Debian-10-minimal Configuration

I want to apologize for my absence after initiating this thread - coffee spilled onto my keyboard, frying my machine, and it’s taken until now to get a new one I can run Qubes on.

@unman could you elaborate on the health warning for non-advanced users? Is the concern that minimal-template config is more prone to misconfiguring something that will go undetected without advanced understanding?

@Sven you’ve basically written the documentation I had in mind in one post! Legend! :pray: With this fresh machine I started to implement your instructions…

qvm-run --pass-io -u root tpl-deb-10-min “sed -i – ‘s/https:///http://HTTPS////g’ /etc/apt/sources.list”
qvm-run --pass-io -u root tpl-deb-10-min “sed -i – ‘s/https:///http://HTTPS////g’ /etc/apt/sources.list.d/*.list”

Because this wasn’t in a code block, the double dash following the i flag was auto-formatted into an em dash. I was also getting an error in the sed command until I changed the delimiter to #, because / is in the argument. Perhaps if this post is turned into a github guide, it would be fitting to have a hyperlink explaining the sources.list change, as I initially found it quite confusing without being familiar with apt-cacher-ng : How to get apt-cacher-ng to download AND cache packages from Apt HTTPS repositories? - Ask Ubuntu

For clarity, I ran:
qvm-run --pass-io -u root tpl-deb-10-min "sed -i -- 's#https://#http://HTTPS///#g' /etc/apt/sources.list"

qvm-run --pass-io -u root tpl-deb-10-min "sed -i -- 's#https://#http://HTTPS///#g' /etc/apt/sources.list.d/*.list"

The next step (apt update && apt full-upgrade) is where I ran into problems; it returned this error message:

Err:1 http://HTTPS///deb.debian.org/debian buster InRelease 500 Unable to connect [IP: 127.0.0.1 8082]
Err:2 http://HTTPS///deb.debian.org/debian-security buster/updates InRelease 500 Unable to connect [IP: 127.0.0.1 8082]
Err:3 http://HTTPS///deb.qubes-os.org/r4.0/vm buster InRelease 500 Unable to connect [IP: 127.0.0.1 8082] ...

Did I place the delimiter in the wrong location for sed? Do I need to first install apt-cacher-ng to the tpl-deb-10-min template? You say later down it is an optional package but I use many templates so decided to go with it. Thanks so much everyone! Very hyped at how many insights have already been contributed here.

EDIT: I attempted to integrate Unman’s apt-cacher-ng instructions into Sven’s instructions, for people like me who don’t already have it enabled but need it for this minimal set up. I figured it would be easier for others to make changes on Github for this section of the instructions involving apt-cacher-ng, so made a temporary repo. You’ll notice I split step 2 (clone and setup your own minimal template) into two separate steps, to fit in the apt-cacher-ng instructions. You’ll also notice that I run into an error restarting the service before I’m done setting it up!

1 Like

Perhaps if this post is turned into a github guide, it would be
fitting to have a hyperlink explaining the sources.list change, as I
initially found it quite confusing without being familiar with
apt-cacher-ng

I am actively working on restarting my website, the debian-minimal
configurations being the initial central topic. ETA ~2 weeks.

I intend to grow this over time and have both manual and salt based
instructions.

Err:1 http://HTTPS///deb.debian.org/debian buster InRelease 500 Unable to connect [IP: 127.0.0.1 8082]

Well, that’s what happens if your update proxy doesn’t run
apt-cacher-ng. I was torn whether to include it in the original post and
it seems I made the wrong call.

Do I need to first install apt-cacher-ng to the tpl-deb-10-min
template?

It needs to be installed in your updatevm. If that is not the case (yet)
then don’t use the two sed lines. You can run them later after you have
apt-cacher-ng working.

Very hyped at how many insights have already been contributed here.

I am still at the beginning of this journey but I can safely say that
basing everything on debian-minimal based templates and doing some
additional configuration (memory) … has completely transformed my
Qubes OS user experience. There is an enormous performance boost while
at the same time being confident that the attack surface is as small as
it can possibly be. And debian is STABLE. Once you have things setup,
they will stay that way for a long long time while still receiving
security updates.

Also if each qube takes less resources, it follows you can run a lot
more of them in parallel and therefore afford a much finer grained
compartmentalization strategy.

I understand the decision to start folks off with the big standard fedora
templates … but once a user is more familiar with how Qubes OS works
and has some grip on installing software in Linux and figuring out
dependencies, debian-minimal is the way to go.

4 Likes
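The two sed lines from earlier in the thread, wrapped into a small POSIX shell script as an added example (this is not code from the thread's posters). It keeps the rewrite and its inverse as filters you can preview on stdin, applies the change to the template with a single qvm-run, and rolls it back when apt-get update comes back with the "500 Unable to connect" lines quoted above, which is exactly what happens when the updatevm has no apt-cacher-ng. The proxy address 127.0.0.1:8082 is taken from that error output; tpl-deb-10-min is the thread's template name; the function names and the package-manager call are my own assumptions.

```shell
#!/bin/sh
# Added example for this thread; not the original poster's or Sven's code.
# Run from dom0:  sh cacher.sh apply
# TEMPLATE defaults to the thread's template name (placeholder, change it).

TEMPLATE="${TEMPLATE:-tpl-deb-10-min}"

# Rewrite apt source lines on stdin for apt-cacher-ng:
#   https://deb.debian.org/debian  ->  http://HTTPS///deb.debian.org/debian
# "#" is used as the s/// delimiter because the pattern itself contains "/".
# A line already in HTTPS/// form contains no "https://" any more, so
# running this twice changes nothing (idempotent).
cacher_rewrite() {
    sed 's#https://#http://HTTPS///#g'
}

# Undo cacher_rewrite, e.g. when the caching proxy is removed again.
cacher_revert() {
    sed 's#http://HTTPS///#https://#g'
}

# Recognise the failure mode from the thread in captured apt output:
#   Err:1 http://HTTPS///deb.debian.org/debian ... 500 Unable to connect [IP: 127.0.0.1 8082]
# Returns 0 (true) when at least one HTTPS/// source could not be fetched.
update_failed_through_proxy() {
    printf '%s\n' "$1" | grep -q 'HTTPS///.*Unable to connect'
}

# Apply the rewrite inside the template, verify with apt-get update, and
# revert on the thread's error. The glob for sources.list.d/*.list must
# expand inside the template, hence the single outer quotes.
cacher_apply_to_template() {
    qvm-run --pass-io -u root "$TEMPLATE" \
        'sed -i "s#https://#http://HTTPS///#g" /etc/apt/sources.list /etc/apt/sources.list.d/*.list'
    out=$(qvm-run --pass-io -u root "$TEMPLATE" 'apt-get update 2>&1')
    if update_failed_through_proxy "$out"; then
        echo "update proxy answered 'Unable to connect': is apt-cacher-ng running in the updatevm? Reverting." >&2
        qvm-run --pass-io -u root "$TEMPLATE" \
            'sed -i "s#http://HTTPS///#https://#g" /etc/apt/sources.list /etc/apt/sources.list.d/*.list'
        return 1
    fi
    printf '%s\n' "$out"
}

if [ "${1:-}" = "apply" ]; then
    cacher_apply_to_template
fi
```

To preview what the rewrite would do without touching anything, pipe a copy of the file through the filter: `qvm-run --pass-io tpl-deb-10-min 'cat /etc/apt/sources.list' | sh -c '. ./cacher.sh; cacher_rewrite'`. The revert path leaves the template exactly as it was, which is what Sven's advice above amounts to: don't run the sed lines until apt-cacher-ng works.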

I was asked to elaborate on the health warning for non-advanced users.
I speak personally, and not on behalf of Qubes project.
I think this covers two areas:
First, health warning for the user - it isn’t easy to correctly configure
a minimal template if you have little knowledge of Linux or Qubes,
and the scope for frustration and/or security errors is large.
Second, health warning for the project. There simply isn’t scope to
support naive users in this sort of endeavour, particularly when (as
now) new users don’t (or won’t) read the documentation.
That’s why the project provides ready configured larger templates, which
should work out of the box.

4 Likes

If you want to set the caching proxy up with salt, there is a formula
at https://github.com/unman/shaker/cacher
There are even instructions in the README

1 Like

Hello all,

Maybe I should join the club :wink: . . .

I’ve found that loginctl showed no sessions when using the appVM based on tpl-deb-10-min.

But I had installed several packages until I noticed it worked.
See next comment: libpam-systemd fixed it

Hans

Found it: libpam-systemd

dpkg -s libpam-systemd

Package: libpam-systemd
Status: install ok installed
Priority: standard
Section: admin
Installed-Size: 396
Maintainer: Debian systemd Maintainers pkg-systemd-maintainers@lists.alioth.debian.org
Architecture: amd64
Multi-Arch: same
Source: systemd
Version: 241-7~deb10u7
Provides: default-logind (= 241-7~deb10u7), logind (= 241-7~deb10u7)
Depends: libc6 (>= 2.28), libpam0g (>= 0.99.7.1), systemd (= 241-7~deb10u7), libpam-runtime (>= 1.0.1-6), dbus, systemd-sysv
Description: system and service manager - PAM module
This package contains the PAM module which registers user sessions in
the systemd control group hierarchy for logind.
.
If in doubt, do install this package.
.
Packages that depend on logind functionality need to depend on libpam-systemd.
Homepage: systemd

With that installed loginctl shows:

SESSION UID USER SEAT TTY
c1 1000 user seat0 tty7

1 sessions listed.

Hans

I was told that a Fedora-based UpdateVM is required for dom0 updates (unless using Debian 11, which has DNF support, but you were speaking of Debian 10 here). Is this not the case?

@adw I’m getting dom0 updates just fine. If it were true that one needs a Fedora based qube to download dom0 updates, using sys-whonix as updatevm wouldn’t work either.

Is this not because a qubes dnf was provided to cover cases where dnf was
not available in Debian?

Another data point: debian-10-minimal updateVM works fine for me on both R4.1 and R4.0

This recently stopped working for me and I needed to install qubes-core-agent-passwordless-root to make it work again. Some light research indicates that this is all connected somehow to policykit but I don’t really understand what’s happening.

Also there isn’t really any good reason not to install qubes-core-agent-passwordless-root so I didn’t care much to investigate further either.

@Sven, @unman: Thanks for clarifying. Out of curiosity, does this mean that you don’t need any Fedora VMs at all, i.e., that it’s now possible to use only Debian VMs? Or is there still something for which you have to keep at least one Fedora VM around? My understanding is that you might need a Fedora mgmt VM to manage other Fedora VMs, but if you don’t have any, then that wouldn’t apply either.

1 Like

8 posts were merged into an existing topic: Is it possible to use only Debian VMs? (no Fedora VMs)

Has anyone figured out which packages are required for Thunderbird to work with Split GPG in the template on which the email VM is based? For some reason, Thunderbird is not using my GPG backend VM when based on debian-10-minimal, but fedora-32-minimal works. Here’s what the debian-10-minimal template already has installed:

qubes-core-agent-networking
qubes-core-agent-nautilus
nautilus
qubes-gpg-split
thunderbird
qubes-thunderbird

Edit: Ah, I’m missing libgpgme11. I had missed this line:

Thanks, @Sven!

Has anyone figured out which packages are required for Thunderbird to
work with Split GPG in the template on which the email VM is based?

Sure. Works for me with the below packages:

  • qubes-core-agent-networking
  • qubes-core-agent-nautilus nautilus zenity
  • thunderbird
  • qubes-gpg-split libgpgme11

For some reason, Thunderbird is not using my GPG backend VM when
based on debian-10-minimal, but fedora-32-minimal works.

libgpgme11 is definitely needed, it’s normally a dependency of gnupg

In addition:

  • have you created /rw/config/gpg-split-domain?
  • how does your qubes.Gpg policy file look?
  • if you do ‘qubes-gpg-client-wrapper -k’ … what happens?

@adw sorry didn’t see your edit until now. I’m usually interfacing via email and edits after the initial 10 minutes don’t make it into the emails.

In cases like this it would be much appreciated to reply instead of edit.

1 Like
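The three checks Sven lists above, turned into a small shell script as an added example (not code from the thread or from the qubes-gpg-split project). It validates /rw/config/gpg-split-domain, confirms the named packages are installed according to dpkg, and runs the wrapper's key listing. The config path, the package names and `qubes-gpg-client-wrapper -k` are the ones named in the thread; the qube-name character rule (letters, digits, hyphen, underscore) and the function names are my assumptions.

```shell
#!/bin/sh
# Added example: Split GPG preflight checks for a debian-minimal based mail
# qube. Not the project's own tooling. Run inside the AppVM:  sh split-gpg-check.sh

GPG_SPLIT_CONF="${GPG_SPLIT_CONF:-/rw/config/gpg-split-domain}"

# Print the backend qube name from the config file (first line, whitespace
# stripped). Fails if the file is missing, empty, or contains characters
# outside what a qube name may hold (assumption: A-Z a-z 0-9 _ -).
split_gpg_backend() {
    conf="${1:-$GPG_SPLIT_CONF}"
    [ -r "$conf" ] || { echo "missing or unreadable: $conf" >&2; return 1; }
    name=$(head -n 1 "$conf" | tr -d '[:space:]')
    case "$name" in
        ''|*[!A-Za-z0-9_-]*) echo "invalid backend qube name in $conf" >&2; return 1 ;;
    esac
    printf '%s\n' "$name"
}

# Succeed only if every package given is "install ok installed" per dpkg;
# the missing ones are listed on stderr.
split_gpg_packages_ok() {
    missing=""
    for pkg in "$@"; do
        st=$(dpkg-query -W -f='${Status}' "$pkg" 2>/dev/null)
        case "$st" in
            "install ok installed") ;;
            *) missing="$missing $pkg" ;;
        esac
    done
    [ -z "$missing" ] || { echo "not installed:$missing" >&2; return 1; }
}

# The third check from the thread: can the wrapper reach the backend and list keys?
split_gpg_wrapper_ok() {
    qubes-gpg-client-wrapper -k >/dev/null 2>&1
}

# Top-level run, only when executed directly with "check" as the argument.
if [ "${1:-}" = "check" ]; then
    rc=0
    backend=$(split_gpg_backend) && echo "backend qube: $backend" || rc=1
    split_gpg_packages_ok qubes-gpg-split libgpgme11 thunderbird && echo "packages: ok" || rc=1
    split_gpg_wrapper_ok && echo "qubes-gpg-client-wrapper -k: ok" || { echo "qubes-gpg-client-wrapper -k failed" >&2; rc=1; }
    exit $rc
fi
```

If the first two checks pass and the third fails, the remaining question from Sven's list is the qubes.Gpg policy in dom0, which this script cannot see from inside the AppVM.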

@Sven did that blog post ever drop? not sure what the url is :slight_smile:

1 Like

Not yet. If you like you can simply add /Sven to your feed reader and then you can’t miss it.

3 Likes

I’ve kept the fedora template because there are more up to date packages. For example keepassxc. While the debian 10 repo has keepassxc version 2.3.4, the fedora 33 repo has keepassxc version 2.6.4-2. Do you know maybe how someone can use the latest keepassxc package in the debian-10 template besides snap / flatpak?

1 Like

I’ve kept the fedora template because there are more up to date packages. For example keepassxc. While the debian 10 repo has keepassxc version 2.3.4, the fedora 33 repo has keepassxc version 2.6.4-2. Do you know maybe how someone can use the latest keepassxc package in the debian-10 template besides snap / flatpak?

buster-backports has 2.6.2 - not quite the latest, but it’s Debian.
https://backports.debian.org/

3 Likes