Differentiating "base" templates and "modified" templates

This is maybe a very basic question, but after browsing the docs and forums I didn’t find any satisfying answer.

Consider the following basic scenario: I want to install an app in an AppVM A.
The AppVM is based on a template T, which itself was cloned from an “official” image e.g. debian-13-xfce.

I can either:

  1. clone debian-13-xfce into a new T template, install the app in the template
  2. install the app directly in the debian-13-xfce template

Downside of 1: this provisions a full template, so it takes a lot of disk space (typically 6Gb for debian-13-xfce-based)
Downside of 2: the debian-13-xfce template becomes “tainted”, e.g. it’s not the same as the “initial”, “base” template anymore. If I want afterwards to create a new template based on “clean” debian-13-xfce (e.g. via salt), I don’t see an easy way.

How do you resolve this?


Additional concrete background:
I am trying to make my qubes reproducible using salt. This requires creating templates themselves from salt - but templates must be cloned from an existing template, and there’s no easy way that I know of to ensure that this “base” template is not-tainted.

I accept the cost of the disk space for the benefit of having a vanilla template.

When I salt I usually begin with minimal templates. You can see this with most of the examples in my salt shaker

If you are going this route it really helps to use a caching proxy - it cuts down on network use and speeds updates and installs. I use apt-cacher-ng - packaged here

I never presume to speak for the Qubes team. When I comment in the Forum I speak for myself.

I have a pristine base template. It is not touched.
It’s named tmpl-fedora-xfce-fc42
Then I’ve cloned it to my various production templates in which I install needed apps or repositories, like tmpl-protonvpn or tmpl-multimedia.

Tried to install proxy-catcher-ng but it refused to work for me.


I just follow @unman’s advice and it’s working like a charm with Debian templates. apt-cacher-ng was not so great with Fedora and I never took the time to get it to work.

If you use Qubes 4.3 you can prohibit the start of your “base” template.

It is better to start with full templates, not minimal. Once you’re comfortable, you can try the second option; it’s easy to switch your app qubes from a full template to a minimal one, especially with salted qubes and consistent naming.

Remember that Qubes OS is reasonably secure, so a multimedia template like the one of @KitsuneNoBaka might be a good approach, depending on your needs.


Cloning a template (or any qube) is generally copy-on-write, so the clone will initially share all of its storage data with the original. Only when you modify either the clone or the original (e.g. by installing additional or updated packages) will they gradually diverge and take up additional disk space for the modified parts of the storage data.


Good question! I usually leave the “official” templates like debian-13-xfce untouched, unless I’m missing a tool or some software that I genuinely want to have available in practically all templates (and AppVMs) cloned from it.

Since I have enough disk space, I create a dedicated “custom template” as needed, for example for VPN access, P2P and media, backup, or printing. This way, I can keep all these functions cleanly separated.

In these “custom templates” I then install the tools and programs required for proper operation, and based on that I create the corresponding AppVM.

For each “custom template” there is exactly one AppVM.

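The pattern the replies converge on (an untouched base, a cloned custom template, one AppVM on top), written as Salt states. This is an added example, not code from any poster in the thread or from the Qubes project; the names tmpl-media and media, the package vlc, the label and the file paths under /srv/salt/media/ are assumptions.

```yaml
# --- dom0: /srv/salt/media/clone.sls (assumed path) ---
# Clone the untouched official template; only the clone gets modified.
# Apply with: sudo qubesctl state.apply media.clone
tmpl-media-clone:
  qvm.clone:
    - name: tmpl-media          # hypothetical custom template name
    - source: debian-13-xfce    # base template from the question, left unmodified

# --- dom0: /srv/salt/media/install.sls (assumed path) ---
# Executed inside the clone, not in dom0 and not in the base template.
# Apply with:
#   sudo qubesctl --skip-dom0 --targets=tmpl-media state.apply media.install
tmpl-media-packages:
  pkg.installed:
    - refresh: True
    - pkgs:
      - vlc                     # sample package, replace with the app you need

# --- dom0: /srv/salt/media/create.sls (assumed path) ---
# The single AppVM that uses the custom template.
# Apply with: sudo qubesctl state.apply media.create
media-appvm:
  qvm.present:
    - name: media               # hypothetical AppVM name
    - template: tmpl-media
    - label: orange
```

Because install.sls is only ever targeted at tmpl-media, debian-13-xfce stays a usable source for every later qvm.clone.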