/system/NetworkManager.service.d
 download https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/NetworkManager.service.d/99-brace.conf /etc/systemd/system/NetworkManager.service.d/99-brace.conf
-sudo sed -i 's@ReadOnlyPaths=/etc/NetworkManager@#ReadOnlyPaths=/etc/NetworkManager@' /etc/systemd/system/NetworkManager.service.d/99-brace.conf
-sudo sed -i 's@ReadWritePaths=-/etc/NetworkManager/system-connections@#ReadWritePaths=-/etc/NetworkManager/system-connections@' /etc/systemd/system/NetworkManager.service.d/99-brace.conf
+run0 sed -i 's@ReadOnlyPaths=/etc/NetworkManager@#ReadOnlyPaths=/etc/NetworkManager@' /etc/systemd/system/NetworkManager.service.d/99-brace.conf
+run0 sed -i 's@ReadWritePaths=-/etc/NetworkManager/system-connections@#ReadWritePaths=-/etc/NetworkManager/system-connections@' /etc/systemd/system/NetworkManager.service.d/99-brace.conf
 
 # Disable GJS and WebkitGTK JIT
 download https://raw.githubusercontent.com/Metropolis-Nexus/Common-Files/main/etc/environment /etc/environment
 
 # Fix GNOME environment variable
 echo '
-XDG_CURRENT_DESKTOP=GNOME' | sudo tee -a /etc/environment
+XDG_CURRENT_DESKTOP=GNOME' | run0 tee -a /etc/environment
 
 # Moving DNF handling to the bottom as the Qubes template just breaks when repos are changed and needs a reboot to fix
 
 # Remove unwanted groups
-sudo dnf -y group remove 'Container Management' 'Desktop accessibility' 'Firefox Web Browser' 'Guest Desktop Agents' 'LibreOffice' 'Printing Support'
+run0 dnf -y group remove 'Container Management' 'Desktop accessibility' 'Firefox Web Browser' 'Guest Desktop Agents' 'LibreOffice' 'Printing Support'
 
 # Remove unnecessary stuff from the Qubes template
-sudo dnf -y remove gnome-software gnome-system-monitor amd-ucode-firmware '*gpu*' httpd keepassxc thunderbird
+run0 dnf -y remove gnome-software gnome-system-monitor amd-ucode-firmware '*gpu*' httpd keepassxc thunderbird
 
 # Remove unnecessary stuff from the Fedora-41 template (will be split into whats in the qubes template and whats upstream later)
-sudo dnf -y remove c-ares hiredis
+run0 dnf -y remove c-ares hiredis
 
 # Remove firefox packages
-sudo dnf -y remove fedora-bookmarks fedora-chromium-config firefox mozilla-filesystem
+run0 dnf -y remove fedora-bookmarks fedora-chromium-config firefox mozilla-filesystem
 
 # Remove Network + hardware tools packages
-sudo dnf -y remove avahi cifs* '*cups' dmidecode dnsmasq geolite2* mtr net-snmp-libs net-tools nfs-utils nmap-ncat nmap-ncat opensc openssh-server rsync rygel sgpio tcpdump teamd traceroute usb_modeswitch
+run0 dnf -y remove avahi cifs* '*cups' dmidecode dnsmasq geolite2* mtr net-snmp-libs net-tools nfs-utils nmap-ncat nmap-ncat opensc openssh-server rsync rygel sgpio tcpdump teamd traceroute usb_modeswitch
 
 # Remove support for some languages and spelling
-sudo dnf -y remove '*anthy*' '*hangul*' ibus-typing-booster '*m17n*' '*pinyin*' '*speech*' texlive-libs words '*zhuyin*'
+run0 dnf -y remove '*anthy*' '*hangul*' ibus-typing-booster '*m17n*' '*pinyin*' '*speech*' texlive-libs words '*zhuyin*'
 
 # Remove codec + image + printers
-sudo dnf -y remove openh264 ImageMagick* sane* simple-scan
+run0 dnf -y remove openh264 ImageMagick* sane* simple-scan
 
