Debian-10-minimal Configuration

They are preferable at least when the user does not want to deal with configuration at all and just wants to use the system :slight_smile: (and the threat model is less strict of course)

I have come to appreciate Debian over Fedora in general for:

  • longer release cycles / less upgrades
  • more stability

That is true for all Debian templates. If one doesn’t have the need or inclination to configure many minimal-based templates, Debian full is certainly a good choice.

2 Likes

Hello @Sven . Thanks for your posts here, I was now able to change most of the templates to debian-10-minimal and that is just great.

Did you create a template with all programs as “Disposable VM Template”? Or how do you solve it if you receive for example a PDF, a Libreoffice document, a link via email and want to open it in a disposable vm?

@user45507 asked:

Did you create a template with all programs as “Disposable VM Template”? Or how do you solve it if you receive for example a PDF, a Libreoffice document, a link via email and want to open it in a disposable vm?

online-dvm based on deb-10-web template (firefox only)
offline-dvm based on deb-10-office template (libreoffice, evince, vlc)

offline-dvm is the default disposable template.
deb-10-office is only used for offline-dvm.

qubes.OpenURL policy is set to always ask, so that’s when I select ‘Disposable (online-dvm)’

Works great!

2 Likes

Thank you for your work.
Let me find out why you prefer to use Intel-based computers. As I know, Intel has a lot of holes; wouldn’t it be better to choose an AMD-based computer? For example, the G505s.

2 posts were split to a new topic: How to configure qubes.OpenURL to ask which qube to open the URL in?

@deeplow / @plexus … let’s please split this out into a new topic “Do you prefer Intel to AMD?”

@rakibiy676 the answer is: I don’t have a preference. I just happen to run Intel on my Qubes machine. Once there is a fully open / user controlled alternative I will be one of the first to jump.

The Intel vs AMD is off topic from Qubes Community user support IMHO. I could split this out to “all around Qubes” but the posting user will not see the thread any more, which defeats the object.

It would be great

Wouldn’t you also need qubes-core-agent-passwordless-root to mount encrypted drives through nautilus? If I don’t have it, it would prompt, “Unable to access location. Not authorized to perform operation”.

edit: delete. I saw your subsequent comments on passwordless-root.

1 Like

There were some small changes to Signal. I was able to get a new Debian 11 Minimal template working with this:

  1. template for Signal messenger
  • network
  • nautilus to deal with downloads
  • dunst is needed for signal notifications, if no notification service is provided signal will hang
  • curl is needed to download the key for signal

qvm-clone tpl-deb-11-min tpl-deb-11-signal

qvm-run --pass-io -u root tpl-deb-11-signal "apt install --no-install-recommends curl qubes-app-shutdown-idle qubes-core-agent-networking qubes-usb-proxy qubes-core-agent-nautilus nautilus zenity gnome-keyring policykit-1 libblockdev-crypto2 dunst xfce4-notifyd -y"

get the signing key and add it (replace the http://HTTPS/// with a simple https:// in case you are not using apt-cacher-ng)

qvm-run --pass-io -u root tpl-deb-11-signal "curl --proxy http://127.0.0.1:8082/ -s http://HTTPS///updates.signal.org/desktop/apt/keys.asc | gpg --dearmor | sudo tee /usr/share/keyrings/signal-desktop-keyring.gpg > /dev/null 2>&1"

add the signal repository (replace the http://HTTPS/// with a simple https:// in case you are not using apt-cacher-ng)

qvm-run --pass-io -u root tpl-deb-11-signal 'echo "deb [arch=amd64 signed-by=/usr/share/keyrings/signal-desktop-keyring.gpg] http://HTTPS///updates.signal.org/desktop/apt xenial main" | tee -a /etc/apt/sources.list.d/signal-xenial.list'

update & install

qvm-run --pass-io -u root tpl-deb-11-signal "apt update && apt full-upgrade -y && apt install --no-install-recommends signal-desktop -y && poweroff"
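
Added example, not part of the post above or of any Qubes or Signal tooling: a small shell check for one-line apt source entries like the one that post writes, confirming the repository key is scoped with signed-by= and that any http:// URI is the apt-cacher-ng http://HTTPS/// form. The function names audit_sources and demo and the host repo.example.invalid are assumptions made for the illustration.

```sh
#!/bin/sh
# Added example (not from the thread): audit one-line apt source entries.
# Flags per entry:
#   NO-SIGNED-BY  key is not pinned to this repository with signed-by=
#   PLAIN-HTTP    http:// URI that is not the apt-cacher-ng http://HTTPS/// form
audit_sources() {
    awk '
    /^[ \t]*#/ || NF == 0 { next }                # comments, blank lines
    $1 != "deb" && $1 != "deb-src" { next }
    {
        opts = ""; uri = $2
        if ($2 ~ /^\[/) {                         # option block may span fields
            i = 2; opts = $i
            while ($i !~ /\]$/ && i < NF) { i++; opts = opts " " $i }
            uri = $(i + 1)
        }
        flags = ""
        if (opts !~ /signed-by=/) flags = flags " NO-SIGNED-BY"
        if (uri ~ /^http:\/\// && uri !~ /^http:\/\/HTTPS\/\/\//) flags = flags " PLAIN-HTTP"
        if (flags == "") flags = " OK"
        print uri flags
    }' "$1"
}

# Constructed sample input; repo.example.invalid is a placeholder host.
demo() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
deb [arch=amd64 signed-by=/usr/share/keyrings/signal-desktop-keyring.gpg] http://HTTPS///updates.signal.org/desktop/apt xenial main
deb [arch=amd64 signed-by=/usr/share/keyrings/signal-desktop-keyring.gpg] https://updates.signal.org/desktop/apt xenial main
deb http://repo.example.invalid/apt stable main
deb [arch=amd64] https://repo.example.invalid/apt stable main
EOF
    audit_sources "$f"
    rm -f "$f"
}

demo
```

Inside the template it can be pointed at the real file, for example audit_sources /etc/apt/sources.list.d/signal-xenial.list.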

Hi. I have a small problem with my Debian 11 minimal configuration… I can not open a USB device when I assign it via sys-usb (also Debian 11, Qubes 4.1.0-rc4 based) to one of my Debian 11 minimal AppVMs (qubes-usb-proxy is installed). I get the message: Unable to access “xxx”.
Not authorized to perform operation (polkit authority not available and caller is not uid 0)

Does anyone have an idea?

Minimal templates do not have the passwordless sudo package installed.
You need to be root (or have root access) to mount the device.

You have a number of options:

  1. Install the passwordless sudo package in the template.
  2. Open a root terminal in the qube - qvm-run -u root QUBE_NAME xterm and mount
    the drive.
  3. Mount from dom0 - qvm-run -u root QUBE_NAME mount /dev/XXX /mnt

I never presume to speak for the Qubes team.
When I comment in the Forum or in the mailing lists I speak for myself.
2 Likes

Hi. Do all the instructions here apply to debian-11-minimal?

I do note that one of the reasons I opt for minimal templates is to avoid having passwordless root access. However, I found out via this thread and via my own testing that things won’t work normally without passwordless root access - acknowledging that I have read the Qubes team posts about the uselessness of not having passwordless root access.

I will answer myself :laughing:

Yes, I just tested it and the instructions do apply to debian-11-minimal. Thank you @Sven for your valuable instructions.

These are the packages needed for a debian-11-minimal VPN gateway using iptables and CLI scripts

Packages:
qubes-core-agent-networking openvpn nautilus qubes-core-agent-nautilus libnotify-bin notification-daemon dunst

1 Like

I would add this package: gvfs-backends which is needed to mount Android phones.

1 Like

@oijawyuh I agree. Thank you!

Since so much time has gone by I don’t see the point in publishing a guide for R4.0 / debian 10.

My current plan is to finally build that second T430 and work with @Plexus to publish that guide (including Heads etc).

Then I’ll install R4.1 on that machine and review/correct/test my scripts to create debian-11 based templates from scratch. Once that all works, I’ll publish an updated/extended version.

5 Likes

Sounds good. My tests have been on 4.0.4 with debian-11-minimal. Once I upgrade to 4.1, I can contribute to a guide if you’d like me to. Thank you.

Always

Hi, why do we want to create new sys-usb, sys-net, sys-firewall qubes here?
Will the default sys-usb, sys-net work with debian-11-minimal?

I would like to install debian-11-minimal, enable passwordless root, and use the same sys-usb, sys-firewall templates, vault, and other qubes. Will this work?

Thank you

1 Like