Automate debian-minimal based template creation

In its current form the ‘note’ is about template creation, not qube creation (disposable templates). That’s of course something I also automate, especially for the disposable sys-qubes.

Thank you for the feedback, I’ll add a clarification and later a second ‘note’ on how to automate the creation of some common qubes.

@whoami as a rule of thumb: do it first manually in the actual cloned template, step-by-step and find/solve all issues this way. Then when you have a sequence that works, write the dom0-based shell script that reflects it.

If there is an issue with this specific debian-minimal based flatpak install thingy… make a separate thread for it please.
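A sketch of the kind of dom0 script that rule of thumb leads to, added here as an example; it is not taken from Sven's note or from any poster's script. The clone name `tpl-example` and the package list are assumptions, and with the default `DRY_RUN=1` it only prints the commands so they can be read before anything runs in dom0.

```shell
#!/bin/sh
# Added example, not from the thread. Run in dom0 after the manual steps work.
SRC="${SRC:-debian-11-minimal}"              # template named in the thread
DST="${DST:-tpl-example}"                    # hypothetical name for the clone
PKGS="${PKGS:-qubes-core-agent-networking}"  # example package list (assumption)
DRY_RUN="${DRY_RUN:-1}"                      # 1 = print only, 0 = execute

# Print each command so it can be read first; execute only when DRY_RUN=0.
step() {
    printf '+ %s\n' "$*"
    [ "$DRY_RUN" = "1" ] || "$@"
}

build_template() {
    # Reject names that could be parsed as options or contain shell syntax.
    case "$DST" in
        ''|-*|*[!A-Za-z0-9_.-]*) echo "bad template name: $DST" >&2; return 2 ;;
    esac
    # PKGS is pasted into a root shell command line inside the template, so
    # accept only words made of characters valid in Debian package names.
    [ -n "$PKGS" ] || { echo "empty package list" >&2; return 2; }
    set -f                      # no globbing while splitting PKGS on spaces
    for p in $PKGS; do
        case "$p" in
            -*|*[!a-z0-9+.-]*) set +f; echo "bad package name: $p" >&2; return 2 ;;
        esac
    done
    set +f
    step qvm-clone "$SRC" "$DST" || return 1
    # maxmem 0: no memory balancing, as in the note quoted in this thread.
    step qvm-prefs "$DST" maxmem 0 || return 1
    step qvm-run --pass-io --user root "$DST" \
        "apt-get update && apt-get install --no-install-recommends -y $PKGS" || return 1
    step qvm-shutdown --wait "$DST" || return 1
}

build_template
```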

Yea, I did it like this, step-by-step. Wasn’t easy for me as ‘low-code-developer’ :face_holding_back_tears:

Anyways, I have made a template for the templates …

With this I am building up my scripts based on your explanations. I will publish it on Gitea and share the link in the coming days…

1 Like

Looking forward to seeing that.

I just browsed through https://github.com/a-barinov/liteqube. Wow, I see no reason to continue my work when I see that we already have such well structured and coded work.

I will pause my work on building my mini-templates. Instead, I will spend my time reviewing the liteqube code, and if I feel confident with the code I will work on the customization section.

If someone is interested in the current state of my mini-script, just drop me a direct message.

3 Likes

I also studied Liteqube, I ran my eyes over the code and due to my limited understanding it did not confuse me.
I plan to install Kicksecure security patches over Liteqube, I’ll be sure to make a report.
But, I ran into problems during the installation phase, I tried to solve them, but I lack the understanding to read the scripts.

I’m waiting for your conclusions on code analysis :slight_smile:

I agree, LiteQube looks really good. Will be checking it out.

I was partway through developing my own set of minimal scripts–actually most of the way–and I have about a zillion templates out there now (inspired by Sven, and I was trending towards pushing a script onto a qube template and letting it initialize itself rather than making a zillion calls to qvm-run). I don’t know how much I’ll be able to use this for AppVMs (though it looks like it may either solve some problems with my workflow or get me started learning what to do), but I can at least slim down the sys qubes!

Most of my other tweaks to the system have been in defaults and the Menu’s list of apps–I can write a script for the latter with what I know today (and this mostly affects AppVMs, not templates).

I tested Liteqube on my test machine. In my opinion it is still raw for an amateur like me: there were many small problems that had to be solved, and there was also a problem when I decided to make 1 template on 1 vms; it worked, but the no-gui terminal did not want to run with templates that are not named “debian-core”. In addition, I didn’t have enough knowledge to read the code, so I won’t risk installing it on my main machine.
The interesting thing about Liteqube is that it somehow transfers Xorg to another qube, although I haven’t seen it start when I ran the tests. Is there any way I can disable Xorg on my minimal templates?

I decided to finish my scripts following Sven’s instructions, but I have a desire to make debian-11-minimal even smaller like Liteqube does, from his posts on Reddit I learned that he additionally clears the minimal template, but going into the scripts I can’t find how exactly this is done. I will be glad if someone can tell me commands or packages which can be safely removed. :slight_smile:

Thanks for reading :slight_smile:

1 Like

I would appreciate it if someone could review my template for minimal templates. Do not expect high-quality coding since my C++ course was more than 10 years ago…

Up to now, I did not use any helper scripts or functions. As proposed by Sven it would make sense to add a lib with some functions like feature-audio, feature-file-manager etc. or some “shortcuts”-functions like Liteqube to improve the code.

To use my template for minimal templates you basically just need to modify two code sections. The rest of the code is feedback, if and while loops to ensure proper settings and the possibility to do the customization via a terminal dialog. Personally, I also found it pretty useful for testing.

The template is here: template for minimal templates - Pastebin.com

For a quick preview that actually does nothing (no cloning, no installation) I made this: minimal template example - Pastebin.com

My goal would be to create a git with some fundamental VMs (net, firewall, vault, usb…)
A second group with commonly used VMs (office, printer, ssh, …)
And a third group with some special VMs (Monero wallet, git, syncthing, …)

I also wonder if it is possible to make a script for a minimal VPN template… Anyways, all this only makes sense if some community members would like to support this and fill in their minimal templates.

As @Sven already described, it could be used to help mini-templates-newbies to get started or use it as quick rebuild of a personal Qubes setup.

What do you think:
(as already stated several times) minimal templates != for Qubes newbies ?

Would it be beneficial to start with a git archive to collect, improve and maintain minimal templates?

1 Like

@whoami I don’t think it’s a good idea to make these scripts available for several reasons:

  • It trains/enables users to download and run bash scripts they do not read or understand – in dom0!

  • Instead of teaching users how to build their own minimal templates and how to solve dependency problems, you’ll end up with lots of unskilled users being frustrated and blaming Qubes OS for being “not ready” / “too hard” when things don’t work immediately as they expected.

  • These scripts will become stale quickly and need to be maintained.

  • People will start complaining that you don’t provide a script for their favorite use case / application and “Qubes OS sucks!” etc.

It’s the good old “if you give a man a fish, you have fed him for a day, but if you teach him to fish, you have fed him for a lifetime” thing. :wink:

1 Like

OK, a few things I’ve noticed about the Arkenfox profiles setup:

  1. It reinstalls your plugins every time you open the window. This is very annoying because download helper always pops up a tab to congratulate you for installing it (after taking 5 to 10 seconds to re-download for the nth time). It generally pops up halfway through my typing the URL I am interested in, and of course it seizes keyboard focus mid-URL. I was trying to avoid gratuitous stupid tabs like this.

  2. It seems like most of the web pages I visit just present me with a blank page. I then have to go into settings and re-enable everything that got disabled, though I never found a switch to (re) enable javascript (is it disabled?), so oftentimes that isn’t enough to do the job. (The only thing that seems to be under my control at runtime is cookie/tracking preferences.)

If this is a disposable template, why are we disabling that stuff? It supposedly CANNOT do us any lasting harm.

  3. Even though the settings clearly say google search, etc. aren’t being installed they still show up in the running window as choices. In fact, I haven’t figured out how to COMPLETELY DISABLE search from the address bar. [To be sure there may be no such way. Damn Firefox for putting that “feature” in and replacing autocompleting of an incomplete URL.] Oh, you can put a SEPARATE search bar in, but that doesn’t make the URL field NOT a search field. In fact, right now my address field (in a window I just opened) shows google, and everything else that’s supposedly disabled, as an option at the bottom of the dropdown when I put the cursor in the URL-and-dammit-search bar.

Part of the problem with this whole schema is if you don’t know what Firefox named the settings you can’t adjust the ones not already referenced in the template. That’s on Firefox for being obscure, though, not on anyone here.

So in sum, I wonder why I bothered with this. It gives me a non-functional page most of the time (blank when I visit a website) so I end up having to use a regular window to go visit, and it STILL isn’t clean by my lights.

1 Like

You might want to give LibreWolf a try, instead of constantly fiddling with arkenfox.js and about:config settings of Firefox.

1 Like

I will set LibreWolf as my new default Firefox for all my minimal templates. It is how Firefox should be by default.

1 Like

Looks like it’s one of those doggone things you need “wget” to install.

wget or curl both do the same, both are no problem.

Just open the template terminal and follow the install routine. Make sure you have wget or curl installed (apt install -y curl wget).

http://127.0.0.1:8082/ is doing the magic.

curl should also work:

curl --proxy http://127.0.0.1:8082/ -s https://deb.librewolf.net/keyring.gpg | apt-key add -
1 Like

As I recall there was some issue with exposing dom0 to the internet with that stuff.

You don’t install LibreWolf to dom0.

You don’t, but in order to install it ANYWHERE, don’t you have to expose dom0 for that stuff?

@Sven
I was reading your blog post about automating the debian templates.

I have a question regarding this line:
“[We set] the maxmem property to zero, which signals we do not want memory balancing.”

Why is this? From reading the
$ qvm-prefs --help-properties debian-11
and
$ man qvm-prefs
I see that maxmem allows the template (and the app-qubes based on that template) to dynamically adjust the memory allocated to them (starts with 400 MB and goes up to 4 GB).

Why do you suggest switching off this behavior for a deb-11-minimal template?

Nope, but you should know what you are doing. Best is to first clone your template (or even better using a minimal template) and install with http://127.0.0.1:8082/

1 Like