 # Remove Active Directory + Sysadmin + reporting tools
-sudo dnf -y remove 'sssd*' realmd cyrus-sasl-gssapi quota* dos2unix kpartx sos samba-client gvfs-smb
+run0 dnf -y remove 'sssd*' realmd cyrus-sasl-gssapi quota* dos2unix kpartx sos samba-client gvfs-smb
 
 # Remove NetworkManager
-sudo dnf -y remove NetworkManager-pptp-gnome NetworkManager-ssh-gnome NetworkManager-openconnect-gnome NetworkManager-openvpn-gnome NetworkManager-vpnc-gnome ppp* ModemManager
+run0 dnf -y remove NetworkManager-pptp-gnome NetworkManager-ssh-gnome NetworkManager-openconnect-gnome NetworkManager-openvpn-gnome NetworkManager-vpnc-gnome ppp* ModemManager
 
 # Remove Gnome apps
-sudo dnf remove -y baobab chrome-gnome-shell eog gnome-boxes gnome-calculator gnome-calendar gnome-characters gnome-classic* gnome-clocks gnome-color-manager gnome-connections \
+run0 dnf remove -y baobab chrome-gnome-shell eog gnome-boxes gnome-calculator gnome-calendar gnome-characters gnome-classic* gnome-clocks gnome-color-manager gnome-connections \
     gnome-contacts gnome-disk-utility gnome-font-viewer gnome-logs gnome-maps gnome-photos gnome-remote-desktop gnome-screenshot gnome-shell-extension-apps-menu \
     gnome-shell-extension-background-logo gnome-shell-extension-launch-new-instance gnome-shell-extension-places-menu gnome-shell-extension-window-list gnome-text-editor \
     gnome-themes-extra gnome-tour gnome-user* gnome-weather loupe snapshot totem
 
 # Remove apps
-sudo dnf remove -y abrt* cheese evince file-roller* libreoffice* mediawriter rhythmbox yelp
+run0 dnf remove -y abrt* cheese evince file-roller* libreoffice* mediawriter rhythmbox yelp
 
 # Remove other packages
-sudo dnf remove -y lvm2 rng-tools thermald '*perl*'
+run0 dnf remove -y lvm2 rng-tools thermald '*perl*' su sudo plexec
 
 # Disable openh264 repo
-sudo dnf config-manager setopt fedora-cisco-openh264.enabled=0
+run0 dnf config-manager setopt fedora-cisco-openh264.enabled=0
 
 # Install custom packages
-sudo dnf -y install qubes-ctap qubes-gpg-split adw-gtk3-theme flatpak ncurses xdg-desktop-portal-gtk
+run0 dnf -y install qubes-ctap qubes-gpg-split adw-gtk3-theme flatpak ncurses xdg-desktop-portal-gtk
 
 # Setup hardened_malloc
-sudo https_proxy=127.0.0.1:8082 dnf copr enable secureblue/hardened_malloc -y
-sudo dnf install -y hardened_malloc
-echo 'libhardened_malloc.so' | sudo tee /etc/ld.so.preload
-sudo chmod 644 /etc/ld.so.preload
+run0 https_proxy=127.0.0.1:8082 dnf copr enable secureblue/hardened_malloc -y
+run0 dnf install -y hardened_malloc
+echo 'libhardened_malloc.so' | run0 tee /etc/ld.so.preload
+run0 chmod 644 /etc/ld.so.preload
 
 # Enable hardened_malloc for Flatpak
-sudo flatpak override --system --filesystem=host-os:ro --env=LD_PRELOAD=/var/run/host/usr/lib64/libhardened_malloc.so
+run0 flatpak override --system --filesystem=host-os:ro --env=LD_PRELOAD=/var/run/host/usr/lib64/libhardened_malloc.so
 
 ## Unforunately, user override needs to be run per-app VM
 flatpak override --user --filesystem=host-os:ro --env=LD_PRELOAD=/var/run/host/usr/lib64/libhardened_malloc.so
 
