Debian-10-minimal Configuration

Ok, so I had to change the format of this summary to make it work with the forum. All commands you see here are meant to be done in dom0 terminal.

  1. Installing debian-10-minimal…

    sudo qubes-dom0-update qubes-template-debian-10-minimal
    
  2. clone and setup your own minimal template

    qvm-clone debian-10-minimal tpl-deb-10-min
    
  • If you have a HiDPI display, you might want to set the dpi early at this step to avoid having to do it over and over in derived templates:

    qvm-run --pass-io -u root tpl-deb-10-min 'echo "Xft.dpi: 144" >> /etc/X11/Xresources/x11-common'
    
  • If you are using apt-cacher-ng already, you will need these lines (if you don’t know what that is, skip it)

    qvm-run --pass-io -u root tpl-deb-10-min "sed -i -- 's/https:\/\//http:\/\/HTTPS\/\/\//g' /etc/apt/sources.list"
    
    qvm-run --pass-io -u root tpl-deb-10-min "sed -i -- 's/https:\/\//http:\/\/HTTPS\/\/\//g' /etc/apt/sources.list.d/*.list"
    
  • Run all updates:

    qvm-run --pass-io -u root tpl-deb-10-min "apt update && apt full-upgrade -y"
    
  • I don’t do this, but if you want password-less sudo in your qubes, run this:

    qvm-run --pass-io -u root tpl-deb-10-min "apt install --no-install-recommends qubes-core-agent-passwordless-root -y"
    
  • I like XTerm, so I am setting it as the default terminal emulator and then shutting down the template:

    qvm-run --pass-io -u root tpl-deb-10-min "update-alternatives --set x-terminal-emulator /usr/bin/xterm && poweroff"
    
  3. I don’t like keeping installed templates around and we already made our own clone … so now remove the installed template.

    sudo dnf remove qubes-template-debian-10-minimal
    
  4. Let’s make the template for sys-net

    • we need network: qubes-core-agent-networking
    • and the network manager to select WiFi networks: qubes-core-agent-network-manager
    • gnome-keyring is needed for the network manager to remember WiFi passwords
    • firmware-iwlwifi is needed for my WiFi adapter, so this differs from device to device. If your WiFi is from Intel there is a good chance this will work.
    qvm-clone tpl-deb-10-min tpl-deb-10-sys-net
    
    qvm-run --pass-io -u root tpl-deb-10-sys-net "apt install --no-install-recommends qubes-core-agent-networking qubes-core-agent-network-manager gnome-keyring firmware-iwlwifi -y && poweroff"
    
  5. Now the template for sys-usb

    • qubes-usb-proxy is needed wherever you’ll want to use USB
    • qubes-input-proxy-sender is needed if you want to use a USB mouse / keyboard
    • nautilus & zenity needed to have GUI support in e.g. Qubes backup
    • policykit-1 and libblockdev-crypto2 needed to mount encrypted drives
    • ntfs-3g needed to be able to mount NTFS formatted drives
    qvm-clone tpl-deb-10-min tpl-deb-10-sys-usb
    
    qvm-run --pass-io -u root tpl-deb-10-sys-usb "apt install --no-install-recommends qubes-usb-proxy qubes-input-proxy-sender qubes-core-agent-nautilus nautilus zenity gnome-keyring policykit-1 libblockdev-crypto2 ntfs-3g -y && poweroff"
    
  6. A template for sys-firewall

    • obviously we need networking: qubes-core-agent-networking
    • and we want to make dom0 updates using sys-firewall: qubes-core-agent-dom0-updates
    • apt-cacher-ng to be able to cache updates (see https://github.com/unman/notes/blob/master/apt-cacher-ng) … this is optional but very helpful if you have many templates
    • when installing apt-cacher-ng there is an interactive setup, so all the extra stuff in this install command is there to suppress it and go with the defaults.
    qvm-clone tpl-deb-10-min tpl-deb-10-sys-firewall
    
    qvm-run --pass-io -u root tpl-deb-10-sys-firewall "DEBIAN_FRONTEND='noninteractive' apt-get -y -o Dpkg::Options::='--force-confdef' -o Dpkg::Options::='--force-confold' install --no-install-recommends qubes-core-agent-networking qubes-core-agent-dom0-updates apt-cacher-ng"
    
    qvm-run --pass-io -u root tpl-deb-10-sys-firewall "systemctl mask apt-cacher-ng && poweroff"
    
    qvm-features tpl-deb-10-sys-firewall qubes-firewall 1
    
  7. template to base the management dvm on

    • needs qubes-core-agent-passwordless-root and qubes-mgmt-salt-vm-connector
    qvm-clone tpl-deb-10-min tpl-deb-10-sys-mgmt
    
    qvm-run --pass-io -u root tpl-deb-10-sys-mgmt "apt install --no-install-recommends qubes-core-agent-passwordless-root qubes-mgmt-salt-vm-connector -y && poweroff"
    
  8. my vault template

    • gnupg & qubes-gpg-split obviously
    • keepassx is optional, but I like my password manager to be in the vault
    • qt5-style-plugins, gtk2-engines-murrine and QT_QPA_PLATFORMTHEME=gtk2 are needed to make keepassx obey the system theme
    qvm-clone tpl-deb-10-min tpl-deb-10-vault
    
    qvm-run --pass-io -u root tpl-deb-10-vault "apt install --no-install-recommends gnupg qubes-gpg-split keepassx qt5-style-plugins gtk2-engines-murrine -y"
    
    qvm-run --pass-io -u root tpl-deb-10-vault 'echo "QT_QPA_PLATFORMTHEME=gtk2" >> /etc/environment && poweroff'
    
  9. template for mail qubes

    • obviously we need network
    • having a GUI file manager is convenient to deal with attachments, but it’s not needed (you can do it all from the terminal too)
    • qubes-gpg-split & libgpgme11 needed by OpenPGP in Thunderbird

    qvm-clone tpl-deb-10-min tpl-deb-10-mail

    qvm-run --pass-io -u root tpl-deb-10-mail "apt install --no-install-recommends qubes-core-agent-networking qubes-core-agent-nautilus nautilus zenity gnome-keyring policykit-1 libblockdev-crypto2 qubes-gpg-split thunderbird libgpgme11 -y && poweroff"

  10. template for web browsing qubes

    • network
    • nautilus to deal with downloads
    • pulseaudio-qubes to allow for audio
    • firefox obviously

    qvm-clone tpl-deb-10-min tpl-deb-10-browser

    qvm-run --pass-io -u root tpl-deb-10-browser "apt install --no-install-recommends qubes-core-agent-networking qubes-core-agent-nautilus nautilus zenity gnome-keyring policykit-1 libblockdev-crypto2 pulseaudio-qubes firefox-esr -y && poweroff"

  11. template for signal messenger

    • network
    • nautilus to deal with downloads
    • dunst is needed for Signal notifications; if no notification service is available, Signal will hang
    • curl is needed to download the signing key for Signal

    qvm-clone tpl-deb-10-min tpl-deb-10-signal

    qvm-run --pass-io -u root tpl-deb-10-signal "apt install --no-install-recommends curl qubes-core-agent-networking qubes-core-agent-nautilus nautilus zenity gnome-keyring policykit-1 libblockdev-crypto2 dunst -y"

    • get the signing key and add it (replace the http://HTTPS/// with a simple https:// in case you are not using apt-cacher-ng)

    qvm-run --pass-io -u root tpl-deb-10-signal "curl --proxy http://127.0.0.1:8082/ -s http://HTTPS///updates.signal.org/desktop/apt/keys.asc | apt-key add -"

    • add the signal repository (replace the http://HTTPS/// with a simple https:// in case you are not using apt-cacher-ng)

    qvm-run --pass-io -u root tpl-deb-10-signal 'echo "deb [arch=amd64] http://HTTPS///updates.signal.org/desktop/apt xenial main" | tee -a /etc/apt/sources.list.d/signal-xenial.list'

    • update & install

    qvm-run --pass-io -u root tpl-deb-10-signal "apt update && apt full-upgrade -y && apt install --no-install-recommends signal-desktop -y && poweroff"

  12. libreoffice and evince template (offline dvm)

    qvm-clone tpl-deb-10-min tpl-deb-10-office

    • libreoffice from backports to get HiDPI toolbar icons: add the backports repository (skip this if you are fine with the standard libreoffice that comes with debian 10)

    qvm-run --pass-io -u root tpl-deb-10-office 'echo "deb http://HTTPS///deb.debian.org/debian buster-backports main" > /etc/apt/sources.list.d/debian-backports.list'

    • nautilus for file management
    • audio & USB support
    • evince for PDFs

    qvm-run --pass-io -u root tpl-deb-10-office "apt update && apt install --no-install-recommends qubes-core-agent-nautilus nautilus zenity gnome-keyring policykit-1 libblockdev-crypto2 pulseaudio-qubes qubes-usb-proxy evince -y"

    • if you don’t want to use backports, just run the following command without the -t buster-backports parameter:

    qvm-run --pass-io -u root tpl-deb-10-office "apt -t buster-backports install --no-install-recommends libreoffice libreoffice-gtk3 libreoffice-style-elementary -y && poweroff"

When you have many templates (the above are just a sample of what I have), you might want to also write a bash script to run updates. It certainly beats the Qubes Update Manager in its current form:

qvm-run -u root --pass-io tpl-deb-10-min "apt update && apt full-upgrade -y && apt autoremove -y && apt autoclean -y && poweroff"

… etc.
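Here is one way to write that update script, added as an example and not part of the original post: it runs the same update sequence as the one-liner above in each template named on the command line, one after another, and reports the templates where it failed. QVM_RUN is a hypothetical override variable so the script can be dry-run outside dom0.

```shell
#!/usr/bin/env bash
# update-templates.sh: from dom0, run the update sequence used in this post in
# each template named on the command line, one after another, and report the
# templates where it failed.
# Usage: ./update-templates.sh tpl-deb-10-min tpl-deb-10-vault tpl-deb-10-office
set -eu

# Command used to reach the templates. QVM_RUN is a hypothetical override so the
# script can be dry-run outside dom0, e.g. QVM_RUN=echo ./update-templates.sh tpl-deb-10-min
: "${QVM_RUN:=qvm-run}"

# Same command string as the one-liner above; poweroff at the end so the
# template is not left running once it is up to date.
UPDATE_CMD='apt update && apt full-upgrade -y && apt autoremove -y && apt autoclean -y && poweroff'

# Run the update sequence as root inside a single template.
update_template() {
  $QVM_RUN -u root --pass-io "$1" "$UPDATE_CMD"
}

# Update each named template in turn. A failure in one template does not stop
# the others; the function returns non-zero if any of them failed.
update_all() {
  failed=""
  for tpl in "$@"; do
    echo ">>> updating $tpl"
    if ! update_template "$tpl"; then
      echo "!!! update failed in $tpl" >&2
      failed="$failed $tpl"
    fi
  done
  if [ -n "$failed" ]; then
    echo "templates that failed:$failed" >&2
    return 1
  fi
  return 0
}

# Only act when template names are given, so the file can also be sourced
# just to define the functions.
if [ "$#" -gt 0 ]; then
  update_all "$@"
fi
```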
