From 7bf610dc48b8b02fe65c9ac80c288de179b499ef Mon Sep 17 00:00:00 2001 From: Ganwtrs Date: Mon, 8 Dec 2025 17:27:54 -0800 Subject: [PATCH 01/16] Replace 'sudo' with 'run0' in the Debian GNOME script Signed-off-by: Ganwtrs --- debian-gnome/debian-gnome.sh | 86 ++++++++++++++++++------------------ 1 file changed, 43 insertions(+), 43 deletions(-) diff --git a/debian-gnome/debian-gnome.sh b/debian-gnome/debian-gnome.sh index 8c98be0..7910756 100644 --- a/debian-gnome/debian-gnome.sh +++ b/debian-gnome/debian-gnome.sh 
@@ -17,37 +17,37 @@ set -eu unpriv(){ - sudo -u nobody "${@}" + run0 -u nobody "${@}" } download() { - unpriv curl -s --proxy http://127.0.0.1:8082 "${1}" | sudo tee "${2}" > /dev/null + unpriv curl -s --proxy http://127.0.0.1:8082 "${1}" | run0 tee "${2}" > /dev/null } # Compliance -sudo systemctl mask debug-shell.service +run0 systemctl mask debug-shell.service # Setting umask to 077 # Kicksecure defaults to zsh - I need to set it for zsh later. umask 077 -sudo sed -i 's/^UMASK.*/UMASK 077/g' /etc/login.defs -sudo sed -i 's/^HOME_MODE/#HOME_MODE/g' /etc/login.defs -echo 'umask 077' | sudo tee -a /etc/bash.bashrc +run0 sed -i 's/^UMASK.*/UMASK 077/g' /etc/login.defs +run0 sed -i 's/^HOME_MODE/#HOME_MODE/g' /etc/login.defs +echo 'umask 077' | run0 tee -a /etc/bash.bashrc # Make home directory private -sudo chmod 700 /home/* +run0 chmod 700 /home/* # Harden SSH download https://raw.githubusercontent.com/Metropolis-Nexus/Common-Files/main/etc/ssh/ssh_config.d/10-custom.conf /etc/ssh/ssh_config.d/10-custom.conf -sudo chmod 644 /etc/ssh/ssh_config.d/10-custom.conf +run0 chmod 644 /etc/ssh/ssh_config.d/10-custom.conf # Disable coredump download https://raw.githubusercontent.com/Metropolis-Nexus/Common-Files/main/etc/security/limits.d/30-disable-coredump.conf /etc/security/limits.d/30-disable-coredump.conf # Setup dconf umask 022 -sudo mkdir -p /etc/dconf/db/local.d/locks +run0 mkdir -p /etc/dconf/db/local.d/locks download https://raw.githubusercontent.com/Metropolis-Nexus/Common-Files/main/etc/dconf/db/local.d/locks/automount-disable /etc/dconf/db/local.d/locks/automount-disable download https://raw.githubusercontent.com/Metropolis-Nexus/Common-Files/main/etc/dconf/db/local.d/locks/privacy /etc/dconf/db/local.d/locks/privacy 
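Review bot: `download()` still writes whatever the fetch produces: `curl -s` has no `--fail`, and because `set -eu` only sees `tee`'s exit status, a proxy error page, an HTTP error body or an empty response is written to the destination as root with the script continuing at status 0. Change the pipeline to `unpriv curl -sSf --proxy http://127.0.0.1:8082 "${1}" | run0 tee "${2}" > /dev/null` and, if the interpreter is bash, put `set -o pipefail` beside `set -eu` so a failed fetch aborts the script instead of being silently ignored. The identical `download()` is defined in lokinet.sh, debian-gnome/sys-usb.sh, development.sh, fedora-gnome.sh, ivpn.sh, microsoft-edge.sh, mullvad-browser.sh, mullvad.sh and fedora-gnome/sys-usb.sh, so the same change applies to each of those hunks. Separately, the `umask 077`/`umask 022` switches in this hunk presumably no longer reach the privileged commands — run0 starts them as a transient service under the service manager rather than as a child of this shell, so files created by `run0 tee`/`run0 mkdir` appear to get the service's default umask rather than the script's — verify the resulting modes on files with no explicit chmod, such as /etc/security/limits.d/30-disable-coredump.conf.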
@@ -56,88 +56,88 @@ download https://raw.githubusercontent.com/Metropolis-Nexus/Common-Files/main/et download https://raw.githubusercontent.com/Metropolis-Nexus/Common-Files/main/etc/dconf/db/local.d/prefer-dark /etc/dconf/db/local.d/prefer-dark download https://raw.githubusercontent.com/Metropolis-Nexus/Common-Files/main/etc/dconf/db/local.d/privacy /etc/dconf/db/local.d/privacy -sudo dconf update +run0 dconf update umask 077 # Fix portals -sudo mkdir -p /etc/xdg-desktop-portal +run0 mkdir -p /etc/xdg-desktop-portal download https://raw.githubusercontent.com/TommyTran732/QubesOS-Scripts/main/etc/xdg-desktop-portal/portals.conf /etc/xdg-desktop-portal/portals.conf # Avoid phased updates download https://raw.githubusercontent.com/Metropolis-Nexus/Common-Files/main/etc/apt/apt.conf.d/99sane-upgrades /etc/apt/apt.conf.d/99sane-upgrades -sudo chmod 644 /etc/apt/apt.conf.d/99sane-upgrades +run0 chmod 644 /etc/apt/apt.conf.d/99sane-upgrades -sudo apt-get update -y -sudo apt-get full-upgrade -y -sudo apt-get autoremove -y +run0 apt-get update -y +run0 apt-get full-upgrade -y +run0 apt-get autoremove -y # Debloat # Remove unnecessary stuff from the Qubes template -sudo apt-get purge -y gnome-software gnome-system-monitor thunderbird keepassxc +run0 apt-get purge -y gnome-software gnome-system-monitor thunderbird keepassxc # Remove Network + hardware tools packages -sudo apt-get purge -y avahi* cups* '*nfs*' rygel '*smtp*' system-config-printer* '*telnet*' +run0 apt-get purge -y avahi* cups* '*nfs*' rygel '*smtp*' system-config-printer* '*telnet*' # Remove support for some languages and spelling -sudo apt-get purge -y '*speech*' +run0 apt-get purge -y '*speech*' # Remove codec + image + printers -sudo apt-get purge -y ImageMagick* sane* simple-scan +run0 apt-get purge -y ImageMagick* sane* simple-scan # Remove Active Directory + Sysadmin + reporting tools -sudo apt-get purge -y realmd +run0 apt-get purge -y realmd # Remove unnecessary network tools -sudo apt-get purge -y 
ifupdown mobile-broadband-provider-info modemmanager +run0 apt-get purge -y ifupdown mobile-broadband-provider-info modemmanager # Remove Gnome apps -sudo apt-get purge -y baobab chrome-gnome-shell eog gnome-calculator gnome-calendar gnome-characters gnome-clocks gnome-color-manager \ +run0 apt-get purge -y baobab chrome-gnome-shell eog gnome-calculator gnome-calendar gnome-characters gnome-clocks gnome-color-manager \ gnome-contacts gnome-disk-utility gnome-font-viewer gnome-logs gnome-maps gnome-music gnome-remote-desktop gnome-shell-extensions \ gnome-sound-recorder gnome-tweaks gnome-user-share gnome-weather totem # Remove apps -sudo apt-get purge -y cheese evince evolution file-roller* firefox* libreoffice* seahorse shotwell synaptic* rhythmbox yelp +run0 apt-get purge -y cheese evince evolution file-roller* firefox* libreoffice* seahorse shotwell synaptic* rhythmbox yelp # Remove other packages -sudo apt-get purge -y cron lvm2 lynx '*vmware*' xserver-xephyr xsettingsd +run0 apt-get purge -y cron lvm2 lynx '*vmware*' xserver-xephyr xsettingsd sudo su runuser -sudo apt-get autoremove -y -sudo apt-get autoclean +run0 apt-get autoremove -y +run0 apt-get autoclean # Add console group -sudo groupadd --system console -sudo usermod -aG console user +run0 groupadd --system console +run0 usermod -aG console user # Add extrepo -sudo apt-get install -y extrepo +run0 apt-get install -y extrepo # Adding KickSecure's repo -sudo http_proxy=http://127.0.0.1:8082 https_proxy=http://127.0.0.1:8082 extrepo enable kicksecure +run0 http_proxy=http://127.0.0.1:8082 https_proxy=http://127.0.0.1:8082 extrepo enable kicksecure # Distribution morphing -sudo apt-get update -sudo apt-get full-upgrade -y -sudo apt-get install --no-install-recommends kicksecure-qubes-cli -y -sudo apt-get autoremove -y -sudo repository-dist --enable --repository stable-proposed-updates -sudo extrepo disable kicksecure -sudo mv /etc/apt/sources.list ~/ -sudo touch /etc/apt/sources.list +run0 apt-get update 
+run0 apt-get full-upgrade -y +run0 apt-get install --no-install-recommends kicksecure-qubes-cli -y +run0 apt-get autoremove -y +run0 repository-dist --enable --repository stable-proposed-updates +run0 extrepo disable kicksecure +run0 mv /etc/apt/sources.list ~/ +run0 touch /etc/apt/sources.list # Restrict /proc and access -sudo systemctl enable --now proc-hidepid.service +run0 systemctl enable --now proc-hidepid.service # Reduce kernel information leaks # Will break a lot of applications. The apps I use on KickSecure work fine with it so I am enabling it. -sudo systemctl enable --now hide-hardware-info.service +run0 systemctl enable --now hide-hardware-info.service # Install packages -sudo apt-get update -sudo apt-get install --no-install-recommends gnome-console flatpak qubes-ctap qubes-gpg-split -y +run0 apt-get update +run0 apt-get install --no-install-recommends gnome-console flatpak qubes-ctap qubes-gpg-split -y # Flatpak update service download https://raw.githubusercontent.com/TommyTran732/QubesOS-Scripts/main/etc/systemd/user/update-user-flatpaks.service /etc/systemd/user/update-user-flatpaks.service -download https://raw.githubusercontent.com/TommyTran732/QubesOS-Scripts/main/etc/systemd/user/update-user-flatpaks.timer /etc/systemd/user/update-user-flatpaks.timer \ No newline at end of file +download https://raw.githubusercontent.com/TommyTran732/QubesOS-Scripts/main/etc/systemd/user/update-user-flatpaks.timer /etc/systemd/user/update-user-flatpaks.timer From 310b7344e352dc77f67ba888b4a8b74ff409eb8e Mon Sep 17 00:00:00 2001 From: Ganwtrs Date: Mon, 8 Dec 2025 17:30:36 -0800 Subject: [PATCH 02/16] Replace 'sudo' with 'run0' for Debian lokinet script Signed-off-by: Ganwtrs --- debian-gnome/lokinet.sh | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/debian-gnome/lokinet.sh b/debian-gnome/lokinet.sh index 4cda5fb..d59316e 100644 --- a/debian-gnome/lokinet.sh +++ b/debian-gnome/lokinet.sh 
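Review bot: `run0 http_proxy=http://127.0.0.1:8082 https_proxy=http://127.0.0.1:8082 extrepo enable kicksecure` does not behave like the `sudo` form it replaces: sudo parsed leading `VAR=value` words as environment assignments, whereas run0 takes the first non-option argument as the command, so this line tries to execute a program named `http_proxy=http://127.0.0.1:8082` and the script aborts under `set -eu`. Use run0's own option instead: `run0 --setenv=http_proxy=http://127.0.0.1:8082 --setenv=https_proxy=http://127.0.0.1:8082 extrepo enable kicksecure`. The same pattern appears in fedora-gnome.sh (`run0 https_proxy=127.0.0.1:8082 dnf copr enable secureblue/hardened_malloc -y`) and needs the same change. This hunk also adds `sudo su runuser` to the purge list, so from that line on run0 — and therefore polkit authorization — is the only privilege-escalation path left in the template; confirm a polkit rule lets the template user run these non-interactively, since each run0 invocation is authorized separately and the remaining calls would otherwise prompt or fail.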
@@ -17,28 +17,28 @@ set -eu unpriv(){ - sudo -u nobody "${@}" + run0 -u nobody "${@}" } download() { - unpriv curl -s --proxy http://127.0.0.1:8082 "${1}" | sudo tee "${2}" > /dev/null + unpriv curl -s --proxy http://127.0.0.1:8082 "${1}" | run0 tee "${2}" > /dev/null } umask 022 -sudo mkdir -p /etc/qubes-bind-dirs.d -echo 'binds+=( '\'''/etc/loki''\'' )' | sudo tee /etc/qubes-bind-dirs.d/50_user.conf +run0 mkdir -p /etc/qubes-bind-dirs.d +echo 'binds+=( '\'''/etc/loki''\'' )' | run0 tee /etc/qubes-bind-dirs.d/50_user.conf # Add repositories download https://deb.oxen.io/pub.gpg /usr/share/keyrings/oxen.gpg -echo "deb [signed-by=/usr/share/keyrings/oxen.gpg] https://deb.oxen.io $(lsb_release -sc) main" | sudo tee /etc/apt/sources.list.d/oxen.list +echo "deb [signed-by=/usr/share/keyrings/oxen.gpg] https://deb.oxen.io $(lsb_release -sc) main" | run0 tee /etc/apt/sources.list.d/oxen.list download https://repository.mullvad.net/deb/mullvad-keyring.asc /usr/share/keyrings/mullvad-keyring.asc echo "deb [signed-by=/usr/share/keyrings/mullvad-keyring.asc arch=$( dpkg --print-architecture )] https://repository.mullvad.net/deb/stable $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/mullvad.list # Install packages -sudo apt-get update -sudo apt-get install -y lokinet mullvad-browser resolvconf +run0 apt-get update +run0 apt-get install -y lokinet mullvad-browser resolvconf download https://raw.githubusercontent.com/TommyTran732/QubesOS-Scripts/main/etc/systemd/system/lokinet-dns-fix.service /etc/systemd/system/lokinet-dns-fix.service -sudo systemctl enable --now lokinet-dns-fix +run0 systemctl enable --now lokinet-dns-fix From 3f9ab73e38e2162f7cc76d060180a8764670ef88 Mon Sep 17 00:00:00 2001 From: Ganwtrs Date: Mon, 8 Dec 2025 17:31:50 -0800 Subject: [PATCH 03/16] Replace 'sudo' with 'run0' in sys-usb script Signed-off-by: Ganwtrs --- debian-gnome/sys-usb.sh | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) 
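Review bot: One `sudo` survives in this hunk as an unchanged context line: `echo "deb [signed-by=/usr/share/keyrings/mullvad-keyring.asc arch=$( dpkg --print-architecture )] https://repository.mullvad.net/deb/stable $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/mullvad.list`. Because the accompanying debian-gnome.sh change purges `sudo su runuser` from the template, this line will fail under `set -eu`, and the Mullvad repository is never registered before `run0 apt-get install -y lokinet mullvad-browser resolvconf`, which then cannot find mullvad-browser. Replace `| sudo tee` with `| run0 tee` on that line to match the rest of the file.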
diff --git a/debian-gnome/sys-usb.sh b/debian-gnome/sys-usb.sh index c0ecf42..81000dd 100644 --- a/debian-gnome/sys-usb.sh +++ b/debian-gnome/sys-usb.sh @@ -17,15 +17,15 @@ set -eu unpriv(){ - sudo -u nobody "${@}" + run0 -u nobody "${@}" } download() { - unpriv curl -s --proxy http://127.0.0.1:8082 "${1}" | sudo tee "${2}" > /dev/null + unpriv curl -s --proxy http://127.0.0.1:8082 "${1}" | run0 tee "${2}" > /dev/null } curl -s --proxy http://127.0.0.1:8082 -L https://github.com/trustcrypto/OnlyKey-App/releases/download/v5.5.0/OnlyKey_5.5.0_amd64.deb -O -sudo apt-get install gnome-disk-utility qubes-video-companion ./OnlyKey_5.5.0_amd64.deb +run0 apt-get install gnome-disk-utility qubes-video-companion ./OnlyKey_5.5.0_amd64.deb -sudo systemctl disable --now hide-hardware-info.service \ No newline at end of file +run0 systemctl disable --now hide-hardware-info.service From 9f95b1fdf3030854f4bd0fd0c76490e06ac484a4 Mon Sep 17 00:00:00 2001 From: Ganwtrs Date: Mon, 8 Dec 2025 17:34:51 -0800 Subject: [PATCH 04/16] Replace 'sudo' with 'run0' in development.sh Signed-off-by: Ganwtrs --- fedora-gnome/development.sh | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/fedora-gnome/development.sh b/fedora-gnome/development.sh index 2b9d037..7b7869e 100644 --- a/fedora-gnome/development.sh +++ b/fedora-gnome/development.sh @@ -19,11 +19,11 @@ set -eu unpriv(){ - sudo -u nobody "${@}" + run0 -u nobody "${@}" } download() { - unpriv curl -s --proxy http://127.0.0.1:8082 "${1}" | sudo tee "${2}" > /dev/null + unpriv curl -s --proxy http://127.0.0.1:8082 "${1}" | run0 tee "${2}" > /dev/null } echo '[code] 
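Review bot: `run0 apt-get install gnome-disk-utility qubes-video-companion ./OnlyKey_5.5.0_amd64.deb` installs as root a file that the preceding `curl -s ... -L ... -O` fetched with no `--fail` and no integrity check, so a failed or redirected download leaves a truncated or HTML file in place, and the relative `./` path additionally relies on run0 starting the command in the caller's working directory, which this script does not pin down. Add `-f` to the fetch (`curl -sSf --proxy http://127.0.0.1:8082 -L https://github.com/trustcrypto/OnlyKey-App/releases/download/v5.5.0/OnlyKey_5.5.0_amd64.deb -O`), pass the package by absolute path (`"$PWD/OnlyKey_5.5.0_amd64.deb"`), and compare the download against a checksum or signature recorded in the script before installing it. The apt-get call also lacks `-y`, unlike every other install line in these scripts, so it may stop at the confirmation prompt when stdin is not a terminal.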
@@ -31,7 +31,7 @@ name=Visual Studio Code baseurl=https://packages.microsoft.com/yumrepos/vscode/ enabled=1 gpgcheck=1 -gpgkey=https://packages.microsoft.com/keys/microsoft.asc' | sudo tee /etc/yum.repos.d/vscode.repo +gpgkey=https://packages.microsoft.com/keys/microsoft.asc' | run0 tee /etc/yum.repos.d/vscode.repo echo '[shiftkey-packages] name=GitHub Desktop @@ -39,19 +39,19 @@ baseurl=https://rpm.packages.shiftkey.dev/rpm/ enabled=1 gpgcheck=1 repo_gpgcheck=1 -gpgkey=https://rpm.packages.shiftkey.dev/gpg.key' | sudo tee /etc/yum.repos.d/shiftkey-packages.repo +gpgkey=https://rpm.packages.shiftkey.dev/gpg.key' | run0 tee /etc/yum.repos.d/shiftkey-packages.repo -sudo dnf config-manager addrepo --from-repofile=https://download.docker.com/linux/fedora/docker-ce.repo +run0 dnf config-manager addrepo --from-repofile=https://download.docker.com/linux/fedora/docker-ce.repo -sudo dnf install -y butane code docker-ce docker-buildx-plugin docker-compose-plugin git github-desktop +run0 dnf install -y butane code docker-ce docker-buildx-plugin docker-compose-plugin git github-desktop -sudo systemctl enable --now docker -sudo usermod -aG docker user +run0 systemctl enable --now docker +run0 usermod -aG docker user # Change the GPG Domain name appropriately -echo 'QUBES_GPG_DOMAIN=vault' | sudo tee -a /etc/environment +echo 'QUBES_GPG_DOMAIN=vault' | run0 tee -a /etc/environment umask 022 -sudo mkdir -p /etc/qubes-bind-dirs.d -echo 'binds+=( '\'''/var/lib/docker''\'' )' | sudo tee /etc/qubes-bind-dirs.d/50_user.conf \ No newline at end of file +run0 mkdir -p /etc/qubes-bind-dirs.d +echo 'binds+=( '\'''/var/lib/docker''\'' )' | run0 tee /etc/qubes-bind-dirs.d/50_user.conf From cf838e89c3162854908c276ecdc61f3a7a048ec0 Mon Sep 17 00:00:00 2001 From: Ganwtrs Date: Mon, 8 Dec 2025 17:39:25 -0800 Subject: [PATCH 05/16] Replace sudo with run0 in Fedora GNOME script 
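Review bot: `run0 dnf config-manager addrepo --from-repofile=https://download.docker.com/linux/fedora/docker-ce.repo` fetches the repo file directly, while every other network access in this file goes through the 127.0.0.1:8082 proxy, and run0 does not forward the caller's environment, so no `https_proxy` reaches dnf; if the template has no direct network this line fails under `set -eu`. If the proxy is required, write it as `run0 --setenv=https_proxy=http://127.0.0.1:8082 dnf config-manager addrepo --from-repofile=https://download.docker.com/linux/fedora/docker-ce.repo`, or carry `proxy=` in the /etc/dnf/dnf.conf that fedora-gnome.sh installs. The same direct `addrepo --from-repofile=https://…` appears in ivpn.sh, mullvad-browser.sh and mullvad.sh. `run0 usermod -aG docker user` would also benefit from a comment stating the trust consequence, e.g. `# docker group membership is root-equivalent; acceptable only because this is a dedicated development template`.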
Signed-off-by: Ganwtrs --- fedora-gnome/fedora-gnome.sh | 76 ++++++++++++++++++------------------ 1 file changed, 38 insertions(+), 38 deletions(-) diff --git a/fedora-gnome/fedora-gnome.sh b/fedora-gnome/fedora-gnome.sh index 35a16df..789da5d 100644 --- a/fedora-gnome/fedora-gnome.sh +++ b/fedora-gnome/fedora-gnome.sh @@ -17,28 +17,28 @@ set -eu unpriv(){ - sudo -u nobody "${@}" + run0 -u nobody "${@}" } download() { - unpriv curl -s --proxy http://127.0.0.1:8082 "${1}" | sudo tee "${2}" > /dev/null + unpriv curl -s --proxy http://127.0.0.1:8082 "${1}" | run0 tee "${2}" > /dev/null } # Compliance -sudo systemctl mask debug-shell.service -sudo systemctl mask kdump.service +run0 systemctl mask debug-shell.service +run0 systemctl mask kdump.service # Setting umask to 077 -sudo sed -i 's/^UMASK.*/UMASK 077/g' /etc/login.defs -sudo sed -i 's/^HOME_MODE/#HOME_MODE/g' /etc/login.defs -sudo sed -i 's/umask 022/umask 077/g' /etc/bashrc +run0 sed -i 's/^UMASK.*/UMASK 077/g' /etc/login.defs +run0 sed -i 's/^HOME_MODE/#HOME_MODE/g' /etc/login.defs +run0 sed -i 's/umask 022/umask 077/g' /etc/bashrc # Make home directory private -sudo chmod 700 /home/* +run0 chmod 700 /home/* # Harden SSH download https://raw.githubusercontent.com/Metropolis-Nexus/Common-Files/main/etc/ssh/ssh_config.d/10-custom.conf /etc/ssh/ssh_config.d/10-custom.conf -sudo sed -i 's/KexAlgorithms curve25519-sha256/KexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256/' /etc/crypto-policies/back-ends/openssh.config +run0 sed -i 's/KexAlgorithms curve25519-sha256/KexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256/' /etc/crypto-policies/back-ends/openssh.config # Security kernel settings download https://raw.githubusercontent.com/secureblue/secureblue/live/files/system/usr/lib/modprobe.d/secureblue-framebuffer.conf /etc/modprobe.d/framebuffer-blacklist.conf 
@@ -46,15 +46,15 @@ download https://raw.githubusercontent.com/secureblue/secureblue/live/files/syst download https://raw.githubusercontent.com/Metropolis-Nexus/Common-Files/main/etc/sysctl.d/99-workstation.conf /etc/sysctl.d/99-workstation.conf # Dracut doesn't seem to work - need to investigate # dracut -f -sudo sysctl -p +run0 sysctl -p # Disable coredump download https://raw.githubusercontent.com/Metropolis-Nexus/Common-Files/main/etc/security/limits.d/30-disable-coredump.conf /etc/security/limits.d/30-disable-coredump.conf -sudo mkdir -p /etc/systemd/coredump.conf.d +run0 mkdir -p /etc/systemd/coredump.conf.d download https://raw.githubusercontent.com/Metropolis-Nexus/Common-Files/main/etc/systemd/coredump.conf.d/disable.conf /etc/systemd/coredump.conf.d/disable.conf # Setup dconf -sudo mkdir -p /etc/dconf/db/local.d/locks +run0 mkdir -p /etc/dconf/db/local.d/locks download https://raw.githubusercontent.com/Metropolis-Nexus/Common-Files/main/etc/dconf/db/local.d/locks/automount-disable /etc/dconf/db/local.d/locks/automount-disable download https://raw.githubusercontent.com/Metropolis-Nexus/Common-Files/main/etc/dconf/db/local.d/locks/privacy /etc/dconf/db/local.d/locks/privacy @@ -64,10 +64,10 @@ download https://raw.githubusercontent.com/Metropolis-Nexus/Common-Files/main/et download https://raw.githubusercontent.com/Metropolis-Nexus/Common-Files/main/etc/dconf/db/local.d/prefer-dark /etc/dconf/db/local.d/prefer-dark download https://raw.githubusercontent.com/Metropolis-Nexus/Common-Files/main/etc/dconf/db/local.d/privacy /etc/dconf/db/local.d/privacy -sudo dconf update +run0 dconf update # Fix portals -sudo mkdir -p /etc/xdg-desktop-portal +run0 mkdir -p /etc/xdg-desktop-portal download https://raw.githubusercontent.com/TommyTran732/QubesOS-Scripts/main/etc/xdg-desktop-portal/portals.conf /etc/xdg-desktop-portal/portals.conf # Setup ZRAM 
@@ -80,77 +80,77 @@ download https://raw.githubusercontent.com/TommyTran732/QubesOS-Scripts/main/etc # Setup networking # We don't need the usual mac address randomization and stuff here, because this template is not used for sys-net -sudo mkdir -p /etc/systemd/system/NetworkManager.service.d +run0 mkdir -p /etc/systemd/system/NetworkManager.service.d download https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/NetworkManager.service.d/99-brace.conf /etc/systemd/system/NetworkManager.service.d/99-brace.conf -sudo sed -i 's@ReadOnlyPaths=/etc/NetworkManager@#ReadOnlyPaths=/etc/NetworkManager@' /etc/systemd/system/NetworkManager.service.d/99-brace.conf -sudo sed -i 's@ReadWritePaths=-/etc/NetworkManager/system-connections@#ReadWritePaths=-/etc/NetworkManager/system-connections@' /etc/systemd/system/NetworkManager.service.d/99-brace.conf +run0 sed -i 's@ReadOnlyPaths=/etc/NetworkManager@#ReadOnlyPaths=/etc/NetworkManager@' /etc/systemd/system/NetworkManager.service.d/99-brace.conf +run0 sed -i 's@ReadWritePaths=-/etc/NetworkManager/system-connections@#ReadWritePaths=-/etc/NetworkManager/system-connections@' /etc/systemd/system/NetworkManager.service.d/99-brace.conf # Disable GJS and WebkitGTK JIT download https://raw.githubusercontent.com/Metropolis-Nexus/Common-Files/main/etc/environment /etc/environment # Fix GNOME environment variable echo ' -XDG_CURRENT_DESKTOP=GNOME' | sudo tee -a /etc/environment +XDG_CURRENT_DESKTOP=GNOME' | run0 tee -a /etc/environment # Moving DNF handling to the bottom as the Qubes template just breaks when repos are changed and needs a reboot to fix # Remove unwanted groups -sudo dnf -y group remove 'Container Management' 'Desktop accessibility' 'Firefox Web Browser' 'Guest Desktop Agents' 'LibreOffice' 'Printing Support' +run0 dnf -y group remove 'Container Management' 'Desktop accessibility' 'Firefox Web Browser' 'Guest Desktop Agents' 'LibreOffice' 'Printing Support' # Remove unnecessary stuff from the Qubes 
template -sudo dnf -y remove gnome-software gnome-system-monitor amd-ucode-firmware '*gpu*' httpd keepassxc thunderbird +run0 dnf -y remove gnome-software gnome-system-monitor amd-ucode-firmware '*gpu*' httpd keepassxc thunderbird # Remove unnecessary stuff from the Fedora-41 template (will be split into whats in the qubes template and whats upstream later) -sudo dnf -y remove c-ares hiredis +run0 dnf -y remove c-ares hiredis # Remove firefox packages -sudo dnf -y remove fedora-bookmarks fedora-chromium-config firefox mozilla-filesystem +run0 dnf -y remove fedora-bookmarks fedora-chromium-config firefox mozilla-filesystem # Remove Network + hardware tools packages -sudo dnf -y remove avahi cifs* '*cups' dmidecode dnsmasq geolite2* mtr net-snmp-libs net-tools nfs-utils nmap-ncat nmap-ncat opensc openssh-server rsync rygel sgpio tcpdump teamd traceroute usb_modeswitch +run0 dnf -y remove avahi cifs* '*cups' dmidecode dnsmasq geolite2* mtr net-snmp-libs net-tools nfs-utils nmap-ncat nmap-ncat opensc openssh-server rsync rygel sgpio tcpdump teamd traceroute usb_modeswitch # Remove support for some languages and spelling -sudo dnf -y remove '*anthy*' '*hangul*' ibus-typing-booster '*m17n*' '*pinyin*' '*speech*' texlive-libs words '*zhuyin*' +run0 dnf -y remove '*anthy*' '*hangul*' ibus-typing-booster '*m17n*' '*pinyin*' '*speech*' texlive-libs words '*zhuyin*' # Remove codec + image + printers -sudo dnf -y remove openh264 ImageMagick* sane* simple-scan +run0 dnf -y remove openh264 ImageMagick* sane* simple-scan # Remove Active Directory + Sysadmin + reporting tools -sudo dnf -y remove 'sssd*' realmd cyrus-sasl-gssapi quota* dos2unix kpartx sos samba-client gvfs-smb +run0 dnf -y remove 'sssd*' realmd cyrus-sasl-gssapi quota* dos2unix kpartx sos samba-client gvfs-smb # Remove NetworkManager -sudo dnf -y remove NetworkManager-pptp-gnome NetworkManager-ssh-gnome NetworkManager-openconnect-gnome NetworkManager-openvpn-gnome NetworkManager-vpnc-gnome ppp* ModemManager +run0 
dnf -y remove NetworkManager-pptp-gnome NetworkManager-ssh-gnome NetworkManager-openconnect-gnome NetworkManager-openvpn-gnome NetworkManager-vpnc-gnome ppp* ModemManager # Remove Gnome apps -sudo dnf remove -y baobab chrome-gnome-shell eog gnome-boxes gnome-calculator gnome-calendar gnome-characters gnome-classic* gnome-clocks gnome-color-manager gnome-connections \ +run0 dnf remove -y baobab chrome-gnome-shell eog gnome-boxes gnome-calculator gnome-calendar gnome-characters gnome-classic* gnome-clocks gnome-color-manager gnome-connections \ gnome-contacts gnome-disk-utility gnome-font-viewer gnome-logs gnome-maps gnome-photos gnome-remote-desktop gnome-screenshot gnome-shell-extension-apps-menu \ gnome-shell-extension-background-logo gnome-shell-extension-launch-new-instance gnome-shell-extension-places-menu gnome-shell-extension-window-list gnome-text-editor \ gnome-themes-extra gnome-tour gnome-user* gnome-weather loupe snapshot totem # Remove apps -sudo dnf remove -y abrt* cheese evince file-roller* libreoffice* mediawriter rhythmbox yelp +run0 dnf remove -y abrt* cheese evince file-roller* libreoffice* mediawriter rhythmbox yelp # Remove other packages -sudo dnf remove -y lvm2 rng-tools thermald '*perl*' +run0 dnf remove -y lvm2 rng-tools thermald '*perl*' su sudo plexec # Disable openh264 repo -sudo dnf config-manager setopt fedora-cisco-openh264.enabled=0 +run0 dnf config-manager setopt fedora-cisco-openh264.enabled=0 # Install custom packages -sudo dnf -y install qubes-ctap qubes-gpg-split adw-gtk3-theme flatpak ncurses xdg-desktop-portal-gtk +run0 dnf -y install qubes-ctap qubes-gpg-split adw-gtk3-theme flatpak ncurses xdg-desktop-portal-gtk # Setup hardened_malloc -sudo https_proxy=127.0.0.1:8082 dnf copr enable secureblue/hardened_malloc -y -sudo dnf install -y hardened_malloc -echo 'libhardened_malloc.so' | sudo tee /etc/ld.so.preload -sudo chmod 644 /etc/ld.so.preload +run0 https_proxy=127.0.0.1:8082 dnf copr enable secureblue/hardened_malloc -y +run0 
dnf install -y hardened_malloc +echo 'libhardened_malloc.so' | run0 tee /etc/ld.so.preload +run0 chmod 644 /etc/ld.so.preload # Enable hardened_malloc for Flatpak -sudo flatpak override --system --filesystem=host-os:ro --env=LD_PRELOAD=/var/run/host/usr/lib64/libhardened_malloc.so +run0 flatpak override --system --filesystem=host-os:ro --env=LD_PRELOAD=/var/run/host/usr/lib64/libhardened_malloc.so ## Unforunately, user override needs to be run per-app VM flatpak override --user --filesystem=host-os:ro --env=LD_PRELOAD=/var/run/host/usr/lib64/libhardened_malloc.so # Setup DNF download https://raw.githubusercontent.com/Metropolis-Nexus/Common-Files/main/etc/dnf/dnf.conf /etc/dnf/dnf.conf -sudo sed -i 's/^metalink=.*/&\&protocol=https/g' /etc/yum.repos.d/* +run0 sed -i 's/^metalink=.*/&\&protocol=https/g' /etc/yum.repos.d/* From 5d7b8ec4f8c392ea329d89423a7e3c6db692abed Mon Sep 17 00:00:00 2001 From: Ganwtrs Date: Mon, 8 Dec 2025 17:40:30 -0800 Subject: [PATCH 06/16] Replace sudo with run0 in IVPN script Signed-off-by: Ganwtrs --- fedora-gnome/ivpn.sh | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/fedora-gnome/ivpn.sh b/fedora-gnome/ivpn.sh index 82a64c8..ed1c5f9 100644 --- a/fedora-gnome/ivpn.sh +++ b/fedora-gnome/ivpn.sh 
@@ -17,29 +17,29 @@ set -eu unpriv(){ - sudo -u nobody "${@}" + run0 -u nobody "${@}" } download() { - unpriv curl -s --proxy http://127.0.0.1:8082 "${1}" | sudo tee "${2}" > /dev/null + unpriv curl -s --proxy http://127.0.0.1:8082 "${1}" | run0 tee "${2}" > /dev/null } -sudo dnf config-manager addrepo --from-repofile=https://repo.ivpn.net/stable/fedora/generic/ivpn.repo -sudo dnf install -y ivpn-ui +run0 dnf config-manager addrepo --from-repofile=https://repo.ivpn.net/stable/fedora/generic/ivpn.repo +run0 dnf install -y ivpn-ui umask 022 -sudo mkdir -p /etc/qubes-bind-dirs.d -echo 'binds+=( '\'''/etc/opt/ivpn/mutable''\'' )' | sudo tee /etc/qubes-bind-dirs.d/50_user.conf +run0 mkdir -p /etc/qubes-bind-dirs.d +echo 'binds+=( '\'''/etc/opt/ivpn/mutable''\'' )' | run0 tee /etc/qubes-bind-dirs.d/50_user.conf -sudo mkdir -p /etc/systemd/system/systemd-resolved.service.d +run0 mkdir -p /etc/systemd/system/systemd-resolved.service.d download https://raw.githubusercontent.com/TommyTran732/QubesOS-Scripts/main/etc/systemd/system/systemd-resolved.service.d/override.conf /etc/systemd/system/systemd-resolved.service.d/override.conf download https://raw.githubusercontent.com/TommyTran732/QubesOS-Scripts/main/etc/systemd/system/dnat-to-ns.service /etc/systemd/system/dnat-to-ns.service download https://raw.githubusercontent.com/TommyTran732/QubesOS-Scripts/main/etc/systemd/system/dnat-to-ns.path /etc/systemd/system/dnat-to-ns.path download https://raw.githubusercontent.com/TommyTran732/QubesOS-Scripts/main/etc/systemd/system/dnat-to-ns-boot.service /etc/systemd/system/dnat-to-ns-boot.service -sudo systemctl enable dnat-to-ns.path -sudo systemctl enable dnat-to-ns-boot.service +run0 systemctl enable dnat-to-ns.path +run0 systemctl enable dnat-to-ns-boot.service # Follow these instructions on how to set up the ProxyVM: https://privsec.dev/posts/qubes/using-ivpn-on-qubes-os/#creating-the-proxyvm From cfcef727006fa80abc4434d61b3e7e1a235e9bed Mon Sep 17 00:00:00 2001 
From: Ganwtrs Date: Mon, 8 Dec 2025 17:50:23 -0800 Subject: [PATCH 07/16] Replace 'sudo' with 'run0' in Edge script Signed-off-by: Ganwtrs --- fedora-gnome/microsoft-edge.sh | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/fedora-gnome/microsoft-edge.sh b/fedora-gnome/microsoft-edge.sh index 0a223cb..e16dfb8 100644 --- a/fedora-gnome/microsoft-edge.sh +++ b/fedora-gnome/microsoft-edge.sh @@ -17,11 +17,11 @@ set -eu unpriv(){ - sudo -u nobody "${@}" + run0 -u nobody "${@}" } download() { - unpriv curl -s --proxy http://127.0.0.1:8082 "${1}" | sudo tee "${2}" > /dev/null + unpriv curl -s --proxy http://127.0.0.1:8082 "${1}" | run0 tee "${2}" > /dev/null } umask 022 @@ -32,16 +32,16 @@ name=microsoft-edge baseurl=https://packages.microsoft.com/yumrepos/edge/ enabled=1 gpgcheck=1 -gpgkey=https://packages.microsoft.com/keys/microsoft.asc' | sudo tee /etc/yum.repos.d/microsoft-edge.repo +gpgkey=https://packages.microsoft.com/keys/microsoft.asc' | run0 tee /etc/yum.repos.d/microsoft-edge.repo -sudo dnf install -y microsoft-edge-stable qubes-video-companion +run0 dnf install -y microsoft-edge-stable qubes-video-companion -sudo mkdir -p /etc/opt/edge/policies/managed/ /etc/opt/edge/policies/recommended/ +run0 mkdir -p /etc/opt/edge/policies/managed/ /etc/opt/edge/policies/recommended/ download https://raw.githubusercontent.com/TommyTran732/Microsoft-Edge-Policies/main/Linux/managed.json /etc/opt/edge/policies/managed/managed.json download https://raw.githubusercontent.com/TommyTran732/Microsoft-Edge-Policies/main/Linux/recommended.json /etc/opt/edge/policies/recommended/recommended.json # Workaround for this problem: https://forum.qubes-os.org/t/upgraded-to-4-2-and-audio-no-longer-works/23130/60 -sudo dnf install -y pulseaudio-utils +run0 dnf install -y pulseaudio-utils echo '[Unit] Description=Run pactl to work around edge audio bug 
@@ -53,13 +53,13 @@ Type=oneshot ExecStart=/usr/bin/pactl info [Install] -WantedBy=default.target' | sudo tee /etc/systemd/user/pactl.service +WantedBy=default.target' | run0 tee /etc/systemd/user/pactl.service umask 077 # Disable hardened_malloc (for now) # It causes Edge to crash at launch most of the time -sudo rm /etc/ld.so.preload +run0 rm /etc/ld.so.preload # Run `systemctl --user enable --now pactl.service` in your appVM. # For some uncomprehensible reason, manually enabling pipewire-pulse.service will not work for Edge audio. From 19f3be797edda070fb76e81aeeebacd81ccbcd98 Mon Sep 17 00:00:00 2001 From: Ganwtrs Date: Mon, 8 Dec 2025 17:51:31 -0800 Subject: [PATCH 08/16] Replace 'sudo' with 'run0' in Mullvad Browser script Signed-off-by: Ganwtrs --- fedora-gnome/mullvad-browser.sh | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/fedora-gnome/mullvad-browser.sh b/fedora-gnome/mullvad-browser.sh index ec8c8f0..16b8ee7 100644 --- a/fedora-gnome/mullvad-browser.sh +++ b/fedora-gnome/mullvad-browser.sh 
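Review bot: `run0 rm /etc/ld.so.preload` aborts the whole script under `set -eu` when the file is absent (a template built without the hardened_malloc step, or this script run a second time); use `run0 rm -f -- /etc/ld.so.preload` so the step is idempotent. The same line is in mullvad-browser.sh. Since this removes the LD_PRELOAD for every process in the template rather than just for Edge, the comment above it should say so, e.g. `# Disables hardened_malloc system-wide in this template, not only for Edge`.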
@@ -17,23 +17,23 @@ set -eu unpriv(){ - sudo -u nobody "${@}" + run0 -u nobody "${@}" } download() { - unpriv curl -s --proxy http://127.0.0.1:8082 "${1}" | sudo tee "${2}" > /dev/null + unpriv curl -s --proxy http://127.0.0.1:8082 "${1}" | run0 tee "${2}" > /dev/null } -sudo dnf config-manager addrepo --from-repofile=https://repository.mullvad.net/rpm/stable/mullvad.repo -sudo dnf config-manager setopt fedora-cisco-openh264.enabled=1 rpmfusion-free.enabled=1 rpmfusion-free-updates.enabled=1 rpmfusion-nonfree.enabled=1 rpmfusion-nonfree-updates.enabled=1 +run0 dnf config-manager addrepo --from-repofile=https://repository.mullvad.net/rpm/stable/mullvad.repo +run0 dnf config-manager setopt fedora-cisco-openh264.enabled=1 rpmfusion-free.enabled=1 rpmfusion-free-updates.enabled=1 rpmfusion-nonfree.enabled=1 rpmfusion-nonfree-updates.enabled=1 # Install the package -sudo dnf install -y ffmpeg ffmpegthumbnailer mullvad-browser yt-dlp -sudo dnf update -y @multimedia --setopt="install_weak_deps=False" --exclude=PackageKit-gstreamer-plugin +run0 dnf install -y ffmpeg ffmpegthumbnailer mullvad-browser yt-dlp +run0 dnf update -y @multimedia --setopt="install_weak_deps=False" --exclude=PackageKit-gstreamer-plugin # Install dependencies for other apps not listed here -sudo dnf install -y python3-pip +run0 dnf install -y python3-pip # Disable hardened_malloc (for now) # It causes Mullvad browser to randomly crash -sudo rm /etc/ld.so.preload +run0 rm /etc/ld.so.preload From 4cfccb29a9e3b42b9d416d738227a5e64742f8c0 Mon Sep 17 00:00:00 2001 From: Ganwtrs Date: Mon, 8 Dec 2025 17:52:39 -0800 Subject: [PATCH 09/16] Replace 'sudo' with 'run0' for in mullvad script Signed-off-by: Ganwtrs --- fedora-gnome/mullvad.sh | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/fedora-gnome/mullvad.sh b/fedora-gnome/mullvad.sh index 2f5ef42..e91f42a 100644 --- a/fedora-gnome/mullvad.sh +++ b/fedora-gnome/mullvad.sh 
@@ -17,27 +17,27 @@ set -eu
 unpriv(){
- sudo -u nobody "${@}"
+ run0 -u nobody "${@}"
 }
 download() {
- unpriv curl -s --proxy http://127.0.0.1:8082 "${1}" | sudo tee "${2}" > /dev/null
+ unpriv curl -s --proxy http://127.0.0.1:8082 "${1}" | run0 tee "${2}" > /dev/null
 }
-sudo dnf config-manager addrepo --from-repofile=https://repository.mullvad.net/rpm/stable/mullvad.repo
-sudo dnf install -y mullvad-vpn
+run0 dnf config-manager addrepo --from-repofile=https://repository.mullvad.net/rpm/stable/mullvad.repo
+run0 dnf install -y mullvad-vpn
 umask 022
-sudo mkdir -p /etc/qubes-bind-dirs.d
-echo 'binds+=( '\'''/etc/mullvad-vpn''\'' )' | sudo tee /etc/qubes-bind-dirs.d/50_user.conf
+run0 mkdir -p /etc/qubes-bind-dirs.d
+echo 'binds+=( '\'''/etc/mullvad-vpn''\'' )' | run0 tee /etc/qubes-bind-dirs.d/50_user.conf
-sudo mkdir -p /etc/systemd/system/systemd-resolved.service.d
+run0 mkdir -p /etc/systemd/system/systemd-resolved.service.d
 download https://raw.githubusercontent.com/TommyTran732/QubesOS-Scripts/main/etc/systemd/system/systemd-resolved.service.d/override.conf /etc/systemd/system/systemd-resolved.service.d/override.conf
 download https://raw.githubusercontent.com/TommyTran732/QubesOS-Scripts/main/etc/systemd/system/dnat-to-ns.service /etc/systemd/system/dnat-to-ns.service
 download https://raw.githubusercontent.com/TommyTran732/QubesOS-Scripts/main/etc/systemd/system/dnat-to-ns.path /etc/systemd/system/dnat-to-ns.path
-sudo systemctl enable dnat-to-ns.path
+run0 systemctl enable dnat-to-ns.path
-# Follow these instructions on how to set up the ProxyVM: https://privsec.dev/posts/qubes/using-mullvad-vpn-on-qubes-os/#creating-the-proxyvm
\ No newline at end of file
+# Follow these instructions on how to set up the ProxyVM: https://privsec.dev/posts/qubes/using-mullvad-vpn-on-qubes-os/#creating-the-proxyvm
From a47bb73e9c091e1bde979b48719e43e4bc3147cd Mon Sep 17 00:00:00 2001
From: Ganwtrs
Date: Mon, 8 Dec 2025 17:55:07 -0800
Subject: [PATCH 10/16] Replace 'sudo' with 'run0' in sys-usb for fedora-gnome
Signed-off-by: Ganwtrs
---
 fedora-gnome/sys-usb.sh | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/fedora-gnome/sys-usb.sh b/fedora-gnome/sys-usb.sh
index be3e661..305c023 100644
--- a/fedora-gnome/sys-usb.sh
+++ b/fedora-gnome/sys-usb.sh
@@ -17,13 +17,13 @@ set -eu
 unpriv(){
- sudo -u nobody "${@}"
+ run0 -u nobody "${@}"
 }
 download() {
- unpriv curl -s --proxy http://127.0.0.1:8082 "${1}" | sudo tee "${2}" > /dev/null
+ unpriv curl -s --proxy http://127.0.0.1:8082 "${1}" | run0 tee "${2}" > /dev/null
 }
-sudo dnf install -y android-tools mediawriter gnome-disk-utility
+run0 dnf install -y android-tools mediawriter gnome-disk-utility
-# In the dispvm template, delete ~/.config/autostart/nw.desktop to prevent the OnlyKey app from automatically starting.
\ No newline at end of file
+# In the dispvm template, delete ~/.config/autostart/nw.desktop to prevent the OnlyKey app from automatically starting.
From d60246c15c197233a7e10cca791bf063c6ac9b72 Mon Sep 17 00:00:00 2001
From: Ganwtrs
Date: Mon, 8 Dec 2025 18:00:54 -0800
Subject: [PATCH 11/16] Replace 'sudo' with 'run0' in thunderbird.sh
Signed-off-by: Ganwtrs
---
 fedora-gnome/thunderbird.sh | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/fedora-gnome/thunderbird.sh b/fedora-gnome/thunderbird.sh
index db9a3fd..196b6df 100644
--- a/fedora-gnome/thunderbird.sh
+++ b/fedora-gnome/thunderbird.sh
@@ -17,17 +17,17 @@ set -eu
 unpriv(){
- sudo -u nobody "${@}"
+ run0 -u nobody "${@}"
 }
 download() {
- unpriv curl -s --proxy http://127.0.0.1:8082 "${1}" | sudo tee "${2}" > /dev/null
+ unpriv curl -s --proxy http://127.0.0.1:8082 "${1}" | run0 tee "${2}" > /dev/null
 }
-sudo dnf install -y thunderbird
+run0 dnf install -y thunderbird
 # Change the GPG Domain name appropriately
-echo 'QUBES_GPG_DOMAIN=vault' | sudo tee -a /etc/environment
+echo 'QUBES_GPG_DOMAIN=vault' | run0 tee -a /etc/environment
 # Disable hardened_malloc (for now)
-sudo rm /etc/ld.so.preload
\ No newline at end of file
+run0 rm /etc/ld.so.preload
From 71471a30b9ab9d090004af7246f1365a0285524b Mon Sep 17 00:00:00 2001
From: Ganwtrs
Date: Mon, 8 Dec 2025 18:02:02 -0800
Subject: [PATCH 12/16] Replace 'sudo' with 'run0' in trivalent.sh
Signed-off-by: Ganwtrs
---
 fedora-gnome/trivalent.sh | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/fedora-gnome/trivalent.sh b/fedora-gnome/trivalent.sh
index 92b82c0..ac38813 100644
--- a/fedora-gnome/trivalent.sh
+++ b/fedora-gnome/trivalent.sh
@@ -17,22 +17,22 @@ set -eu
 unpriv(){
- sudo -u nobody "${@}"
+ run0 -u nobody "${@}"
 }
 download() {
- unpriv curl -s --proxy http://127.0.0.1:8082 "${1}" | sudo tee "${2}" > /dev/null
+ unpriv curl -s --proxy http://127.0.0.1:8082 "${1}" | run0 tee "${2}" > /dev/null
 }
-sudo dnf config-manager addrepo --from-repofile=https://repo.secureblue.dev/secureblue.repo
-sudo dnf config-manager setopt fedora-cisco-openh264.enabled=1 rpmfusion-free.enabled=1 rpmfusion-free-updates.enabled=1 rpmfusion-nonfree.enabled=1 rpmfusion-nonfree-updates.enabled=1
-sudo dnf install -y ffmpeg trivalent
-sudo dnf update @multimedia --setopt="install_weak_deps=False" --exclude=PackageKit-gstreamer-plugin
+run0 dnf config-manager addrepo --from-repofile=https://repo.secureblue.dev/secureblue.repo
+run0 dnf config-manager setopt fedora-cisco-openh264.enabled=1 rpmfusion-free.enabled=1 rpmfusion-free-updates.enabled=1 rpmfusion-nonfree.enabled=1 rpmfusion-nonfree-updates.enabled=1
+run0 dnf install -y ffmpeg trivalent
+run0 dnf update @multimedia --setopt="install_weak_deps=False" --exclude=PackageKit-gstreamer-plugin
 umask 022
 # Workaround for this problem: https://forum.qubes-os.org/t/upgraded-to-4-2-and-audio-no-longer-works/23130/60
-sudo dnf install -y pulseaudio-utils
+run0 dnf install -y pulseaudio-utils
 echo '[Unit]
 Description=Run pactl to work around edge audio bug
@@ -44,7 +44,7 @@ Type=oneshot
 ExecStart=/usr/bin/pactl info
 [Install]
-WantedBy=default.target' | sudo tee /etc/systemd/user/pactl.service
+WantedBy=default.target' | run0 tee /etc/systemd/user/pactl.service
 umask 077
From 7deb10ea6b0fb2a51a1ffcd65bc79c77a0d0b362 Mon Sep 17 00:00:00 2001
From: Ganwtrs
Date: Mon, 8 Dec 2025 18:03:05 -0800
Subject: [PATCH 13/16] Replace 'sudo' with 'run0' in vault.sh
Signed-off-by: Ganwtrs
---
 fedora-gnome/vault.sh | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/fedora-gnome/vault.sh b/fedora-gnome/vault.sh
index 91a45d3..4e19321 100644
--- a/fedora-gnome/vault.sh
+++ b/fedora-gnome/vault.sh
@@ -17,17 +17,17 @@ set -eu
 unpriv(){
- sudo -u nobody "${@}"
+ run0 -u nobody "${@}"
 }
 download() {
- unpriv curl -s --proxy http://127.0.0.1:8082 "${1}" | sudo tee "${2}" > /dev/null
+ unpriv curl -s --proxy http://127.0.0.1:8082 "${1}" | run0 tee "${2}" > /dev/null
 }
 download https://raw.githubusercontent.com/TommyTran732/QubesOS-Scripts/main/etc/qubes-rpc/qubes.SshAgent /etc/qubes-rpc/qubes.SshAgent
-sudo chmod +x /etc/qubes-rpc/qubes.SshAgent
+run0 chmod +x /etc/qubes-rpc/qubes.SshAgent
 # Not using openssh-askpass here, because of this bug:
 # https://github.com/QubesOS/qubes-issues/issues/9741
-sudo dnf install -y keepassxc okular pinentry-gnome3
\ No newline at end of file
+run0 dnf install -y keepassxc okular pinentry-gnome3
From 9a2fe571241608186edd278138ac64dd05e057d6 Mon Sep 17 00:00:00 2001
From: Ganwtrs
Date: Mon, 8 Dec 2025 18:08:16 -0800
Subject: [PATCH 14/16] Replace 'sudo' with 'run0' for Whonix Gateway script
Signed-off-by: Ganwtrs
---
 whonix/whonix-gateway.sh | 31 +++++++++++++++++--------------
 1 file changed, 17 insertions(+), 14 deletions(-)
diff --git a/whonix/whonix-gateway.sh b/whonix/whonix-gateway.sh
index 2a397ce..2842053 100644
--- a/whonix/whonix-gateway.sh
+++ b/whonix/whonix-gateway.sh
@@ -17,45 +17,48 @@ set -eu
 unpriv(){
- sudo -u nobody "${@}"
+ run0 -u nobody "${@}"
 }
 download() {
- unpriv curl -s --proxy http://127.0.0.1:8082 "${1}" | sudo tee "${2}" > /dev/null
+ unpriv curl -s --proxy http://127.0.0.1:8082 "${1}" | run0 tee "${2}" > /dev/null
 }
 # Setting umask to 077
 # Whonix defaults to zsh - I need to set it for zsh later.
 umask 077
-sudo sed -i 's/^UMASK.*/UMASK 077/g' /etc/login.defs
-sudo sed -i 's/^HOME_MODE/#HOME_MODE/g' /etc/login.defs
-echo 'umask 077' | sudo tee -a /etc/bash.bashrc
+run0 sed -i 's/^UMASK.*/UMASK 077/g' /etc/login.defs
+run0 sed -i 's/^HOME_MODE/#HOME_MODE/g' /etc/login.defs
+echo 'umask 077' | run0 tee -a /etc/bash.bashrc
 # Make home directory private
-sudo chmod 700 /home/*
+run0 chmod 700 /home/*
 # Avoid phased updates
 download https://raw.githubusercontent.com/Metropolis-Nexus/Common-Files/main/etc/apt/apt.conf.d/99sane-upgrades /etc/apt/apt.conf.d/99sane-upgrades > /dev/null
-sudo chmod 644 /etc/apt/apt.conf.d/99sane-upgrades
+run0 chmod 644 /etc/apt/apt.conf.d/99sane-upgrades
 # Install packages
-sudo apt-get install --no-install-recommends fwupd-qubes-vm qt5-style-plugins arc-theme -y
+run0 apt-get install --no-install-recommends fwupd-qubes-vm qt5-style-plugins arc-theme -y
+
+# Uninstall packages
+run0 apt-get purge -y su sudo runuser
 # Restrict /proc and access
-sudo systemctl enable --now proc-hidepid.service
+run0 systemctl enable --now proc-hidepid.service
 # Reduce kernel information leaks
 # Will break a lot of applications. The apps I use on Whonix work fine with it so I am enabling it.
-sudo systemctl enable --now hide-hardware-info.service
+run0 systemctl enable --now hide-hardware-info.service
 # Enforce connection padding
-echo 'ConnectionPadding 1' | sudo tee /usr/local/etc/torrc.d/50_user.conf
+echo 'ConnectionPadding 1' | run0 tee /usr/local/etc/torrc.d/50_user.conf
 # Theming
 download https://raw.githubusercontent.com/TommyTran732/QubesOS-Scripts/main/etc/environment /etc/environment
-sudo mkdir -p /etc/gtk-3.0
+run0 mkdir -p /etc/gtk-3.0
 download https://raw.githubusercontent.com/TommyTran732/QubesOS-Scripts/main/etc/gtk-3.0/settings.ini /etc/gtk-3.0/settings.ini
-sudo mkdir -p /etc/gtk-4.0
-download https://raw.githubusercontent.com/TommyTran732/QubesOS-Scripts/main/etc/gtk-4.0/settings.ini /etc/gtk-4.0/settings.ini
\ No newline at end of file
+run0 mkdir -p /etc/gtk-4.0
+download https://raw.githubusercontent.com/TommyTran732/QubesOS-Scripts/main/etc/gtk-4.0/settings.ini /etc/gtk-4.0/settings.ini
From 5e0bf3c71b66dba22e2f5f892a124818b730e50f Mon Sep 17 00:00:00 2001
From: Ganwtrs
Date: Mon, 8 Dec 2025 18:11:23 -0800
Subject: [PATCH 15/16] Remove sudo and the like from Whonix Workstation script
Signed-off-by: Ganwtrs
---
 whonix/whonix-workstation.sh | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)
diff --git a/whonix/whonix-workstation.sh b/whonix/whonix-workstation.sh
index c16236c..71d41e1 100644
--- a/whonix/whonix-workstation.sh
+++ b/whonix/whonix-workstation.sh
@@ -19,11 +19,11 @@ set -eu
 unpriv(){
- sudo -u nobody "${@}"
+ -u nobody "${@}"
 }
 download() {
- unpriv curl -s --proxy http://127.0.0.1:8082 "${1}" | sudo tee "${2}" > /dev/null
+ unpriv curl -s --proxy http://127.0.0.1:8082 "${1}" | tee "${2}" > /dev/null
 }
 # Setting umask to 077
@@ -31,7 +31,7 @@ download() {
 umask 077
 sed -i 's/^UMASK.*/UMASK 077/g' /etc/login.defs
 sed -i 's/^HOME_MODE/#HOME_MODE/g' /etc/login.defs
-echo 'umask 077' | sudo tee -a /etc/bash.bashrc
+echo 'umask 077' | tee -a /etc/bash.bashrc
 # Make home directory private
 chmod 700 /home/*
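Review bot: `run0 apt-get purge -y su sudo runuser` in the new `# Uninstall packages` block will most likely abort the script rather than remove anything: on Debian-based systems `su` and `runuser` are binaries shipped by util-linux, not standalone packages, so apt-get should report an unlocatable package and exit non-zero, which `set -eu` turns into a hard stop before the `proc-hidepid` and `hide-hardware-info` hardening below ever runs. If the intent is to drop the setuid helpers that run0 supersedes, `run0 apt-get purge -y sudo` is the part apt can act on; `su`/`runuser` would have to be handled separately, after checking which package owns them (e.g. `dpkg -S "$(command -v su)"`). The same purge line appears in the whonix-workstation.sh hunk `@@ -43,6 +43,9 @@` and needs the same fix. Whether any Whonix meta-package still depends on sudo is not visible here and is worth confirming before purging it.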
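Review bot: The new `unpriv` body ` -u nobody "${@}"` is broken — removing `sudo` left its `-u nobody` arguments behind, so every `unpriv curl ...` call now tries to execute a command literally named `-u`. Because this script has `set -eu` but no `pipefail`, the failed left side of `unpriv ... | tee "${2}"` is not fatal: tee still creates or truncates the destination, so /etc/apt/apt.conf.d/99sane-upgrades, /etc/environment and the gtk settings files end up empty instead of the script stopping. Either keep `run0 -u nobody "${@}"` as the sibling scripts do, or drop privilege without run0 via `setpriv --reuid=nobody --regid=nogroup --clear-groups -- "${@}"` (util-linux; unlike `runuser`, it is not purged later in this script). The unprefixed `tee "${2}"` and `tee -a /etc/bash.bashrc` also assume the whole script now runs as root, consistent with the unprefixed `sed -i ... /etc/login.defs` context lines in the second hunk — worth stating in the script header. Both `unpriv` and `download` are fully visible in the first hunk.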
@@ -43,6 +43,9 @@ chmod 644 /etc/apt/apt.conf.d/99sane-upgrades
 # Install packages
 apt-get install --no-install-recommends arc-theme pipewire-pulse qt5-style-plugins -y
+# Uninstall packages
+apt-get purge -y sudo su runuser
+
 # Restrict /proc and access
 systemctl enable --now proc-hidepid.service
@@ -57,8 +60,8 @@ download https://raw.githubusercontent.com/TommyTran732/QubesOS-Scripts/main/etc
 # Theming
 download https://raw.githubusercontent.com/TommyTran732/QubesOS-Scripts/main/etc/environment /etc/environment
-sudo mkdir -p /etc/gtk-3.0
+mkdir -p /etc/gtk-3.0
 download https://raw.githubusercontent.com/TommyTran732/QubesOS-Scripts/main/etc/gtk-3.0/settings.ini /etc/gtk-3.0/settings.ini
-sudo mkdir -p /etc/gtk-4.0
+mkdir -p /etc/gtk-4.0
 download https://raw.githubusercontent.com/TommyTran732/QubesOS-Scripts/main/etc/gtk-4.0/settings.ini /etc/gtk-4.0/settings.ini
From e34b81f98cff34f0e936c33fa9a4719d492392c4 Mon Sep 17 00:00:00 2001
From: Ganwtrs
Date: Mon, 8 Dec 2025 18:13:36 -0800
Subject: [PATCH 16/16] Replace 'sudo' with 'run0' for dom0 script
Signed-off-by: Ganwtrs
---
 dom0.sh | 28 ++++++++++++++--------------
 1 file changed, 14 insertions(+), 14 deletions(-)
diff --git a/dom0.sh b/dom0.sh
index bd32ce9..97a04ca 100644
--- a/dom0.sh
+++ b/dom0.sh
@@ -17,32 +17,32 @@ set -eu -o pipefail
 # Enabling discard and fstrim
-sudo sed -i 's/issue_discards = 0/issue_discards = 1/' /etc/lvm/lvm.conf
-sudo systemctl enable --now fstrim.timer
+run0 sed -i 's/issue_discards = 0/issue_discards = 1/' /etc/lvm/lvm.conf
+run0 systemctl enable --now fstrim.timer
-sudo qubes-dom0-update anti-evil-maid qubes-ctap-dom0 qubes-video-companion-dom0 qt5-qtstyleplugins
+run0 qubes-dom0-update anti-evil-maid qubes-ctap-dom0 qubes-video-companion-dom0 qt5-qtstyleplugins
 # Configure PCRs
-sudo sed -i 's/ --pcr 19//' /etc/anti-evil-maid.conf
-sudo sed -i 's/="/="--pcr 0 --pcr 1 --pcr 2 --pcr 3 --pcr 4 /' /etc/anti-evil-maid.conf
+run0 sed -i 's/ --pcr 19//' /etc/anti-evil-maid.conf
+run0 sed -i 's/="/="--pcr 0 --pcr 1 --pcr 2 --pcr 3 --pcr 4 /' /etc/anti-evil-maid.conf
-# Configure sudo prompt for domUs
-echo "/usr/bin/echo '1'" | sudo tee /etc/qubes-rpc/qubes.VMAuth
-echo "@anyvm dom0 ask,default_target=dom0" | sudo tee /etc/qubes-rpc/policy/qubes.VMAuth
-sudo chmod +x /etc/qubes-rpc/qubes.VMAuth
+# Configure run0 prompt for domUs
+echo "/usr/bin/echo '1'" | run0 tee /etc/qubes-rpc/qubes.VMAuth
+echo "@anyvm dom0 ask,default_target=dom0" | run0 tee /etc/qubes-rpc/policy/qubes.VMAuth
+run0 chmod +x /etc/qubes-rpc/qubes.VMAuth
 # Theming
-echo 'QT_QPA_PLATFORMTHEME=gtk2' | sudo tee -a /etc/environment
+echo 'QT_QPA_PLATFORMTHEME=gtk2' | run0 tee -a /etc/environment
 # Add extra gtk theming - this is probably not necessary, but why not
-sudo mkdir -p /etc/gtk-3.0
+run0 mkdir -p /etc/gtk-3.0
 echo '[Settings]
 gtk-theme-name = Arc-Dark
-gtk-application-prefer-dark-theme = true' | sudo tee /etc/gtk-3.0/settings.ini
+gtk-application-prefer-dark-theme = true' | run0 tee /etc/gtk-3.0/settings.ini
-sudo mkdir -p /etc/gtk-4.0
+run0 mkdir -p /etc/gtk-4.0
 echo '[Settings]
 gtk-theme-name = Arc-Dark
-gtk-application-prefer-dark-theme = true' | sudo tee /etc/gtk-4.0/settings.ini
+gtk-application-prefer-dark-theme = true' | run0 tee /etc/gtk-4.0/settings.ini