 # Setup DNF
 download https://raw.githubusercontent.com/Metropolis-Nexus/Common-Files/main/etc/dnf/dnf.conf /etc/dnf/dnf.conf
-sudo sed -i 's/^metalink=.*/&\&protocol=https/g' /etc/yum.repos.d/*
+run0 sed -i 's/^metalink=.*/&\&protocol=https/g' /etc/yum.repos.d/*

fedora-gnome/ivpn.sh

@@ -17,29 +17,29 @@
 set -eu
 
 unpriv(){
-  sudo -u nobody "${@}"
+  run0 -u nobody "${@}"
 }
 
 download() {
-  unpriv curl -s --proxy http://127.0.0.1:8082 "${1}" | sudo tee "${2}" > /dev/null
+  unpriv curl -s --proxy http://127.0.0.1:8082 "${1}" | run0 tee "${2}" > /dev/null
 }
 
-sudo dnf config-manager addrepo --from-repofile=https://repo.ivpn.net/stable/fedora/generic/ivpn.repo
-sudo dnf install -y ivpn-ui
+run0 dnf config-manager addrepo --from-repofile=https://repo.ivpn.net/stable/fedora/generic/ivpn.repo
+run0 dnf install -y ivpn-ui
 
 umask 022
 
-sudo mkdir -p /etc/qubes-bind-dirs.d
-echo 'binds+=( '\'''/etc/opt/ivpn/mutable''\'' )' | sudo tee /etc/qubes-bind-dirs.d/50_user.conf 
+run0 mkdir -p /etc/qubes-bind-dirs.d
+echo 'binds+=( '\'''/etc/opt/ivpn/mutable''\'' )' | run0 tee /etc/qubes-bind-dirs.d/50_user.conf 
 
-sudo mkdir -p /etc/systemd/system/systemd-resolved.service.d
+run0 mkdir -p /etc/systemd/system/systemd-resolved.service.d
 download https://raw.githubusercontent.com/TommyTran732/QubesOS-Scripts/main/etc/systemd/system/systemd-resolved.service.d/override.conf /etc/systemd/system/systemd-resolved.service.d/override.conf
 
 download https://raw.githubusercontent.com/TommyTran732/QubesOS-Scripts/main/etc/systemd/system/dnat-to-ns.service /etc/systemd/system/dnat-to-ns.service
 download https://raw.githubusercontent.com/TommyTran732/QubesOS-Scripts/main/etc/systemd/system/dnat-to-ns.path /etc/systemd/system/dnat-to-ns.path
 download https://raw.githubusercontent.com/TommyTran732/QubesOS-Scripts/main/etc/systemd/system/dnat-to-ns-boot.service /etc/systemd/system/dnat-to-ns-boot.service
 
-sudo systemctl enable dnat-to-ns.path
-sudo systemctl enable dnat-to-ns-boot.service
+run0 systemctl enable dnat-to-ns.path
+run0 systemctl enable dnat-to-ns-boot.service
 
 # Follow these instructions on how to set up the ProxyVM: https://privsec.dev/posts/qubes/using-ivpn-on-qubes-os/#creating-the-proxyvm

fedora-gnome/microsoft-edge.sh

@@ -17,11 +17,11 @@
 set -eu
 
 unpriv(){
-  sudo -u nobody "${@}"
+  run0 -u nobody "${@}"
 }
 
 download() {
-  unpriv curl -s --proxy http://127.0.0.1:8082 "${1}" | sudo tee "${2}" > /dev/null
+  unpriv curl -s --proxy http://127.0.0.1:8082 "${1}" | run0 tee "${2}" > /dev/null
 }
 
 umask 022
@@ -32,16 +32,16 @@ name=microsoft-edge
 baseurl=https://packages.microsoft.com/yumrepos/edge/
 enabled=1
 gpgcheck=1
-gpgkey=https://packages.microsoft.com/keys/microsoft.asc' | sudo tee /etc/yum.repos.d/microsoft-edge.repo
+gpgkey=https://packages.microsoft.com/keys/microsoft.asc' | run0 tee /etc/yum.repos.d/microsoft-edge.repo
 
-sudo dnf install -y microsoft-edge-stable qubes-video-companion
+run0 dnf install -y microsoft-edge-stable qubes-video-companion
 
-sudo mkdir -p /etc/opt/edge/policies/managed/ /etc/opt/edge/policies/recommended/
+run0 mkdir -p /etc/opt/edge/policies/managed/ /etc/opt/edge/policies/recommended/
 download https://raw.githubusercontent.com/TommyTran732/Microsoft-Edge-Policies/main/Linux/managed.json /etc/opt/edge/policies/managed/managed.json
 download https://raw.githubusercontent.com/TommyTran732/Microsoft-Edge-Policies/main/Linux/recommended.json /etc/opt/edge/policies/recommended/recommended.json
 
