A Question about My Setup

Jedi · May 23, 2025, 2:31am

So, I’m new to the forum, but not new to Qubes, and definitely not new to the world of Linux.

My question purely aims to ask, “Is this correct?”

So I got bored and finally decided to create minimal Templates for all my default sys-qubes: firewall, net and USB. This is a project I’ve been wanting to do. Not necessarily for added security (as I understand it offers little extra), nor to save on RAM (I have plenty to go around), but rather just to tinker with Qubes to learn the system better.

So, first I downloaded fedora-41-minimal. Then I cloned it twice, leaving me with three: minimal-firewall, minimal-net and minimal-usb.

Then I cloned my default-dvm twice: I named one default-dvm-firewall and the other default-dvm-usb, and based those off of their respective minimal Templates. I based sys-firewall and usb off of these, respectively. And I based sys-net off of minimal-net.

Within each Template I downloaded only the necessary packages per qube, as outlined in the official Qubes documentation. This way, for instance, sys-net is only fedora-41-minimal + a handful of network-specific packages. Same with sys-firewall, only with firewall-specific packages. And same with sys-usb.

Everything is based off the correct Template, and all the packages Qubes said are needed are installed.

My question is: Is my thinking correct? Did I miss anything? Did I potentially mess something up? Will my computer self destruct in one hour?

PS

The only problem I foresee is each qube will have to independently update, and when Fedora 42, 43, etc, come along, I’ll have to replace everything.

Do most people use only one minimal Template (with all net, firewall, and usb packages) for each sys-qube?

murdock · May 23, 2025, 4:59am

Looks not incorrect, but means a lot of templates, that you have to update separately.

Jedi · May 23, 2025, 6:02am

Thank you for your response!

Right, that’s a lot of updating and replacing templates (when that time comes). So do people generally have only one minimal-Template for all of their sys-qubes?

murdock · May 23, 2025, 7:10am

Hmm, i have one minimal template for all sys qubes, additionally one minimal template each for mail, printing and one with only an webbrowser (for exploring the dark and grey edges of the net).
The sys-usb qube has no network access additionally, so the attac vector there is minimal also.

parulin · May 23, 2025, 8:01am

I do have multiple minimal templates.

As for upgrading the distro version (ie: fedora-40 to fedora-41), I use salt, so it’s very easy to recreate the templates.

As for upgrading individual packages, I use unman’s cacher to reduce the downloads and speed up the process.

fsflover · May 23, 2025, 11:13am

This looks like a relevant discussion:

unman · May 23, 2025, 12:01pm

I was gong to reply in detail, but @parulin has said everything for me.
(I tend to use Debian templates).

I never presume to speak for the Qubes team.
When I comment in the Forum I speak for myself.

Euwiiwueir · May 24, 2025, 4:50pm

Like unman and parulin, I have (perhaps overly many) customized minimal templates, programmatically created, and I use a variant of unman’s cacher qube to streamline the update process. Mostly Debian here.

Jedi · May 25, 2025, 7:49am

Quick question, it seems upon doing this that sys-whonix no longer restarts after sys-net (now based on a minimal Template) reboots. I have to manually restart the qube. Was there a script for the regular Fedora Template for this?

murdock · May 25, 2025, 4:41pm

??? How should this happen? sys-whonix starts, when sys-net is restarted?
This can only be true, if sys-net depends on sys-whonix as network qube.
But the default is the other direction: sys-whonix depends on sys-firewall and sys-firewall depends on sys-net.
So in the default setup is: if you start sys-whonix, then sys-firewall will be autostarted. And because sys-firewall starts, sys-net will be autostarted.

Jedi · May 26, 2025, 5:05am

Yes, I understand all that. My issue is that when I rebooted sys-net and sys-firewall (after an update), sys-whonix turned off but not back on. This isn’t something I’ve experienced before.

Interestingly, when I go to recreate it (without an update involved), sys-whonix stays powered on.

Jedi · May 27, 2025, 6:54pm

Okay, it happened again. Upon rebooting my sys-net/usb/firewall after an upgrade, sys-whonix shuts down and doesn’t start back up. This did not happen before.

Upon looking at sys-whonix’s net qube, I see it was sys-firewall, not “default (sys-firewall).” I switched it to default to see if that changes any behavior going forward.

SteveC · May 28, 2025, 6:01pm

I’ll check the obvious. If this is obvious to you I apologize.

In the settings for a qube, there’s a checkbox for “autostart on startup” (or something equivalent; I’m not on my qubes system or I’d check) on the first tab.

Make sure that’s checked.

Jedi · May 29, 2025, 4:05am

It is

Interestingly, when I switched to “default (sys-firewall)” it started starting up again after a sys-firewall update.

There was a tip somewhere that I read where a guy said something like, "Now, to set this up, choose regular firewall, not “default.” I’d always wondered why he said that, but clearly they behave differently.

Jedi · May 29, 2025, 4:51am

Another weird quirk started (after switching to minimal sys-qubes). When I turn on my wireless mouse, two sys-usb dialog boxes pop up asking me if I want to accept the mouse (upon each booting of sys-usb).

On the one hand, I kind of like this. It feels like extra security. And also, it’s not like it’s annoying or anything. Two quick clicks and I’m done. But on the other hand, I would like the option for added convenience.

Now, when I nano

/etc/qubes-rpc/policy/qubes.USB

I see

$anyvm $anyvm deny

This seems like a clue, but I’ve never edited this file, so if it usually says “allow,” does that mean that by switching from the default sys-qube it was triggered to say deny?