Debian-10-minimal Configuration

I’m interested in converting as many of my Debian AppVMs as possible to debian-10-minimal-template to reduce their attack surface, and then documenting how to get to an ideal configuration for each qube function, so that other noob-intermediate users can also use the minimal template. The docs didn’t give me a good idea of how much tinkering would be required. So my question is twofold -

  1. Would anybody be interested in collaborating to document Debian-10-minimal configuration for different popular qube uses? In short, making a debian equivalent to this community doc, as well as perhaps a ‘user-setup’ doc which provides a more detailed look, which has been done for Fedora (though outdated) here and here. (I am in the noob-intermediate user range, and don’t have an advanced understanding of Linux architecture). I’m also just interested in hearing more detail about the minimal template configuration different users have mentioned experimenting with @Sven @unman @fiftyfourthparallel

  2. How have you had to minimally modify the debian-10-minimal-template for each of these Qube uses? I’ve sorted them by Networking setting:

Qubes with no networking:

Qubes with Sys-firewall networking

  • Work-email (as per Advanced Split GPG using Subkeys)
  • Personal / Work (which comes with install using Fedora, and presumably has a pretty broad use, but lets say a bare minimum of text editing and Firefox)
  • Debian-10-dvm
  • StandAloneVM for installing software from outside of deb repos (Signal, Element, etc. - this qube will have a lot of variance of course…)

Qubes with Sys-net networking

I’ve just included AppVMs I personally want to use Debian for, but please also include other Qube uses :slight_smile: (for example, VPN - mine’s on my router).

Another way of framing the question - which Qube uses don’t make sense for a debian-10-minimal-template (if any)? Where do things usually start to break?

In Qubes 4.0, additional packages from the qubes-core-agent suite may be needed to make the customized minimal template work properly. (from Doc)

In your experience, which of these additional packages have proven necessary in different uses?

Do you find there are qubes where fedora-32-minimal-template is better suited?

For those interested in collaborating on documentation, perhaps github would be a better platform?

Thanks!


Hi. I would like to make a minor comment that could be useful for your efforts. Qubes documentation says that NetVMs, such as the template for sys-net, require qubes-core-agent-networking.
It fails to mention that ALL AppVM based on Debian need qubes-core-agent-networking to connect to the Internet, and is therefore an essential package for non-vault AppVMs.

Also, I could not find vim-minimal in the repository. It is listed as a commonly used utilities. Could it be the Fedora package name, and that the package has another name for Debian?

@adw documentation feedback

My d-10-m templates are as small as they can get (I’ve tried to probe for even smaller templates before), and I create a new template for every role and every security level. This means a lot of templates, which means a lot of time spent individually updating each if using the standard update procedure. In my case updates are handled through a single command using tasket’s qubes-update-all command with the appropriate modifiers.

As for what I install, it’s really just what’s written in the documentation since I’m not technical enough to do much more. So for all network-connecting qubes, install qubes-core-agent-networking, for all qubes that need audio output, install pulseaudio-qubes, etc. Occasionally I venture away from the documentation and install exfat-fuse and ntfs-3g, and once in a blue moon I go wild and do something like install firefox from the unstable repository (I can hear the gasps from the audience).

It’s all fairly straightforward–just start with a clean minimal template and add enough packages so it can do what you want it to, and add no more than that. The existing documentation has served me well, though it can be formatted for better readability.


My approach is slightly different - more of an “80-20”. I don’t consider myself under any serious threats, so simplicity is perhaps a bit more important than for others. Nevertheless, I appreciate the idea of reduced attack surface!

I don’t strip the d-10-m template at all, and the only thing I add to it is passwordless-root. I then create a d-base template and add the packages that for convenience or whatever I want in every template. d-base is actually useable with nothing else added for a few qubes…

Then as @fiftyfourthparallel for all other purposes I clone and add the software specific to the given purpose.

Still leads of course to a lot of templates. To handle updates more reasonably I use apt-cacher-ng to speed the regular Qubes Update (thanks @unman!).


Any and all contributions to documentation are welcome, including
formatting.

I also use minimal templates extensively, and some micro templates for
specific uses.
But, it can't be over stressed that minimal templates are meant to be
for advanced users, and carry a health warning to that effect.

In case you (or any others reading this) are not already aware, the documentation is a community effort, and everyone is welcome to contribute. (That’s how things like this get updated!) So, if you’d like to get involved with the project, this is a great way to do it. You can read more about how to submit documentation changes here:

  1. Would anybody be interested in collaborating to document
    Debian-10-minimal configuration for different popular qube uses?

Sure, we should probably stage it here:
GitHub - Qubes-Community/Contents (community documentation, code and links to third-party resources; see its issues and pull requests for pending content) and once it's ready have a
conversation with @adw about if and where to contribute this to the main
documentation on the Qubes website.

I’ll post some of my configurations at the end of this comment as an
example to build on.

  2. How have you had to minimally modify the
    debian-10-minimal-template for each of these Qube uses?

I pretty much have a template for each AppVM qube, with a few that are
used by multiple qubes (e.g. mail, browser). This might sound like a big
deal, but isn’t as these templates are very small and I use
apt-cacher-ng in sys-firewall so every updated package is only
downloaded once and then cached for all templates that need it.

The AppVMs based on them also require surprisingly little memory. Both
my sys-net and sys-usb run at 160 MB each. The mail (thunderbird) ones
run at < 600 MB.

Do you find there are qubes where fedora-32-minimal-template is
better suited?

No. I might not use fedora right, but I find its dependencies a mess.
There is no --no-install-recommends equivalent and the most innocent
install requests result in many extremely unnecessary packages being
installed. Also it’s not unusual to have several updates per day and
frequent version updates that actually break things. I am starting to
consider fedora as not stable.

Also caching fedora updates using apt-cacher-ng is far from straight
forward, but very useful if you want to have many templates. Finally the
fedora minimal template starts out already larger than debian minimal.

Some of my basic templates…
(apologies, the forum software is giving me a hard time pasting in some bash scripts here, the formatting gets all messed up – I'll follow-up tomorrow)


Personally, I would appreciate a short demo movie on: Let’s make a minimal debian-template in Qubes OS.

I never did a minimal-template so I am very interested in your docs. My support will be limited but I will do some “noob-intermediate” tests as soon as you have your docs ready :wink:

It’s fairly straightforward terminal work, so a short demo movie isn’t necessary.

Step 1: Download the desired minimal templates

Step 2: Update and upgrade the template(s) and make universal changes (changes that you want all your templates to inherit). An example of some universal changes would be enabling sudo prompt (which counterintuitively involves installing passwordless root and then disabling it) or enabling AppArmor. You can find out how to do those specific tasks elsewhere.

Step 3: Find out which packages are needed for the template to do what you want it to do (i.e. read the documentation)

Step 4: Clone your templates and install the appropriate packages, then configure settings. There’s not much special about this part except for PCI VMs like sys-usb and sys-net, where you have to alter kernel options and service settings. This is all covered in the documentation.

Before I actually used minimal templates, I was expecting to do a lot of difficult things to get them working, but it turns out it’s simple. If you know your way around basic Linux commands and the basics that are covered in the documentation, it’s child’s play. If you don’t know basic Linux commands I wouldn’t recommend using minimal templates (the basic Linux commands involved are so easy, even I know how to use them–you could probably learn them in 30 mins).


Thanks. I will try this as soon as I have some free time.


Ok, so I had to change the format of this summary to make it work with the forum. All commands you see here are meant to be done in dom0 terminal.

  1. Installing debian-10-minimal…

sudo qubes-dom0-update qubes-template-debian-10-minimal

  2. Clone and set up your own minimal template

qvm-clone debian-10-minimal tpl-deb-10-min

  • If you have a HiDPI display, you might want to set the dpi early at this step to avoid having to do it over and over in derived templates:

qvm-run --pass-io -u root tpl-deb-10-min 'echo "Xft.dpi: 144" >> /etc/X11/Xresources/x11-common'

  • If you are using apt-cacher-ng already, you will need these lines (if you don't know what that is, skip it)

qvm-run --pass-io -u root tpl-deb-10-min "sed -i -- 's|https://|http://HTTPS///|g' /etc/apt/sources.list"
qvm-run --pass-io -u root tpl-deb-10-min "sed -i -- 's|https://|http://HTTPS///|g' /etc/apt/sources.list.d/*.list"

  • Run all updates:

qvm-run --pass-io -u root tpl-deb-10-min "apt update && apt full-upgrade -y"

  • I don't do this, but if you want password-less sudo in your qubes, run this:

qvm-run --pass-io -u root tpl-deb-10-min "apt install --no-install-recommends qubes-core-agent-passwordless-root -y"

  • I like XTerm, so I am setting it as default terminal and shutting down the template:

qvm-run --pass-io -u root tpl-deb-10-min "update-alternatives --set x-terminal-emulator /usr/bin/xterm && poweroff"

  3. I don't like keeping installed templates around and we already made our own clone … so now remove the installed template.

sudo dnf remove qubes-template-debian-10-minimal

  4. Let's make the template for sys-net
  • we need network: qubes-core-agent-networking
  • and the network manager to select WiFi networks: qubes-core-agent-network-manager
  • gnome-keyring is needed for the network manager to remember WiFi passwords
  • firmware-iwlwifi is needed for my WiFi adapter, so this differs from device to device. If your WiFi is from Intel there is a good chance this will work.

qvm-clone tpl-deb-10-min tpl-deb-10-sys-net

qvm-run --pass-io -u root tpl-deb-10-sys-net "apt install --no-install-recommends qubes-core-agent-networking qubes-core-agent-network-manager gnome-keyring firmware-iwlwifi -y && poweroff"

  5. Now the template for sys-usb
  • qubes-usb-proxy is needed wherever you'll want to use USB
  • qubes-input-proxy-sender is needed if you want to use a USB mouse / keyboard
  • nautilus & zenity needed to have GUI support in e.g. Qubes backup
  • policykit-1 and libblockdev-crypto2 needed to mount encrypted drives
  • ntfs-3g needed to be able to mount NTFS formatted drives

qvm-clone tpl-deb-10-min tpl-deb-10-sys-usb

qvm-run --pass-io -u root tpl-deb-10-sys-usb "apt install --no-install-recommends qubes-usb-proxy qubes-input-proxy-sender qubes-core-agent-nautilus nautilus zenity gnome-keyring policykit-1 libblockdev-crypto2 ntfs-3g -y && poweroff"

  6. A template for sys-firewall
  • obviously we need networking: qubes-core-agent-networking
  • and we want to make dom0 updates using sys-firewall: qubes-core-agent-dom0-updates
  • apt-cacher-ng to be able to cache updates (see notes/apt-cacher-ng at master · unman/notes · GitHub) … this is optional but very helpful if you have many templates
  • when installing apt-cacher-ng there is an interactive setup, so all the extra stuff in this install command is to suppress that and go with the default.

qvm-clone tpl-deb-10-min tpl-deb-10-sys-firewall

qvm-run --pass-io -u root tpl-deb-10-sys-firewall "DEBIAN_FRONTEND='noninteractive' apt-get -y -o Dpkg::Options::='--force-confdef' -o Dpkg::Options::='--force-confold' install --no-install-recommends qubes-core-agent-networking qubes-core-agent-dom0-updates apt-cacher-ng"

qvm-run --pass-io -u root tpl-deb-10-sys-firewall "systemctl mask apt-cacher-ng && poweroff"

qvm-features tpl-deb-10-sys-firewall qubes-firewall 1

  7. Template to base the management dvm on
  • needs qubes-core-agent-passwordless-root and qubes-mgmt-salt-vm-connector

qvm-clone tpl-deb-10-min tpl-deb-10-sys-mgmt

qvm-run --pass-io -u root tpl-deb-10-sys-mgmt "apt install --no-install-recommends qubes-core-agent-passwordless-root qubes-mgmt-salt-vm-connector -y && poweroff"

  8. My vault template
  • gnupg & qubes-gpg-split obviously
  • keepassx is optional, but I like my password manager to be in the vault
  • qt5-style-plugins, gtk2-engines-murrine and QT_QPA_PLATFORMTHEME=gtk2 are needed to make keepassx obey the system theme

qvm-clone tpl-deb-10-min tpl-deb-10-vault

qvm-run --pass-io -u root tpl-deb-10-vault "apt install --no-install-recommends gnupg qubes-gpg-split keepassx qt5-style-plugins gtk2-engines-murrine -y"

qvm-run --pass-io -u root tpl-deb-10-vault 'echo "QT_QPA_PLATFORMTHEME=gtk2" >> /etc/environment && poweroff'

  9. Template for mail qubes
  • obviously we need network
  • having a GUI file manager is convenient to deal with attachments, but it's not needed (you can do all from terminal too)
  • qubes-gpg-split & libgpgme11 needed by OpenPGP in Thunderbird

qvm-clone tpl-deb-10-min tpl-deb-10-mail

qvm-run --pass-io -u root tpl-deb-10-mail "apt install --no-install-recommends qubes-core-agent-networking qubes-core-agent-nautilus nautilus zenity gnome-keyring policykit-1 libblockdev-crypto2 qubes-gpg-split thunderbird libgpgme11 -y && poweroff"

  10. Template for web browsing qubes
  • network
  • nautilus to deal with downloads
  • pulseaudio-qubes to allow for audio
  • firefox obviously

qvm-clone tpl-deb-10-min tpl-deb-10-browser

qvm-run --pass-io -u root tpl-deb-10-browser "apt install --no-install-recommends qubes-core-agent-networking qubes-core-agent-nautilus nautilus zenity gnome-keyring policykit-1 libblockdev-crypto2 pulseaudio-qubes firefox-esr -y && poweroff"

  11. Template for signal messenger
  • network
  • nautilus to deal with downloads
  • dunst is needed for signal notifications, if no notification service is provided signal will hang
  • curl is needed to download the key for signal

qvm-clone tpl-deb-10-min tpl-deb-10-signal

qvm-run --pass-io -u root tpl-deb-10-signal "apt install --no-install-recommends curl qubes-core-agent-networking qubes-core-agent-nautilus nautilus zenity gnome-keyring policykit-1 libblockdev-crypto2 dunst -y"

  • get the signing key and add it (replace the http://HTTPS/// with a simple https:// in case you are not using apt-cacher-ng)

qvm-run --pass-io -u root tpl-deb-10-signal "curl --proxy http://127.0.0.1:8082/ -s http://HTTPS///updates.signal.org/desktop/apt/keys.asc | apt-key add -"

  • add the signal repository (replace the http://HTTPS/// with a simple https:// in case you are not using apt-cacher-ng)

qvm-run --pass-io -u root tpl-deb-10-signal 'echo "deb [arch=amd64] http://HTTPS///updates.signal.org/desktop/apt xenial main" | tee -a /etc/apt/sources.list.d/signal-xenial.list'

  • update & install

qvm-run --pass-io -u root tpl-deb-10-signal "apt update && apt full-upgrade -y && apt install --no-install-recommends signal-desktop -y && poweroff"

  12. libreoffice and evince template (offline dvm)

qvm-clone tpl-deb-10-min tpl-deb-10-office

  • libreoffice from backports to get HiDPI toolbar icons: adding backports repository (skip if you are fine with the standard libreoffice that comes with debian 10)

qvm-run --pass-io -u root tpl-deb-10-office 'echo "deb http://HTTPS///deb.debian.org/debian buster-backports main" > /etc/apt/sources.list.d/debian-backports.list'

  • nautilus for file management
  • audio & USB support
  • evince for PDFs

qvm-run --pass-io -u root tpl-deb-10-office "apt update && apt install --no-install-recommends qubes-core-agent-nautilus nautilus zenity gnome-keyring policykit-1 libblockdev-crypto2 pulseaudio-qubes qubes-usb-proxy evince -y"

  • if you don't want to use backports, just run the following command without the -t buster-backports parameter:

qvm-run --pass-io -u root tpl-deb-10-office "apt -t buster-backports install --no-install-recommends libreoffice libreoffice-gtk3 libreoffice-style-elementary -y && poweroff"

When you have many templates (the above are just a sample of what I have), you might want to also write a bash script to run updates. It certainly beats the Qubes Update Manager in its current form:

qvm-run -u root --pass-io tpl-deb-10-min "apt update && apt full-upgrade -y && apt autoremove -y && apt autoclean -y && poweroff"

… etc.

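Two dom0-side helpers for the maintenance steps in the post above (the apt-cacher-ng URL rewrite applied to sources.list, and the per-template update loop). This is an added example, not code from the original post or from the Qubes project: the template names and the sample sources.list are constructed for illustration, and the qvm-run invocations are only printed unless DRY_RUN is cleared, so the script can be checked outside dom0.

```shell
#!/bin/sh
# Added example (not from the original post). Helpers for the dom0 side of the
# minimal-template workflow: rewriting apt mirror URLs for apt-cacher-ng and
# generating the update command for every template in a list. Template names
# and SAMPLE_SOURCES below are constructed for illustration.

# apt-cacher-ng convention: an https:// origin is written as http://HTTPS///host/...
# so the proxy fetches it over TLS. Same substitution as in the post, with |
# as the sed delimiter so that no slashes need escaping.
to_cacher() {
    sed 's|https://|http://HTTPS///|g'
}

# Reverse mapping, for a template that is moved off apt-cacher-ng again.
from_cacher() {
    sed 's|http://HTTPS///|https://|g'
}

# One-line command that fully updates a template and powers it off.
update_cmd() {
    printf 'qvm-run -u root --pass-io %s "apt update && apt full-upgrade -y && apt autoremove -y && apt autoclean -y && poweroff"\n' "$1"
}

# Update every template given as an argument, one after the other.
# With DRY_RUN=1 (the default here) the commands are only printed;
# run with DRY_RUN=0 in dom0 to execute them.
update_all() {
    for tpl in "$@"; do
        if [ "${DRY_RUN:-1}" = 1 ]; then
            update_cmd "$tpl"
        else
            eval "$(update_cmd "$tpl")"
        fi
    done
}

# Constructed sample of a Debian 10 sources.list (not taken from a real qube).
SAMPLE_SOURCES='deb https://deb.debian.org/debian buster main
deb https://deb.debian.org/debian-security buster/updates main
deb [arch=amd64] https://deb.qubes-os.org/r4.0/vm buster main'

# Illustrative template list; replace with your own.
TEMPLATES="tpl-deb-10-min tpl-deb-10-sys-net tpl-deb-10-sys-firewall"

echo "# sources.list rewritten for apt-cacher-ng:"
printf '%s\n' "$SAMPLE_SOURCES" | to_cacher

echo "# update commands (dry run):"
update_all $TEMPLATES
```

In dom0 the rewrite would be applied with `qvm-run --pass-io -u root TEMPLATE "sed -i -- 's|https://|http://HTTPS///|g' /etc/apt/sources.list"` exactly as in the post; the two sed functions here just make the mapping and its inverse easy to check on a sample file first.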

I learned a lot of new tricks from this post–thank you for taking the time to make it.

Minor nitpicks: The wording for the first line makes it sound like you’ll need to install qubes-usb-proxy on every vm you intend to mount USB on–this is not the case. This is most likely not what you intended, but I just wanted to clarify something that might confuse a complete newbie.

I’ve never had to install exfat-fuse or ntfs-3g in my sys-usb since drives are never mounted there–those packages are installed in the app-vms. Since my drives work fine, it’s likely this is unnecessary (but of minimal impact in terms of security). I haven’t tried mounting encrypted drives but I suspect it’s the same.

sys-net and sys-usb

Maybe I’m confusing this with disposable sys-vms, but for PCI HVMs I switch off meminfo writer (qvm-service [qube] meminfo-writer off) and add iommu=soft swiotlb=8192 to kernelopts (on top of what’s already there).

Also, I think I’ve found a bug with security ramifications while checking settings for this–I recently switched to the 5.10 kernel for my default VM kernel. When I checked my kernelopts just then, all of my kernelopts in all of my VMs (except Whonix) have been cleared. This means that apparmor was shut off for a while without me knowing it.
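A dom0 check for the situation described in the post above, where kernelopts were silently reset after a kernel change and AppArmor ended up disabled. This is an added example and not code from any participant or from the Qubes project: check_kernelopts reads lines of the form "vm<TAB>kernelopts" and prints every VM whose options lack the expected tokens; collect_kernelopts shows how those lines would be gathered with qvm-ls and qvm-prefs in dom0. The expected token list (apparmor=1 security=apparmor) and the VM names in the constructed sample are illustrative; the sample is not a capture from a real system.

```shell
#!/bin/sh
# Added example (not from the original post): find VMs whose kernelopts lost
# the AppArmor switches. EXPECTED and the sample data below are illustrative.

EXPECTED="apparmor=1 security=apparmor"

# Read "vm<TAB>kernelopts" lines from stdin; print the name of each VM whose
# kernelopts is missing at least one of the EXPECTED tokens, with the list of
# missing tokens. VMs that have all tokens produce no output.
check_kernelopts() {
    while IFS="$(printf '\t')" read -r vm opts; do
        [ -n "$vm" ] || continue
        missing=""
        for tok in $EXPECTED; do
            case " $opts " in
                *" $tok "*) ;;                       # token present
                *) missing="$missing $tok" ;;        # token absent
            esac
        done
        [ -z "$missing" ] || printf '%s\tmissing:%s\n' "$vm" "$missing"
    done
}

# In dom0, gather the live values and feed them to the check:
#   collect_kernelopts | check_kernelopts
# Not executed here, since qvm-* tools exist only in dom0.
collect_kernelopts() {
    for vm in $(qvm-ls --raw-list); do
        printf '%s\t%s\n' "$vm" "$(qvm-prefs "$vm" kernelopts)"
    done
}

# Constructed sample (assumption: this is what a capture might look like after
# a kernel switch cleared the options on three of four VMs).
SAMPLE="$(printf 'sys-net\tnopat iommu=soft swiotlb=8192\nwork\tnopat apparmor=1 security=apparmor\nvault\tnopat\nuntrusted\t\n')"

printf '%s\n' "$SAMPLE" | check_kernelopts
```

On the sample this reports sys-net, vault and untrusted and stays silent for work. Running `collect_kernelopts | check_kernelopts` after every dom0 kernel update is a cheap way to notice this kind of silent reset before it matters.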

Minor nitpicks: The wording for the first line makes it sound like
you’ll need to install qubes-usb-proxy on every vm you intend to
mount USB on–this is not the case. This is most likely not what
you intended, but I just wanted to clarify something that might
confuse a complete newbie.

In my experience this package is needed in every VM you want to assign
USB devices to (e.g. printer, USB microphone, iPhone, Kindle etc.). This
is different from assigning a USB stick as a block device.

I’ve never had to install exfat-fuse or ntfs-3g in my sys-usb
since drives are never mounted there–those packages are installed
in the app-vms. Since my drives work fine, it’s likely this is
unnecessary (but of minimal impact in terms of security). I haven’t
tried mounting encrypted drives but I suspect it’s the same.

I usually mount drives in sys-usb and then send/receive files from/to
there via the respective Qubes OS function. And obviously I mount my
encrypted backup drive in sys-usb. Just different uses than yours.

Maybe I’m confusing this with disposable sys-vms, but for PCI HVMs I switch off meminfo
writer (qvm-service [qube] meminfo-writer off) and add iommu=soft swiotlb=8192 to kernelopts (on top of what’s already there).

I do too, however not to the template, which is always PVH. My post
concentrated on templates, but I can share similar scripts for setting
up qubes. However, the basic tools are the same so it would be
repetitive to post it here.

Also: I am aware I am supposed to do all of this with salt. But I
haven’t had the time/energy yet to learn how.

I had no idea! I’ve only ever used block devices with Qubes, so that didn’t occur to me. Sorry about that.

I haven’t bothered with salt either, but I suspect it’ll save me a ton of time when I set up new Qubes PCs since I’m typing everything in all the time. Tasket’s findpref script helps with this:

Dom0: Find all VMs that match a pref value, optionally set new values for them. For example, its a handy way to switch all VMs that are using a particular netvm to a different netvm.

@fiftyfourthparallel Ok, this is too much work for me now. I just have Qubes with all the nice features running smoothly: split GPG, split SSH, Yubikey, VPNs … and the most frustrating part, the sys-usb (working with an external keyboard). I will follow this topic but I will wait for my next notebook to go with the minimal setup. With that I avoid an open heart (OS) surgery.

@Sven
Thanks for the scripts - I salt everything, as you may know.
I’m in the process of posting almost all my salt formulae, (except
obvious identifiers). I’ll post a link later.


Thank You Sven, for creating this guide for us and behemothwerecat for initiating the thread. Can you please tell me what policykit-1 and libblockdev-crypto2 do for a browser template?

Strictly for the browser you need:

* qubes-core-agent-networking obviously
* pulseaudio-qubes assuming you want to consume audio/video
* firefox-esr

If you’d like to have the nautilus file manager in addition to interact
with downloaded files via GUI instead of “just” XTerm:

* nautilus
* qubes-core-agent-nautilus for Qubes specific functionality
* zenity if you want to see the progress dialog while sending files to
other qubes

And then, if you plan on mounting encrypted drives:

* gnome-keyring to manage the password (optional)
* policykit-1 (this was somehow needed to make it work...)
* libblockdev-crypto2 (...as was this)

This last part I have to admit I pasted in there without much thought
and I actually never do that in a browser based AppVM. So it would be
safe to remove – which I will do. Thanks for catching that!

/Sven


Actually, after removing it I found out what I need it for … when I mount my eInk Kindle I cannot access it without polkit installed. I don’t know why that is.