 # Workaround for this problem: https://forum.qubes-os.org/t/upgraded-to-4-2-and-audio-no-longer-works/23130/60
-sudo dnf install -y pulseaudio-utils
+run0 dnf install -y pulseaudio-utils
 
 echo '[Unit]
 Description=Run pactl to work around edge audio bug
@@ -53,13 +53,13 @@ Type=oneshot
 ExecStart=/usr/bin/pactl info
 
 [Install]
-WantedBy=default.target' | sudo tee /etc/systemd/user/pactl.service
+WantedBy=default.target' | run0 tee /etc/systemd/user/pactl.service
 
 umask 077
 
 # Disable hardened_malloc (for now)
 # It causes Edge to crash at launch most of the time
-sudo rm /etc/ld.so.preload
+run0 rm /etc/ld.so.preload
 
 # Run `systemctl --user enable --now pactl.service` in your appVM.
 # For some uncomprehensible reason, manually enabling pipewire-pulse.service will not work for Edge audio.

fedora-gnome/mullvad-browser.sh

@@ -17,23 +17,23 @@
 set -eu
 
 unpriv(){
-  sudo -u nobody "${@}"
+  run0 -u nobody "${@}"
 }
 
 download() {
-  unpriv curl -s --proxy http://127.0.0.1:8082 "${1}" | sudo tee "${2}" > /dev/null
+  unpriv curl -s --proxy http://127.0.0.1:8082 "${1}" | run0 tee "${2}" > /dev/null
 }
 
-sudo dnf config-manager addrepo --from-repofile=https://repository.mullvad.net/rpm/stable/mullvad.repo
-sudo dnf config-manager setopt fedora-cisco-openh264.enabled=1 rpmfusion-free.enabled=1 rpmfusion-free-updates.enabled=1 rpmfusion-nonfree.enabled=1 rpmfusion-nonfree-updates.enabled=1
+run0 dnf config-manager addrepo --from-repofile=https://repository.mullvad.net/rpm/stable/mullvad.repo
+run0 dnf config-manager setopt fedora-cisco-openh264.enabled=1 rpmfusion-free.enabled=1 rpmfusion-free-updates.enabled=1 rpmfusion-nonfree.enabled=1 rpmfusion-nonfree-updates.enabled=1
 
 # Install the package
-sudo dnf install -y ffmpeg ffmpegthumbnailer mullvad-browser yt-dlp
-sudo dnf update -y @multimedia --setopt="install_weak_deps=False" --exclude=PackageKit-gstreamer-plugin
+run0 dnf install -y ffmpeg ffmpegthumbnailer mullvad-browser yt-dlp
+run0 dnf update -y @multimedia --setopt="install_weak_deps=False" --exclude=PackageKit-gstreamer-plugin
 
 # Install dependencies for other apps not listed here
-sudo dnf install -y python3-pip
+run0 dnf install -y python3-pip
 
 # Disable hardened_malloc (for now)
 # It causes Mullvad browser to randomly crash
-sudo rm /etc/ld.so.preload
+run0 rm /etc/ld.so.preload

fedora-gnome/mullvad.sh

@@ -17,27 +17,27 @@
 set -eu
 
 unpriv(){
-  sudo -u nobody "${@}"
+  run0 -u nobody "${@}"
 }
 
 download() {
-  unpriv curl -s --proxy http://127.0.0.1:8082 "${1}" | sudo tee "${2}" > /dev/null
+  unpriv curl -s --proxy http://127.0.0.1:8082 "${1}" | run0 tee "${2}" > /dev/null
 }
 
