Apt-cache-ng/cacher proxy question

qEawma5f · March 27, 2025, 1:26am

Hi,

I’m trying to set up a cacher using this guide: shaker/cacher at main · unman/shaker · GitHub. I’m confused about whether to set the netvm to a VPN or sys-whonix. For those who have used the cacher, what do you recommend for the netvm?

Thanks!

unman · March 27, 2025, 1:54am

Hi. You can set the netvm to whatever best suits your use case.
I dont use whonix, but I do route traffic over Tor.
The choice is entirely up to you.

I never presume to speak for the Qubes team.
When I comment in the Forum I speak for myself.

qEawma5f · March 27, 2025, 9:30pm

Hello,

Thank you for your response.

Do you have Tor running within the cacher, or is sys-whonix the only netvm you are using?

I came across this discussion: sys-cacher questions · Issue #122 · ben-grande/qusal · GitHub, where @ben-grade recommended against using sys-whonix as a netvm or running Tor inside it. What do you think?

unman · March 28, 2025, 12:02am

I’m not a believer in mixing up things, so I wouldn’t run Tor in a cacher
qube.
I dont use Whonix, but I do run Tor proxies.
I place cacher downstream from a Tor proxy.

I dont see why you wouldn’t place cacher downstream from sys-whonix. This
looks wrong to me.
You can no longer run Tor over Tor, so you cant have any repo definitions
that use tor+https - you’d need to amend them just like you amend any
definitions that use https://.
Something like this would work in these cases:
sed -i s^tor+https://^http://HTTPS///^ REPO_DEFINITION
or
sed -i s^tor+http://^http://^ REPO_DEFINITION

Placing the caching proxy depends entirely on your needs.
Need to use Tor? Set the netvm as sys-whonix.
Need to use a VPN? Set the netvm to the VPN proxy.
Need both? i think you’ll see where this is going.
Need neither? Just set netvm as sys-firewall.

I never presume to speak for the Qubes team. When I comment in the Forum I speak for myself.

qEawma5f · April 5, 2025, 12:22am

Hi @unman

I’ve successfully set up the cacher, and everything is functioning properly. However, I’m getting an error with the Fedora 41 templates. I tried to remove them from the cacher, but the error persists.

 >>> Curl error (56): Failure when receiving data from the peer for https://codecs.fedoraproject.org/openh264/41/x86_64/os/repodata/repomd.xml 
>>> Curl error (56): Failure when receiving data from the peer for https://codecs.fedoraproject.org/openh264/41/x86_64/os/repodata/repomd.xml 
>>> Curl error (56): Failure when receiving data from the peer for https://codecs.fedoraproject.org/openh264/41/x86_64/os/repodata/repomd.xml 
>>> Curl error (56): Failure when receiving data from the peer for https://codecs.fedoraproject.org/openh264/41/x86_64/os/repodata/repomd.xml

qEawma5f · April 5, 2025, 7:46pm

Solved by changing the fedora-cisco-openh264.repo to

baseurl=http://HTTPS///codecs.fedoraproject.org/openh264/41/x86_64/os/

qEawma5f · April 5, 2025, 8:56pm

Now I’m stuck with flathub, is there a possibility to set that up with flatpak?
@solene @unman

solene · April 5, 2025, 8:58pm

I wrote a guide explaining how to use a reverse proxy to cache flatpak updates, it could easily be adapted to qubes os

Mirai · April 5, 2025, 9:28pm

Did not know setting up an update cache is this easy. Would be awesome if you could adapt it to Qubes

qEawma5f · April 6, 2025, 12:13am

I’ve ran this command

flatpak remote-modify flathub --url=http://my-cache.local:8082/repo/`

When I try to install a package, I get a 403 error, which is weird. I thought it was tor, but it was working fine without a cacher so I’m a bit lost can’t find anything on the internet too…

marcos-morar · February 8, 2026, 11:09am

Unable to set up apt-cacher for Whonix templates

When running this command:

sudo qubesctl --skip-dom0 --templates state.apply cacher.change_templates

I get the following errors on the Whonix templates:

whonix-workstation-18: ERROR (exit code 20, details in /var/log/qubes/mgmt-whonix-workstation-18.log)
whonix-gateway-18: ERROR (exit code 20, details in /var/log/qubes/mgmt-whonix-gateway-18.log)

