Automate debian-minimal based template creation

Yep, that’s another way of doing it, and quite feasible for me, actually.

My big script defines two prefixes now: deb11m and deb11a. m stands for minimal, and a for app. Now the 11a templates ultimately spring from the minimal template but they all start with so much stuff it didn’t seem right to me to continue to call it 11m. (Basically 11a is the bare minimum I’d want to deal with as a user.) Also, they alphabetize cleanly into two groups: templates for system level VMs, and templates for “user level” VMs–handy in menus and the manager (which I do use a lot since it shows me multiple VMs at once and it’s easy to do a side-by-side comparison (even if it’s actually over-and-under).

I could always just change these two to something different (then next time change them back) and I’d be close to what you’re saying at least in concept.

I thought I had read this entire thread, but I must have got overloaded because I didn’t remember the prior description you referenced. Sorry about that!

I agree about salt. It looks like it could be wonderful, but I simply can’t understand the documentation because it talks about entities (columns, etc.) without relating them to what it is I am actually trying to configure (and if it’s not something made for Qubes that is quite understandable, but doesn’t make it easier). What corresponds to a VM Template I am trying to create? I dunno.

Lots of food for thought here; thanks!

I finally got to this

Unfortunately, no matter how many hoops I jump through the damn thing is unfindeable.

When I try to issue wget, it first tells me I already have the key ring then it says it can’f find ‘

I wish people would just use a damn regular install sequence instead of overcomplicating it with this crap.

1 Like

I thought it is not worth to open a new topic on this and since it is part of my auto deb-mini tpl script I place it here.

I tried to make a generic function for gpg key download and apt update. Beside the well known Signal case, I picked Sublime and Librewolf. Now, I wonder about their installation instructions.


(Installation on Debian based systems – LibreWolf)

wants to save the gpg key to

and for the apt it is suggesting a .sources file
with a Signed-By: /usr/share/keyrings/librewolf.gpg link.


(Linux Package Manager Repositories)

gpg key instructions points to

and the apt wants a .list

My question what are the differences? Why, historical reasons, more generic, more robust…? Any pro and cons?

Any pro cons related to Qubes OS, or minimal templates?


1 Like

ok, found it:

side note: apt-key(8) will last be available in Debian 11 and Ubuntu 22.04.

1 Like

Thank you for doing this @Sven. Already recreated most of my qubes using this method. Very easy to modify and create templates as needed. Hopefully this method works into the foreseeable future.


Hi mini-template users,
what do you think about a simple table which helps everyone to find the proper packages?

Something like:

Program or Feature: Signal
Required package:

  • curl : required to download the gpg key for the apt repository
  • qubes-core-agent-networking : to allow internet access
  • qubes-core-agent-nautilus : …
  • nautilus : …
  • zenity : …
  • gnome-keyring : …
  • policykit-1 : …
  • libblockdev-crypto2 : …
  • dunst : …

Qubes OS release: 4.1
Debian release: 11
Comments: …


I think that’s a good idea. How would one go around documenting the required packages on a debian/fedora system? Does apt/dnf offer such a table view?

You mean somethimg like this?

Yeah, this was my inspiration. But now, I am looking for a place to store this is a more structured way. Maybe a kind of table. I would skip the customized base line template since this will be very individual but the other elementary qubes (network, usb…) and the “application” qubes could be documented in a predefined table or matrix.

If I find some supporter I would like to ask the community to add and maintain / verify the packages over time.

i.e. if you know how to make minimal template for Signal you should be able to clone it for Session, Threema, Element… with that we extend the list easily and new mini tpl users get a good structure to start with.


@whoami … start a wiki post in this category and go for it.


Ok, maybe I overlooked something. Is there a wiki option here? Do I have permission to enable it?

Under each post there is a button with three dots, when you click it the options expand. Then click the wrench and see if there is a “make wiki” option. Once that’s enabled everyone can edit that post.

So you could start a new thread, make the first post a wiki and start documenting. That’s how e.g. the community-recommended list works.

As an example, I made this post a wiki … so you should be able to edit it.

Edit: I edited this.

I’ve checked just now, @Sven, and there is no option for make wiki on or in relation to the three dots after each post (expanded a few, no wrench either) and your post has an addition to the post which comes from what you did (little icon next to the area your post depicts the time since your post was made & an icon plus the text Edit beneath where a person would presumably modify your post) but it’s unclear how any of us would achieve that. Maybe you see things differently because of your status?

@deeplow which TL is required to edit Wiki posts?

Trust level 1 to edit. Trust level 3 to create. Sorry for the delay.

1 Like

I just created one for you here: Mini-templates Required Packages (Wiki)

Let me know if you have any issues.

1 Like

Question about apt-cacher:

For an automated minimal template script I wonder where to set the apt-cacher setup and configuration.

Doing all templates first and then at the very end setup the apt-cacher and do the sed command in all templates (one-by-one)?

Or make the apt-cacher installation at the very beginning of the script? But then how to deal with the baseline (customized) template? How to install and update the packages of baseline template?

In other words, what is your installation order of your automated script when you run it on a fresh and empty Qubes installation?

(one more)
I am looking for a scriptable solution to automate the Application selection.

If I run my template creation process and afterward my AppVM I still have to add the program to the Selected List (Q > Qubes > Qubes Settings > Application Tab > select and move > confirm with OK). I could not find a qvm- command for this and the App menu shortcut troubleshooting | Qubes OS did not show a solution for the selection (only for the application list).

1 Like

Here’s my take - I install the caching proxy on install, and immediately
reconfigure the templates.
That way any cloned templates are ready to work with the cacher.
The fact I do this with salt is immaterial - I did the same when working
with scripts.
The only time you have to hit a new template is if it is freshly
installed. I have a salt state for that but you can keep a script to do
it with qvm-run.

I never presume to speak for the Qubes team.
When I comment in the Forum or in the mailing lists I speak for myself.
1 Like

My current setup is (for a fresh and empty installation).

install debian-11-minimal
clone minimal template and modify (=deb-11-m-base)

clone and create new templates
and AppVMs

create and config apt-cacher
search for all (mini) templates
and loop the sed command for all (mini) templates