-sudo dnf config-manager addrepo --from-repofile=https://repository.mullvad.net/rpm/stable/mullvad.repo
-sudo dnf install -y mullvad-vpn
+run0 dnf config-manager addrepo --from-repofile=https://repository.mullvad.net/rpm/stable/mullvad.repo
+run0 dnf install -y mullvad-vpn
 
 umask 022
 
-sudo mkdir -p /etc/qubes-bind-dirs.d
-echo 'binds+=( '\'''/etc/mullvad-vpn''\'' )' | sudo tee /etc/qubes-bind-dirs.d/50_user.conf 
+run0 mkdir -p /etc/qubes-bind-dirs.d
+echo 'binds+=( '\'''/etc/mullvad-vpn''\'' )' | run0 tee /etc/qubes-bind-dirs.d/50_user.conf 
 
-sudo mkdir -p /etc/systemd/system/systemd-resolved.service.d
+run0 mkdir -p /etc/systemd/system/systemd-resolved.service.d
 download https://raw.githubusercontent.com/TommyTran732/QubesOS-Scripts/main/etc/systemd/system/systemd-resolved.service.d/override.conf /etc/systemd/system/systemd-resolved.service.d/override.conf
 
 download https://raw.githubusercontent.com/TommyTran732/QubesOS-Scripts/main/etc/systemd/system/dnat-to-ns.service /etc/systemd/system/dnat-to-ns.service
 download https://raw.githubusercontent.com/TommyTran732/QubesOS-Scripts/main/etc/systemd/system/dnat-to-ns.path /etc/systemd/system/dnat-to-ns.path
 
-sudo systemctl enable dnat-to-ns.path
+run0 systemctl enable dnat-to-ns.path
 
-# Follow these instructions on how to set up the ProxyVM: https://privsec.dev/posts/qubes/using-mullvad-vpn-on-qubes-os/#creating-the-proxyvm
+# Follow these instructions on how to set up the ProxyVM: https://privsec.dev/posts/qubes/using-mullvad-vpn-on-qubes-os/#creating-the-proxyvm

fedora-gnome/sys-usb.sh

@@ -17,13 +17,13 @@
 set -eu
 
 unpriv(){
-  sudo -u nobody "${@}"
+  run0 -u nobody "${@}"
 }
 
 download() {
-  unpriv curl -s --proxy http://127.0.0.1:8082 "${1}" | sudo tee "${2}" > /dev/null
+  unpriv curl -s --proxy http://127.0.0.1:8082 "${1}" | run0 tee "${2}" > /dev/null
 }
 
-sudo dnf install -y android-tools mediawriter gnome-disk-utility
+run0 dnf install -y android-tools mediawriter gnome-disk-utility
 
-# In the dispvm template, delete ~/.config/autostart/nw.desktop to prevent the OnlyKey app from automatically starting.
+# In the dispvm template, delete ~/.config/autostart/nw.desktop to prevent the OnlyKey app from automatically starting.

fedora-gnome/thunderbird.sh

@@ -17,17 +17,17 @@
 set -eu
 
 unpriv(){
-  sudo -u nobody "${@}"
+  run0  -u nobody "${@}"
 }
 
 download() {
-  unpriv curl -s --proxy http://127.0.0.1:8082 "${1}" | sudo tee "${2}" > /dev/null
+  unpriv curl -s --proxy http://127.0.0.1:8082 "${1}" | run0 tee "${2}" > /dev/null
 }
 
-sudo dnf install -y thunderbird
+run0 dnf install -y thunderbird
 
 # Change the GPG Domain name appropriately
-echo 'QUBES_GPG_DOMAIN=vault' | sudo tee -a /etc/environment
+echo 'QUBES_GPG_DOMAIN=vault' | run0 tee -a /etc/environment
 
 # Disable hardened_malloc (for now)
-sudo rm /etc/ld.so.preload
+run0 rm /etc/ld.so.preload

fedora-gnome/trivalent.sh

@@ -17,22 +17,22 @@
 set -eu
 
 unpriv(){
-  sudo -u nobody "${@}"
+  run0 -u nobody "${@}"
 }
 
 download() {
-  unpriv curl -s --proxy http://127.0.0.1:8082 "${1}" | sudo tee "${2}" > /dev/null
+  unpriv curl -s --proxy http://127.0.0.1:8082 "${1}" | run0 tee "${2}" > /dev/null
 }
 