The log for whonix-workstation-18 is as follows:

/var/log/qubes/mgmt-whonix-workstation-18.log

2026-02-08 15:24:15,702 calling 'state.apply cacher.change_templates'...
2026-02-08 15:25:18,349 output: whonix-workstation-18:
2026-02-08 15:25:18,349 output:
2026-02-08 15:25:18,349 output: Summary for whonix-workstation-18
2026-02-08 15:25:18,349 output: -----------
2026-02-08 15:25:18,349 output: Succeeded: 0
2026-02-08 15:25:18,349 output: Failed:   0
2026-02-08 15:25:18,349 output: -----------
2026-02-08 15:25:18,349 output: Total states run:    0
2026-02-08 15:25:18,349 output: Total run time:  0.000 ms
2026-02-08 15:25:18,349 output: /usr/lib/python3.14/site-packages/salt/template.py:74: DeprecationWarning: codecs.open() is deprecated. Use open() instead.
2026-02-08 15:25:18,350 output:   with codecs.open(template, encoding=SLS_ENCODING) as ifile:
2026-02-08 15:25:18,350 output: /usr/lib/python3.14/site-packages/salt/template.py:74: DeprecationWarning: codecs.open() is deprecated. Use open() instead.
2026-02-08 15:25:18,350 output:   with codecs.open(template, encoding=SLS_ENCODING) as ifile:
2026-02-08 15:25:18,350 output: /usr/lib/python3.14/site-packages/salt/template.py:74: DeprecationWarning: codecs.open() is deprecated. Use open() instead.
2026-02-08 15:25:18,350 output:   with codecs.open(template, encoding=SLS_ENCODING) as ifile:
2026-02-08 15:25:18,350 output: /usr/lib/python3.14/site-packages/salt/template.py:74: DeprecationWarning: codecs.open() is deprecated. Use open() instead.
2026-02-08 15:25:18,350 output:   with codecs.open(template, encoding=SLS_ENCODING) as ifile:
2026-02-08 15:25:18,350 output: /usr/lib/python3.14/site-packages/salt/template.py:74: DeprecationWarning: codecs.open() is deprecated. Use open() instead.
2026-02-08 15:25:18,350 output:   with codecs.open(template, encoding=SLS_ENCODING) as ifile:
2026-02-08 15:25:18,350 output: /usr/lib64/python3.14/multiprocessing/resource_tracker.py:396: UserWarning: resource_tracker: There appear to be 1 leaked semaphore objects to clean up at sh>
2026-02-08 15:25:18,350 output:   warnings.warn(
2026-02-08 15:25:18,350 exit code: 20

Additionally, Kicksecure gave a strange error:

kicksecure-18-vpn: ERROR (exception Snapshot origin LV vm-fedora-43-xfce-root not found in Volume group qubes_dom0.)

What does a Fedora-43 snapshot have to do with Kicksecure?

What should I do now?

I have many clones of Whonix Workstation, so I desperately need the cacher to work for Whonix.

One more thing: in the readme of the apt-cacher on github, @unman
wrote that Fedora templates need a few tweaks to work, but the specific tweaks were not mentioned. What are they?

unman · February 8, 2026, 12:30pm

Whonix is not supported - there was discussion of this some time ago,
and it was decided against.

I have no idea.

The proxy only affects updating of templates. Do you have many clones of
Whonix templates? IS this supported?

If you look in the salt you will see that changes are made to the repo
definitions, and there is extensive remapping of Fedora mirrors to try
to get maximum caching.

I never presume to speak for the Qubes team.
When I comment in the Forum I speak for myself.

marcos-morar · February 8, 2026, 2:19pm

Well then how can I undo it now? because I needed it mostly for whonix.

Is there a script to uninstall it completely?