Debian-10-minimal Configuration

2 posts were split to a new topic: How to configure qubes.OpenURL to ask which qube to open the URL in?

@deeplow / @plexus … let’s please split this out into a new topic “Do you prefer Intel to AMD?”

@rakibiy676 the answer is: I don’t have a preference. I just happen to run Intel on my Qubes machine. Once there is a fully open / user controlled alternative I will be one of the first to jump.

The Intel vs AMD is off topic from Qubes Community user support IMHO. I could split this out to “all around Qubes” but the posting user will not see the thread any more, which defeats the object.

It would be great

Wouldn’t you also need qubes-core-agent-passwordless-root to mount encrypted drives through nautilus? If I don’t have it, it would prompt, “Unable to access location. Not authorized to perform operation”.

edit: delete. I saw your subsequent comments on passwordless-root.

1 Like

There were some small changes to Signal. I was able to get a new Debian 11 Minimal template working with this:

  1. template for Signal messenger
  • network
  • nautilus to deal with downloads
  • dunst is needed for signal notifications, if no notification service is provided signal will hang
  • curl is needed to download the key for signal

qvm-clone tpl-deb-11-min tpl-deb-11-signal

qvm-run --pass-io -u root tpl-deb-11-signal "apt install --no-install-recommends curl qubes-app-shutdown-idle qubes-core-agent-networking qubes-usb-proxy qubes-core-agent-nautilus nautilus zenity gnome-keyring policykit-1 libblockdev-crypto2 dunst xfce4-notifyd -y"

get the signing key and add it (replace the http://HTTPS/// with a simple https:// in case you are not using apt-cacher-ng)

qvm-run --pass-io -u root tpl-deb-11-signal "curl --proxy http://127.0.0.1:8082/ -s http://HTTPS///updates.signal.org/desktop/apt/keys.asc | gpg --dearmor | sudo tee /usr/share/keyrings/signal-desktop-keyring.gpg > /dev/null 2>&1"

add the signal repository (replace the http://HTTPS/// with a simple https:// in case you are not using apt-cacher-ng)

qvm-run --pass-io -u root tpl-deb-11-signal 'echo "deb [arch=amd64 signed-by=/usr/share/keyrings/signal-desktop-keyring.gpg] http://HTTPS///updates.signal.org/desktop/apt xenial main" | tee -a /etc/apt/sources.list.d/signal-xenial.list'

update & install

qvm-run --pass-io -u root tpl-deb-11-signal "apt update && apt full-upgrade -y && apt install --no-install-recommends signal-desktop -y && poweroff"
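A check for the repository entry written in the steps above, as an added example that is not part of the original post: it converts between the `https://` and apt-cacher-ng `http://HTTPS///` forms and flags `deb` lines that lack `signed-by` or use plain HTTP. The function names and the `repo.example.invalid` sample lines are constructed for illustration.

```shell
# Added example (not from the original post): audit APT source lines.
# Function names and the sample lines at the bottom are constructed.

# Convert between a direct https:// URL and the apt-cacher-ng form
# (http://HTTPS///) that the post uses.
to_acng()   { printf '%s\n' "$1" | sed 's|https://|http://HTTPS///|g'; }
from_acng() { printf '%s\n' "$1" | sed 's|http://HTTPS///|https://|g'; }

# Classify one sources.list line:
#   ok            keyring pinned with signed-by, no plain-HTTP transport
#   no-signed-by  entry is not pinned to its own keyring
#   plain-http    repository fetched without TLS (coarse substring check)
#   skip          comment, blank line, or anything that is not a deb entry
check_source_line() {
    case $1 in
        deb\ *|deb-src\ *) ;;
        *) echo skip; return 0 ;;
    esac
    case $1 in
        *signed-by=/*) ;;
        *) echo no-signed-by; return 0 ;;
    esac
    # The apt-cacher-ng marker means "fetch upstream over HTTPS": normalise it first.
    case $(from_acng "$1") in
        *http://*) echo plain-http ;;
        *) echo ok ;;
    esac
}

# Read lines on stdin, print "verdict<TAB>line" per entry to review; return 1 if any.
audit_sources() {
    rc=0
    while IFS= read -r entry; do
        verdict=$(check_source_line "$entry")
        case $verdict in
            ok|skip) ;;
            *) printf '%s\t%s\n' "$verdict" "$entry"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample input; in a template, feed /etc/apt/sources.list.d/*.list
audit_sources <<'EOF' || echo "review the entries listed above"
deb [arch=amd64 signed-by=/usr/share/keyrings/signal-desktop-keyring.gpg] http://HTTPS///updates.signal.org/desktop/apt xenial main
deb [arch=amd64] https://repo.example.invalid/apt stable main
deb [signed-by=/usr/share/keyrings/example.gpg] http://repo.example.invalid/apt stable main
EOF
```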

Hi. I have a small problem with my Debian 11 minimal configuration… I can not open a USB device when I assign it via sys-usb (also Debian 11, Qubes 4.1.0-rc4 based) to one of my Debian 11 minimal AppVMs (qubes-usb-proxy is installed). I get the message: Unable to access “xxx”.
Not authorized to perform operation (polkit authority not available and caller is not uid 0)

Does anyone have an idea?

Minimal templates do not have the passwordless sudo package installed.
You need to be root (or have root access) to mount the device.

You have a number of options:

  1. Install the passwordless sudo package in the template.
  2. Open a root terminal in the qube - qvm-run -u root xterm and mount the drive.
  3. Mount from dom0 - qvm-run -u root mount /dev/XXX /mnt

I never presume to speak for the Qubes team.
When I comment in the Forum or in the mailing lists I speak for myself.
2 Likes

Hi. Do all the instructions here apply to debian-11-minimal?

I do note that one of the reasons I opt for minimal templates is to avoid having passwordless root access. However, I found out via this thread and via my own testing that things won’t work normally without passwordless root access - acknowledging that I have read the Qubes team posts about the uselessness of not having passwordless root access.

I will answer myself :laughing:

Yes, I just tested it and the instructions do apply to debian-11-minimal. Thank you @Sven for your valuable instructions.

These are the packages needed for a debian-11-minimal VPN gateway using iptables and CLI scripts

Packages:
qubes-core-agent-networking openvpn nautilus qubes-core-agent-nautilus libnotify-bin notification-daemon dunst

1 Like

I would add this package: gvfs-backends which is needed to mount Android phones.

1 Like

@oijawyuh I agree. Thank you!

Since so much time has gone by I don’t see the point in publishing a guide for R4.0 / debian 10.

My current plan is to finally build that second T430 and work with @Plexus to publish that guide (including Heads etc).

Then I’ll install R4.1 on that machine and review/correct/test my scripts to create debian-11 based templates from scratch. Once that all works, I’ll publish an updated/extended version.

5 Likes

Sounds good. My tests have been on 4.0.4 with debian-11-minimal. Once I upgrade to 4.1, I can contribute to a guide if you’d like me to. Thank you.

Always

Hi, why do we want to create new sys-usb, sys-net, sys-firewall qubes here?
Will the default sys-usb, sys-net work with debian-11-minimal?

I would like to install debian-11-minimal, enable passwordless root, use the same sys-usb, sys-firewall templates, vault, and other qubes. Will this work?

Thank you

1 Like

This will work.
This page in the docs tells you what packages to install to use
the minimal template, but you do not need to do so.

To enable passwordless root you will have to get a root terminal in the
minimal template to install the packages - you can do this from dom0 with
qvm-run -u root debian-11-minimal uxterm

1 Like

Great thread!

If I may… this needs repeated loudly and often:

Agreed!

I would take that one step further: Not just for people with little knowledge of linux or qubes. I have been using linux for decades, and Qubes for years, but I must admit, having been away from both Qubes and linux for the past year, I find myself starting over, and asking the most basic “noob” questions again. It’s all coming back fast, sure, but I find myself relearning the basics, again.

A great point! I couldn’t agree more.

However, I always hated the old RTFM mantra “read the docs” when we all know there are gazillions of docs from gazillions of sources, and you can spend a lifetime reading docs and still not read them all. Every question asked can be resolved with a well placed search, but if somebody isn’t sure what they are asking, then the searches will only point to other noobs equally confused, and sadly the responses to their questions are all too often “read the docs you noob”. The Ubuntu forums are painfully full of RTFM responses. God I love to hate on Ubuntu LOL. Not so here though.

Thankfully, the people here are noob friendly (THANK YOU!), because Qubes is definitely a more advanced platform, not for beginners. Even seasoned linux admins will be challenged while coming up to speed on Qubes. A steep learning curve for sure, but as everyone here knows, it is well worth it.

Sorry for the rant. When I read the above @unman post I wanted to repeat it.

1 Like

Like everything this is not a black/white issue. The way I see it, it is about appreciating the time and energy others put into reading a question and posting an answer.

There are some (especially in places like forums) that show up, leave the most minimal description of their issue accompanied by an essay about their personal frustrations and expectations. Then they “ping” the thread once or twice a day and get increasingly irritated that their questions have not yet been addressed to their fullest satisfaction, while ignoring any and all attempts to even clarify what exactly their issue is. Finally an “I am finished with this forum!” post asking to delete their account.

I can do just fine without those people.

On the other hand if a person describes their issue, asks for help, answers follow-up questions and is otherwise a pleasant person to communicate with I am pretty sure they will be well taken care of. I know I was and am frequently. It’s all about attitude, basic human decency and actually recognizing that no one here owes anyone an answer for anything.

Sorry @oldschool for hijacking your post for a PSA, but it felt like it was time for it. :wink:

2 Likes

Amen.

Amen again.

No worries! I couldn’t agree more, some people fail to word the question as complete as possible, then get all bent out of shape when nobody replies, or worse, they are rude when someone tries to help by asking for more info. I guess I should’ve added that most valid point to my little PSA. Thanks for the help!