-sudo dnf config-manager addrepo --from-repofile=https://repo.secureblue.dev/secureblue.repo
-sudo dnf config-manager setopt fedora-cisco-openh264.enabled=1 rpmfusion-free.enabled=1 rpmfusion-free-updates.enabled=1 rpmfusion-nonfree.enabled=1 rpmfusion-nonfree-updates.enabled=1
-sudo dnf install -y ffmpeg trivalent
-sudo dnf update @multimedia --setopt="install_weak_deps=False" --exclude=PackageKit-gstreamer-plugin
+run0 dnf config-manager addrepo --from-repofile=https://repo.secureblue.dev/secureblue.repo
+run0 dnf config-manager setopt fedora-cisco-openh264.enabled=1 rpmfusion-free.enabled=1 rpmfusion-free-updates.enabled=1 rpmfusion-nonfree.enabled=1 rpmfusion-nonfree-updates.enabled=1
+run0 dnf install -y ffmpeg trivalent
+run0 dnf update @multimedia --setopt="install_weak_deps=False" --exclude=PackageKit-gstreamer-plugin
 
 umask 022
 
 # Workaround for this problem: https://forum.qubes-os.org/t/upgraded-to-4-2-and-audio-no-longer-works/23130/60
-sudo dnf install -y pulseaudio-utils
+run0 dnf install -y pulseaudio-utils
 
 echo '[Unit]
 Description=Run pactl to work around edge audio bug
@@ -44,7 +44,7 @@ Type=oneshot
 ExecStart=/usr/bin/pactl info
 
 [Install]
-WantedBy=default.target' | sudo tee /etc/systemd/user/pactl.service
+WantedBy=default.target' | run0 tee /etc/systemd/user/pactl.service
 
 umask 077
 

fedora-gnome/vault.sh

@@ -17,17 +17,17 @@
 set -eu
 
 unpriv(){
-  sudo -u nobody "${@}"
+  run0 -u nobody "${@}"
 }
 
 download() {
-  unpriv curl -s --proxy http://127.0.0.1:8082 "${1}" | sudo tee "${2}" > /dev/null
+  unpriv curl -s --proxy http://127.0.0.1:8082 "${1}" | run0 tee "${2}" > /dev/null
 }
 
 download https://raw.githubusercontent.com/TommyTran732/QubesOS-Scripts/main/etc/qubes-rpc/qubes.SshAgent /etc/qubes-rpc/qubes.SshAgent
-sudo chmod +x /etc/qubes-rpc/qubes.SshAgent
+run0 chmod +x /etc/qubes-rpc/qubes.SshAgent
 
 # Not using openssh-askpass here, because of this bug:
 # https://github.com/QubesOS/qubes-issues/issues/9741
 
-sudo dnf install -y keepassxc okular pinentry-gnome3
+run0 dnf install -y keepassxc okular pinentry-gnome3

whonix/whonix-gateway.sh

@@ -17,45 +17,48 @@
 set -eu
 
 unpriv(){
-  sudo -u nobody "${@}"
+  run0 -u nobody "${@}"
 }
 
 download() {
-  unpriv curl -s --proxy http://127.0.0.1:8082 "${1}" | sudo tee "${2}" > /dev/null
+  unpriv curl -s --proxy http://127.0.0.1:8082 "${1}" | run0 tee "${2}" > /dev/null
 }
 
 # Setting umask to 077
 # Whonix defaults to zsh - I need to set it for zsh later.
 umask 077
-sudo sed -i 's/^UMASK.*/UMASK 077/g' /etc/login.defs
-sudo sed -i 's/^HOME_MODE/#HOME_MODE/g' /etc/login.defs
-echo 'umask 077' | sudo tee -a /etc/bash.bashrc
+run0 sed -i 's/^UMASK.*/UMASK 077/g' /etc/login.defs
+run0 sed -i 's/^HOME_MODE/#HOME_MODE/g' /etc/login.defs
+echo 'umask 077' | run0 tee -a /etc/bash.bashrc
 
 # Make home directory private
-sudo chmod 700 /home/*
+run0 chmod 700 /home/*
 
 # Avoid phased updates
 download https://raw.githubusercontent.com/Metropolis-Nexus/Common-Files/main/etc/apt/apt.conf.d/99sane-upgrades /etc/apt/apt.conf.d/99sane-upgrades > /dev/null
-sudo chmod 644 /etc/apt/apt.conf.d/99sane-upgrades
+run0 chmod 644 /etc/apt/apt.conf.d/99sane-upgrades
 
