Fom’s giant list of Qubes OS workarounds, tweaks and shenanigans

Whenever I hop to a new operating system I tend to end up with pages and pages of notes on how I got said operating system working “exactly the way I want”. This way I don’t have to waste two weeks starting from scratch if I put the OS on another computer some time in the distant future.

I love Qubes, but its unique nature combined with my uncanny ability to find hardware and software which hates it has necessitated my largest set of notes yet. I’ve decided to share my notes here on the off chance they can shave an evening or two off somebody else’s Qubes OS journey.

But first, some disclaimers:

  • Most of these notes were written for R4.1.1; with a little luck future releases will render some of the instructions here obsolete.
  • I am a random person on the internet. You have no way of knowing I’m not malicious or dangerously incompetent. If you don’t understand the commands I’ve included here, google them before you go typing them into your computer.
  • The majority of the solutions here come from better informed users on these forums or elsewhere; I’ve just expanded on them or reworked them into a format I find easier to digest. I’ve tried to credit my sources where I’ve been able to remember them.
  • Some of these solutions have absolutely nothing to do with Qubes OS whatsoever and could be necessary in any Linux distro; they just happen to be things I want to do on Qubes OS.

How to install Qubes OS when your motherboard hates it

It seems like some motherboards, MSI ones particularly, hate Qubes OS and won’t be able to find it after you’ve installed it, or generally have other problems booting.

Credit goes to

51lieal: UEFI boot: no Qubes OS option - #3 by 51lieal
maxi: Qubes R4.1 no proper boot device - #16 by maxi
Qubes OS Team:
UEFI troubleshooting | Qubes OS

Instructions

  1. Make absolutely sure the hard drive you’re installing Qubes on is completely wiped first. In my experience R4.1.1 cannot install templates if you only cleaned out previous installations using its default provided tools. If you’re on a newer MSI board you can use “Secure Erase+” from the MSI bios to completely wipe the drive.

  2. If you’re particularly paranoid and don’t trust your USB input devices unplug them first (IDK what I’m talking about here tbh. I just vaguely recall reading this somewhere.)

  3. Follow the documented install approach (Install Qubes OS R4.1.1 from the GNU grub menu). Installer should proceed normally, though at the time of writing it won’t match the official installation instructions exactly simply because those instructions were not written for R4.1.1

  4. The installer might hang at “running post-installation scripts” near the end. If this happens it’ll stay there for ages and you might not even notice any busy light flickering from your motherboard. It’s not dead! Go make a snack or something and come back, it will (eventually) finish.

  5. The installer should claim it’s complete; select the reboot system button. Your restart might end up hanging indefinitely or otherwise taking a long time; just turn the computer off if this is happening.

  6. Remove your installation medium.

  7. Turning your computer back on you’ll find the OS won’t actually boot, you’ll just cut straight to the UEFI bios. The bios will have no indication of a bootable medium on your hard drive. If the OS DOES boot then congratulations, enjoy your Qubes OS! (You lucky sod… Wait, why are you even reading this?)

  8. Shutdown and reattach your installation medium.

  9. Boot into qubes rescue mode using your installation medium (The last option on the grub menu: “Rescue a Qubes OS system”)

  10. Type 1 and press enter (for continue), then enter your password.

  11. It’ll probably complain that you don’t have any linux partitions, press enter and let it move on to the shell.

  12. Type fdisk -l and examine the output. You want to find the device/addresses of your boot and efi partitions. EFI should be labelled under “type” and be obvious, boot will probably be the smaller of the two remaining Linux filesystem partitions.

  13. Mount those two partitions with
    mount <BOOT PARTITION DEVICE/ADDRESS> /mnt
    mount <EFI PARTITION DEVICE/ADDRESS> /mnt/efi

  14. Examine the contents of /mnt/efi/EFI/qubes.
    cd /mnt/efi/EFI/qubes
    ls
    You’ll probably be missing several key files, namely xen.cfg, vmlinuz- and initramfs-.img. If they exist, congratulations, the installer hates you less than me! You can skip to step 17.

  15. The latter two of these missing files can be copied from mnt using:
    cd /mnt
    ls
    cp /mnt/vmlinuz-<KERNEL VERSION> /mnt/efi/EFI/qubes/
    cp /mnt/initramfs-<KERNEL-VERSION>.img /mnt/efi/EFI/qubes/

  16. The missing .cfg you’ll have to make yourself.
    1. Note down your kernel version from the previous two files, or use uname -r to get it. (You’ll need to be able to type it out in a moment without seeing it in the console)
    2. return to the qubes folder.
    cd /mnt/efi/EFI/qubes
    3. make an empty xen.cfg file
    echo > xen.cfg
    4. use vim to begin editing the file.
    vi xen.cfg
    5. You need to make it look like this:

    [global]
    default=<KERNEL-VERSION>
    
    [<KERNEL-VERSION>]
    options=loglvl=all dom0_mem=min:1024M dom0_mem=max:4096M
    kernel=vmlinuz-<KERNEL-VERSION> root=/dev/mapper/qubes_dom0-root rd.lvm.lv=qubes_dom0/root rd.lvm.lv=qubes_dom0/swap i915.preliminary_hw_support=1 rhgb quiet
    ramdisk=initramfs-<KERNEL-VERSION>.img
    
    6. When you’re done press ESC, this will change you from insert mode to normal mode.
    7. Type :wq! to save your changes (or :q! to not save them if something went wrong)
  17. Now copy your newly repaired qubes folder to /mnt/efi/EFI/BOOT
    cp -r /mnt/efi/EFI/qubes/. /mnt/efi/EFI/BOOT

  18. Rename the xen.cfg in BOOT to BOOTX64.cfg
    mv /mnt/efi/EFI/BOOT/xen.cfg /mnt/efi/EFI/BOOT/BOOTX64.cfg

  19. Override qubes/xen.efi with its neighbouring versioned xen efi file (xen-[XEN VERSION].efi). You can use the usual combinations of cd and ls to inspect its folder and find out what it’s currently named.
    cp /mnt/efi/EFI/qubes/xen-<XEN VERSION>.efi /mnt/efi/EFI/qubes/xen.efi

  20. Copy the versioned xen efi file over to /mnt/efi/EFI/BOOT, renaming it in the process
    cp /mnt/efi/EFI/qubes/xen-<XEN VERSION>.efi /mnt/efi/EFI/BOOT/BOOTX64.efi

  21. Now use cd to move back to root (just in case you were in a folder we’re about to unmount)
    cd

  22. Then unmount everything we mounted earlier
    umount <EFI PARTITION ADDRESS>
    umount <BOOT PARTITION ADDRESS>

  23. And shutdown. (Much like 51lieal, I’ve found restarting Qubes seems to hang)
    shutdown now

  24. Remove your installation medium

  25. After rebooting your pc you should now, finally, see the post installation configuration. If this completes fine you’re done and can stop following these steps, hooray! However if you’ve got an intel ethernet port you’ll probably encounter the following error message at the very end:

[‘/usr/bin/qvm-start’, ‘sys-firewall’] failed:
stout: “”
stderr “start failed: internal error: unable to reset PCI device 0000:00:1f.6: no FLR, PM reset or bus reset available, see varlog/libvirt/libxl/libxl-driver.log for details

  26. I’ve found in the past that sys-usb won’t be running yet, so I tend to shutdown here and turn my computer back on rather than plugging in any USB input devices I inexplicably don’t trust.

  27. Plug back in any USB devices you removed earlier then turn back on your computer. (sys-usb should run this time.)

  28. sys-net and sys-firewall will fail to start due to the earlier error. In my case this was due to the PCI device: intel corporation Ethernet connection (7) I219-V.

  29. If like me MSI blessed you with a second ethernet port you can simply go into the qubes manager, then sys-net’s settings and remove the intel Ethernet using the devices tab and click apply. (If you attempt to manually start it before doing this you’ll end up stuck until you reboot.) If not you’ll need to follow the instructions here: PCI troubleshooting | Qubes OS (I haven’t followed them yet so can’t be much help, sorry)

  30. Shut your computer down and turn it back on again. Congratulations, you’ve reached basic functionality, wasn’t that fun? :wink:


How to update Qubes OS when your motherboard hates it

If you had to follow my convoluted install instructions above then running the Qubes Update alone isn’t sufficient to update your computer’s kernel or xen. Your computer (seemingly) will still boot fine, but you won’t be benefiting from certain security updates unless you follow these instructions.

After you’ve run through these instructions once your root terminal will have cached the commands and you can re-access them by pressing up on the keyboard, making future updates less of a nightmare. For me having to keep manually repeating this probably represents the greatest threat to the stability and safety of my system, so I might look into making a bash script for this or something.

Note you don’t technically need to follow these instructions for every dom0 update, but I have no confidence in my ability to determine when it is and isn’t necessary, so I just do it every DOM0 update.

Credit goes to

The same fine folks as it did for the last set of instructions.

Instructions

  1. Update dom0 using the Qubes update app if you haven’t already.

  2. Open “terminal emulator” (dom0 terminal)

  3. Make your terminal root.
    sudo -s

  4. Delete the old /mnt/efi/EFI/BOOT just to be safe.
    rm -r -f /boot/efi/EFI/BOOT

  5. Now copy your qubes folder to BOOT
    cp -r /boot/efi/EFI/qubes/. /boot/efi/EFI/BOOT

  6. Rename the xen.cfg in BOOT to BOOTX64.cfg
    mv /boot/efi/EFI/BOOT/xen.cfg /boot/efi/EFI/BOOT/BOOTX64.cfg

  7. Override qubes/xen.efi with its neighbouring versioned xen efi file (xen-[XEN VERSION].efi)
    cp /boot/efi/EFI/qubes/xen-<XEN VERSION>.efi /boot/efi/EFI/qubes/xen.efi
    (type y and enter to override)
    TBH I have no idea if/why this is necessary, but given it’s in the official support, better safe than sorry. You can use the cd and ls commands to inspect your existing files and find the xen version in the filename.

  8. Copy the versioned xen efi file over to BOOT, renaming it in the process
    cp /boot/efi/EFI/qubes/xen-<XEN VERSION>.efi /boot/efi/EFI/BOOT/BOOTX64.efi

  9. Close the terminal and shut down your computer; if everything went right the changes will take effect when you next boot
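
The update steps above, written as the kind of bash script the post mentions wanting. This is an added example, not part of the original post and not Qubes OS tooling. It assumes the EFI/qubes layout described above; the function names and the BOOT.new staging folder are made up for the example, it picks the highest-versioned xen-*.efi with sort -V, and it checks the source files before replacing BOOT instead of deleting BOOT first.

```bash
#!/bin/bash
# Added example, not from the original post: rebuild EFI/BOOT from EFI/qubes
# after a dom0 update. Function names and BOOT.new are this example's choices.
# Run as root in dom0:  ./sync-efi-fallback.sh /boot/efi/EFI

# Print the value of KEY inside [SECTION] of a xen.cfg-style file.
cfg_value() {   # cfg_value FILE SECTION KEY
    awk -v want="[$2]" -v key="$3" '
        /^\[/ { in_sec = ($0 == want); next }
        in_sec && index($0, key "=") == 1 { print substr($0, length(key) + 2); exit }
    ' "$1"
}

# Print the path of the highest-versioned xen-<XEN VERSION>.efi in DIR.
newest_xen_efi() {   # newest_xen_efi DIR
    local f
    for f in "$1"/xen-*.efi; do
        [ -f "$f" ] && printf '%s\n' "$f"
    done | sort -V | tail -n 1
}

# Check that the default entry of DIR/CFG names a kernel and ramdisk that
# really exist in DIR (the files the install guide found missing).
verify_cfg_files() {   # verify_cfg_files DIR CFG
    local dir cfg entry kernel ramdisk
    dir=$1
    cfg=$1/$2
    [ -f "$cfg" ] || { echo "missing $cfg" >&2; return 1; }
    entry=$(cfg_value "$cfg" global default)
    [ -n "$entry" ] || { echo "no default= in $cfg" >&2; return 1; }
    kernel=$(cfg_value "$cfg" "$entry" kernel)
    ramdisk=$(cfg_value "$cfg" "$entry" ramdisk)
    kernel=${kernel%% *}      # drop the kernel command line, keep the file name
    ramdisk=${ramdisk%% *}
    if [ -z "$kernel" ] || [ ! -f "$dir/$kernel" ]; then
        echo "kernel for [$entry] not found in $dir" >&2; return 1
    fi
    if [ -z "$ramdisk" ] || [ ! -f "$dir/$ramdisk" ]; then
        echo "ramdisk for [$entry] not found in $dir" >&2; return 1
    fi
}

sync_fallback_loader() {   # sync_fallback_loader EFI_ROOT
    local efi_root qubes_dir boot_dir staging xen_efi
    efi_root=$1
    qubes_dir=$efi_root/qubes
    boot_dir=$efi_root/BOOT
    staging=$efi_root/BOOT.new

    # Validate the source first so a bad update never replaces a working BOOT.
    verify_cfg_files "$qubes_dir" xen.cfg || return 1
    xen_efi=$(newest_xen_efi "$qubes_dir")
    [ -n "$xen_efi" ] || { echo "no xen-*.efi in $qubes_dir" >&2; return 1; }

    # qubes/xen.efi <- versioned binary (step 7 of the update instructions).
    cp -f "$xen_efi" "$qubes_dir/xen.efi" || return 1

    # Stage the new folder beside the old one; this needs free space on the
    # EFI partition for a second copy of the kernel and initramfs.
    rm -rf "$staging"
    mkdir "$staging" || return 1
    cp -r "$qubes_dir/." "$staging" || return 1
    mv "$staging/xen.cfg" "$staging/BOOTX64.cfg" || return 1
    cp "$xen_efi" "$staging/BOOTX64.efi" || return 1

    # Swap: only now is the old BOOT removed.
    rm -rf "$boot_dir"
    mv "$staging" "$boot_dir"
}

# Nothing is touched unless an EFI directory is passed on the command line.
[ "$#" -eq 0 ] || sync_fallback_loader "$1"
```
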

How to stop the mouse cursor being glitchy/laggy when attempting to change icon (EG when moved to the border of a window)

Like me you probably thought you’d just use an intel processor for your graphics and call it a day. After all you won’t benefit from GPU acceleration outside of DOM0 and the official Qubes OS system requirements recommend an intel graphics processor. Oh sweet summer child, once again you have unknowingly chosen a path wrought with peril :wink: .

Credit goes to

Taradiddles, Andrewdavidwong and bxatnarf - Contents/intel-igfx-troubleshooting.md at master · Qubes-Community/Contents · GitHub

Instructions

  1. Open “Terminal Emulator”
  2. Type
    sudo vi /etc/X11/xorg.conf.d/20-intel.conf
  3. type i to enter insert mode
  4. Type out the following:
    Section "Device"
        Identifier "Intel Graphics"
        Driver "Intel"
    EndSection
  5. Esc then :wq! to save & exit
  6. Turn your machine on and off
  7. Set up your display settings again as they’ll have reset

Bonus Steps

These are recommended by the github troubleshooting page but didn’t seem to make any noticeable difference in my case.

  1. Open “Terminal Emulator”
  2. Type
    sudo vi /boot/efi/EFI/qubes/xen.cfg
  3. i to enter insert mode
  4. under whatever kernel is the latest (which should match what’s written next to default at the start), add the following text to the end of the kernel line
    i915.force_probe=*
  5. esc then :wq! To save and exit
  6. If you had to follow my instructions for motherboards that hate Qubes OS previously, you’ll need to copy xen.cfg somewhere your firmware can read afterwards:
    sudo cp /boot/efi/EFI/qubes/xen.cfg /boot/efi/EFI/BOOT/BOOTX64.cfg

Workarounds for the UI for unencrypting your hard drive being laggy

If you ended up following my instructions for installing Qubes OS on a motherboard that hates it, you probably didn’t have any UI for unencrypting (outside of the text interface) only for some to miraculously spring into existence after you updated.

Sadly this GUI (whilst very pretty) can be subject to the same problems as the mouse cursor in the issue mentioned above, and is a lot more painful to solve.

In this scenario the best I’ve been able to come up with is removing the UI altogether and unlocking using the text interface. So, just to make clear, the instructions below do not fix the UI, just hide it.

Instructions

  1. Open “Terminal Emulator”
  2. Type
    sudo vi /boot/efi/EFI/qubes/xen.cfg
  3. Under whatever kernel is the latest (which should match what’s written next to default at the start), move your cursor to rhgb and press x until you’ve erased it.
  4. Type :wq! and hit enter to save and exit.
  5. If you had to follow my instructions for motherboards that hate Qubes OS previously, you’ll need to copy xen.cfg somewhere your firmware can read afterwards:
    sudo cp /boot/efi/EFI/qubes/xen.cfg /boot/efi/EFI/BOOT/BOOTX64.cfg

I DON’T recommend adding “i915.modeset=0” to kernel in xen.cfg. This fixes the pretty GUI so it runs smoothly, but breaks the rest of the boot process, locking you out of your machine.

Forcing changes to the monitor resolution of your second display to persist (IE not vanish after every reboot)

For whatever reason I found my second monitor wouldn’t stay on my preferred resolution after restarts. I’m not sure if this is by design or because I’m reluctant to let my XFCE sessions save on shutdown. In any case the solution is straightforward.

Instructions

  1. Open System Tools → Display
  2. Configure your displays to how you want them, apply
  3. Click the advanced tab
  4. Use the little + page button under profiles to make a new profile.
  5. Press the little download(ish) button under profiles to make sure your current settings are applied to your profile
  6. Under connecting displays toggle on “configure new displays when connected” and “automatically enable profiles when new display is connected”.

How to change your machine to a static local IP address

Instructions

  1. Right click the icon for the network manager applet in your notification area at the top right corner of your screen. (Assuming you haven’t moved your panel.)
  2. Click edit connections, then select and edit the connection you want static by using the cog button.
  3. Go to the IPv4 settings tab
  4. Change method to manual
  5. Add a new address with the ip address you want, your router’s ip address for gateway and 24 for Netmask. (Other netmask values might be more appropriate, I just know 24 is a good fit for my router.)
  6. Unlike in Linux Mint (which uses the same network manager) this tab needs to have a DNS server specified to work. Just make it the same as your gateway, or Google’s DNS if you don’t trust your ISP to be competent.
  7. Save and close the windows.
  8. Toggle enable networking on and off via right clicking the network manager applet.
  9. You should now have your static ip.

How to get Tutanota working in a fedora-36-minimal qube

I initially spent a very long time trying to get the Tutanota flatpak working (which is officially supported, albeit reluctantly.) However try as I might I couldn’t get it to play nice with gnome-keyring. Even with seahorse and gnome-keyring-pam installed it couldn’t store both its keys in any keyring. I think this is more of an issue with the current flatpak than my setup, so I’ve been forced to fall back to the publisher-recommended AppImage instead. But the AppImage autoupdates quite nicely, so it’s no great loss.

Instructions

  1. Install a minimal fedora template via the official instructions: Minimal templates | Qubes OS
  2. Use “Qubes Update” and “Enable update for qubes without known available updates” to update your new minimal template.
  3. Clone/rename the minimal template using “Qube Manager”
  4. launch a root terminal for the template using “Terminal Emulator”
    qvm-run -u root [TEMPLATE NAME] xterm
  5. In the newly opened xterm terminal install gnome keyring and the qubes networking agent. (And optionally notification daemon):
    sudo dnf install gnome-keyring
    sudo dnf install qubes-core-agent-networking
    sudo dnf install notification-daemon (Only required if you want to see notifications from Tutanota)
  6. Close your terminals and shut down your template qube using “Qube Manager”
  7. Make a new AppVM qube which uses your new template using “Qube Manager”
  8. In whatever qube you use for internet browsing download the Tutanota appimage from their official website.
  9. Open your file browser, right click the downloaded appimage and use “Copy to Other AppVM” to send the appimage to the AppVM you just created.
  10. Run terminal (Xterm) in your new AppVM
  11. Running your applications from inside the “Qubes Incoming” folder strikes me as a bad idea, so move your AppImage into home
    mv QubesIncoming/[VM-you-downloaded-it-in]/tutanota-desktop-linux.AppImage $HOME
  12. Close your current terminal and launch a root terminal from dom0 (Terminal Emulator) for your app vm
    qvm-run -u root [APPVM-NAME] xterm
  13. Make the appimage executable
    sudo chmod +x /home/user/tutanota-desktop-linux.AppImage
  14. Close the root terminal you launched (and dom0 which launched it) then open a normal instance of xterminal in your appvm
  15. Run the app image
    ./tutanota-desktop-linux.AppImage
  16. In the “Choose password for new keyring” window that opens, leave both the password and confirm fields empty and click continue
  17. In the “Store passwords unencrypted” window click continue.
    (IMO there’s no harm in this, you have to unlock the keychain to use it even if it is unencrypted, at which point your login token would be just as vulnerable to exploits in the tutanota app as it is via the unencrypted approach. By default in qubes your entire-OS should be encrypted and be utilized by a single user, so encrypting that token is fairly pointless in our case. If you do choose to encrypt it you’ll have to unlock the keychain every first app launch in the qube session, which will suck.)
  18. In the desktop integration window tick don’t ask again for this file and click yes
  19. In “Qube Manager” open the settings for your new app qube, refresh its applications. Tutanota Desktop should now be available there.
  20. While you’re in settings consider increasing your private storage max size to accommodate your inbox.
  21. You should now be able to launch a working version of Tutanota.

Installing discord in a fedora minimal template (Via flatpak, because the official download’s auto updates suck)

Instructions

  1. Install a minimal fedora template via the official instructions: Minimal templates | Qubes OS
  2. Use “Qubes Update” and “Enable update for qubes without known available updates” to update your new minimal template.
  3. Clone/rename the minimal template using “Qube Manager”
  4. launch a root terminal for the template using “Terminal Emulator”
    qvm-run -u root [TEMPLATE NAME] xterm
  5. In the newly opened xterm terminal install gnome keyring, qubes networking agent and pulseaudio. (And optionally notification daemon):
    sudo dnf install gnome-keyring
    sudo dnf install qubes-core-agent-networking
    sudo dnf install pulseaudio-qubes --allowerasing (You need to let it erase the stuff already there blocking the install)
    sudo dnf install notification-daemon (Only required if you want to see notifications from discord)
  6. Close your terminals and shut down your template qube using “Qube Manager”
  7. Make a new appVM (that uses the template you just made), increase its private storage max size to 3 gb.
  8. Launch a terminal in your new appVM
  9. Add the flathub repo
    flatpak --user remote-add --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo
  10. Install discord from flathub
    flatpak --user install flathub com.discordapp.Discord
  11. type y to install required runtimes
  12. type y to proceed
  13. after install completes close your terminal
  14. Refresh applications using your appVm’s settings in Qube Manager, add discord to your selected apps.
  15. Launch discord
  16. Assign your mic to your appvm in qubes devices toolbar widget
  17. In dom0 “audio mixer” / “Volume control” make sure Port in input device is set correctly and you can see the bottom line moving up and down as you talk. Then in recording tab make sure your app is set to built-in audio analogue stereo (assuming you’re using an audio jack.).
  18. You should now be good to go, you’ll have to repeat steps 16 and 17 most times you launch discord.

If you want to get discord to automatically install flatpak updates pre-launch (rather than relying on you to check and install them manually), then also do the following:

  1. copy /home/user/.local/share/flatpak/app/com.discordapp.Discord/x86_64/stable/active/export/share/applications/com.discordapp.Discord.desktop to /usr/share/applications
  2. Rename it update-then-discord.desktop
  3. open the .desktop file and change its name line to “Update Then Discord”
  4. edit the exec line so it’s
    sh -c "flatpak update -y; /usr/bin/flatpak run --branch=stable --arch=x86_64 --command=discord com.discordapp.Discord"
  5. refresh applications, replace discord with Update Then Discord

How to get Zulucrypt to work from a fedora-36-minimal template

Credit goes to

Roland Rutschmann - Bug #1880295 “zulucrypt-gui asks for root rights” : Bugs : zulucrypt package : Ubuntu

Instructions

  1. Install it the same way you’d install anything on a minimal template.

  2. Edit: /usr/share/polkit-1/actions/org.zulucrypt.zulupolkit.policy (you’ll need root)

  3. Change <allow_active>auth_admin</allow_active> to <allow_active>yes</allow_active>

I’ve also had issues trying to open veracrypt files with image keyfiles which I resolved by removing their keyfile requirements, just worth noting in the unlikely case that somebody else runs into the same problem.

Getting Files/Nautilus to launch in a different folder

Credit goes to

Enmus - Starting/launching an application with arguments/parameters (qvm-run) - #6 by enmus

Instructions

  1. Edit /usr/share/applications/org.gnome.Nautilus.desktop inside your qube which launches Nautilus.

  2. Add your desired “launch folder” to the end of the “Exec=” line.
    (E.g. nautilus /home/user/temp)

  3. Change “DBusActivatable=true” to “DBusActivatable=false”

Unfortunately this will also result in the Qubes domain Open File Manager option from the toolbar/panel opening two windows, I haven’t figured out how to solve this one yet.

Hello, first of all, great guides, I’m sure a number of users will benefit greatly from clear instructions.

I’d like to make a few comments if you don’t mind:

1 - Wouldn’t it be better to have these split up in separate, more easily searchable, threads? Perhaps @deeplow can help with that. Splitting them could also be beneficial when questions about the various guides start popping up.

2 - To edit files with an editor when sudo privileges are required, it’s actually preferred to use sudoedit. You may have to set the SUDO_EDITOR variable if you want to change your editor to, let’s say nano. This can easily be done by adding the variable to /etc/environment.
Read more about sudoedit here: sudoedit(8) - Linux manual page

3 - In this case it’s preferred to remove the rhgb parameter from /etc/default/grub and then regenerate the grub configuration file:

$ sudo sed -i 's/rhgb //g' /etc/default/grub
$ sudo grub2-mkconfig -o /boot/grub2/grub.cfg

Hi,

No worries, feedback very welcome.

1- Given how many of these I have I figured posting in different threads would be more like some kind of horrific spam attack. I’ll also probably stand a better chance of maintaining these if they’re all in one place. But I admit it’s not ideal. For now I’m going to keep going before I lose my flow, but I’m open to reformatting in the future when I have time.

2 & 3 - Good points, I’ll try and incorporate them in my post at some point, but it’s gonna take some thought and I gotta finish my list first.

How to get rid of the home, documents etc folders in the sidebar of the gnome file browser (Nautilus) in a debian qube

Instructions

In the file $HOME/.config/user-dirs.dirs change all the directories to be equal to “$HOME”

How to open all files in disposable qube

Instructions

  1. Just follow deeplow’s excellent guide here: Opening All Files in Disposable Qube

  2. Remove inode/directory from that guide’s mimeapps list or the Qube Domains Open File Manager option from the toolbar/panel will stop working.

How to change what application your disposable qube opens things in

Instructions

  1. In your disposable Qube’s template (The AppVM, not the actual template) edit
    /home/user/.local/share/applications/mimeapps.list

  2. In the file you’ll need to type the mimetype of the kind of file you’re opening in your disposable qube on the left. Deeplow’s mimeapps.list file here can serve as a good comprehensive reference for what mimetypes exist: https://raw.githubusercontent.com/freedomofpress/securedrop-debian-packaging/2dcb936f07773dfe643b1730d717a188728dd79c/securedrop-workstation-config/mimeapps.list.sd-app

  3. Then type an equals sign.

  4. Then type the name of the .desktop file for the application you want to open that filetype in. You can get these names from /usr/share/applications

  5. Then finish with a semicolon, add more lines for any other filetypes you want to handle.

Adding new search engines to firefox in a disposable qube’s template without taking it online

IMPORTANT - My approach below is seriously flawed if you’re worried about fingerprinting, see:

I’ll revisit the instructions below at some point in the future, or defer entirely to BEBF738VD guide (I haven’t read it yet :wink: )

Instructions

  1. Using the qube manager remove the NetVM from your Disposable Template (That’s the AppVM one, not its TemplateVM.)

  2. Launch it and run firefox.

  3. Follow jscher2000’s excellent guide in the first response of this support thread: Set up custom default search URL | Firefox Support Forum | Mozilla Support

  4. Shut down your qube.

  5. Restore its NetVM.

Sidenote: Startpage is, as you might expect given its name, a pretty good startpage. It provides a URL based (no cookies required) way to set your preferences you can manipulate without having to take firefox online (Startpage - Private Search Engine. No Tracking. No Search History.). It’s the best solution for a homepage I’ve found so far since firefox gives you no way to disable “pocket” from its homepage without first going online.

How to make a minimal fedora printing qube for an Epson printer without downloading drivers from the manufacturer or exposing its TemplateVM to any network

In my case this was for an Epson Workforce WF-2750. There’s a decent chance this approach won’t work for newer Epson printers due to their closed source drivers.

Credit to

Andrewdavidwong and runephilosof here: Contents/network-printer.md at master · Qubes-Community/Contents · GitHub

Instructions

  1. (In dom0 terminal) sudo qubes-dom0-update qubes-template-fedora-36-minimal. This will download a fresh minimal template.
  2. run “Qubes Update”, enable updates for qubes without known available updates, and update fedora-36-minimal
  3. rename fedora-36-minimal to fedora-36-minimal-printing in Qube Manager
  4. (In dom0 terminal) qvm-run -u root fedora-36-minimal-printing xterm
  5. A new xterm will open, run the following installation commands in it:
    1. sudo dnf install qubes-core-agent-networking
    2. sudo dnf install qpdfview-qt5 (so you can find and open docs printed as pdf and sent over from other qubes.)
    3. sudo dnf install system-config-printer
    4. sudo dnf install cups
    5. sudo dnf install epson-inkjet-printer-escpr
    6. sudo dnf install epson-inkjet-printer-escpr2 (Optional, may make some newer epson printers work if the previous package didn’t)
    7. close the terminal and shut down the qube (it needs restarting to get the cups services running)
  6. qvm-run -u root fedora-36-minimal-printing xterm again to start the template back up, type
    sudo system-config-printer
    (needs to run as root or you’ll get admin prompts you can’t pass)
  7. In print settings app:
    1. click the add button
    2. open network printer
    3. click LPD/LPR Host or Printer
    4. type your printer’s ip address into Host (You can get this from your router’s browser interface)
    5. click forward
    6. click Epson
    7. Select your printer make and click forward
    8. Assuming you’re happy with the names, click apply
    9. Click cancel (IE don’t print a test page)
    10. (optional) adjust your printer’s properties -> printer options so “Media size” is set to whatever your printer’s normal paper size is. Set any other default settings you desire while you’re there.
  8. Create a new qube called “printing” in qubes manager. (AppVM, fedora-36-minimal-printing, sys-firewall)
  9. (more secure, but optional) Change your new qube’s settings so it’s marked as a disposable template and has a firewall rule limiting outgoing connections to your printer’s ip address. Add print settings and qpdfview to its applications.
  10. (optional) Change the default disposable template in whichever qube you do your printing from to your printing qube so you can quickly send your “printed” pdfs to it via right click “view in disposableVM”

How to get Intellij Ultimate (Snap store) to work in Qubes OS

Instructions

  1. Follow the official Qubes OS instructions here for downloading applications off the snap store: How to install software | Qubes OS
    Except for step 2 you need to use:
    sudo snap install intellij-idea-ultimate --classic
  2. Afterwards IntelliJ will be installed and visible, but running it will not launch anything.
  3. Copy
    /var/lib/snapd/desktop/applications/intellij-idea-ultimate_intellij-idea-ultimate.desktop
    to
    /home/user/.local/share/applications/
  4. Rename the file, e.g. “tweaked-intellij-idea-ultimate.desktop”
  5. Edit .desktop, change the “Name” field to something else, eg “Tweaked Intellij Idea Ultimate”
  6. change the exec field to
    Exec=snap run intellij-idea-ultimate
  7. in qube manager refresh this qube’s applications and add “Tweaked IntelliJ Idea Ultimate” or whatever you called it.
  8. Launch from that instead.

How to make Qubes OS usable on 4k displays

Credit goes to

Sven - Does Qubes support 4K displays? - #3 by Sven

Instructions

  1. Follow Sven’s excellent instructions here: Does Qubes support 4K displays? - #3 by Sven (Obviously use /etc/ not /etx/ in your debian xresources path)
  2. Change System Tools > Mouse and Touchpad > Theme >Cursor Size. (So your mouse cursor is adjusted like everything else.)
  3. If desired play with your Xfce panel settings to tweak spacing (using separators), sizes and icon sizes/layout within items.

Sidenote: I was aiming for x2 UI resolution and ended up setting my dpi to 192 everywhere and setting mouse cursor size to 48. This isn’t perfect x2 because the spaces between UI elements aren’t always increased, but it’s entirely usable and quite pretty.

If you also want Intellij Ultimate working at x2 on 4k:

  1. Within Intellij go to Settings > Appearance and Behaviour > Appearance > Use custom font
  2. Double the font resolution in there,
  3. Then go to Editor > Font
  4. Double the Size in there