 # Install packages
-sudo apt-get install --no-install-recommends fwupd-qubes-vm qt5-style-plugins arc-theme -y
+run0 apt-get install --no-install-recommends fwupd-qubes-vm qt5-style-plugins arc-theme -y
+
+# Uninstall packages
+run0 apt-get purge -y su sudo runuser
 
 # Restrict /proc and access
-sudo systemctl enable --now proc-hidepid.service
+run0 systemctl enable --now proc-hidepid.service
 
 # Reduce kernel information leaks
 # Will break a lot of applications. The apps I use on Whonix work fine with it so I am enabling it.
-sudo systemctl enable --now hide-hardware-info.service
+run0 systemctl enable --now hide-hardware-info.service
 
 # Enforce connection padding
-echo 'ConnectionPadding 1' | sudo tee /usr/local/etc/torrc.d/50_user.conf
+echo 'ConnectionPadding 1' | run0 tee /usr/local/etc/torrc.d/50_user.conf
 
 # Theming
 download https://raw.githubusercontent.com/TommyTran732/QubesOS-Scripts/main/etc/environment /etc/environment
 
-sudo mkdir -p /etc/gtk-3.0
+run0 mkdir -p /etc/gtk-3.0
 download https://raw.githubusercontent.com/TommyTran732/QubesOS-Scripts/main/etc/gtk-3.0/settings.ini /etc/gtk-3.0/settings.ini
 
-sudo mkdir -p /etc/gtk-4.0
-download https://raw.githubusercontent.com/TommyTran732/QubesOS-Scripts/main/etc/gtk-4.0/settings.ini /etc/gtk-4.0/settings.ini
+run0 mkdir -p /etc/gtk-4.0
+download https://raw.githubusercontent.com/TommyTran732/QubesOS-Scripts/main/etc/gtk-4.0/settings.ini /etc/gtk-4.0/settings.ini

whonix/whonix-workstation.sh

@@ -19,11 +19,11 @@
 set -eu
 
 unpriv(){
-  sudo -u nobody "${@}"
+ -u nobody "${@}"
 }
 
 download() {
-  unpriv curl -s --proxy http://127.0.0.1:8082 "${1}" | sudo tee "${2}" > /dev/null
+  unpriv curl -s --proxy http://127.0.0.1:8082 "${1}" | tee "${2}" > /dev/null
 }
 
 # Setting umask to 077
@@ -31,7 +31,7 @@ download() {
 umask 077
 sed -i 's/^UMASK.*/UMASK 077/g' /etc/login.defs
 sed -i 's/^HOME_MODE/#HOME_MODE/g' /etc/login.defs
-echo 'umask 077' | sudo tee -a /etc/bash.bashrc
+echo 'umask 077' | tee -a /etc/bash.bashrc
 
 # Make home directory private
 chmod 700 /home/*
@@ -43,6 +43,9 @@ chmod 644 /etc/apt/apt.conf.d/99sane-upgrades
 # Install packages
 apt-get install --no-install-recommends arc-theme pipewire-pulse qt5-style-plugins -y
 
+# Uninstall packages
+apt-get purge -y sudo su runuser
+
 # Restrict /proc and access
 systemctl enable --now proc-hidepid.service
 
@@ -57,8 +60,8 @@ download https://raw.githubusercontent.com/TommyTran732/QubesOS-Scripts/main/etc
 # Theming
 download https://raw.githubusercontent.com/TommyTran732/QubesOS-Scripts/main/etc/environment /etc/environment
 
-sudo mkdir -p /etc/gtk-3.0
+mkdir -p /etc/gtk-3.0
 download https://raw.githubusercontent.com/TommyTran732/QubesOS-Scripts/main/etc/gtk-3.0/settings.ini /etc/gtk-3.0/settings.ini
 
-sudo mkdir -p /etc/gtk-4.0
+mkdir -p /etc/gtk-4.0
 download https://raw.githubusercontent.com/TommyTran732/QubesOS-Scripts/main/etc/gtk-4.0/settings.ini /etc/gtk-4.0/settings.ini