1- Given how many of these I have I figured posting in different threads would be more like some kind of horrific spam attack. I’ll also probably stand a better chance of maintaining these if there all in one place. But I admit its not ideal. For now I’m going to keep going before I loose my flow, but I’m open to reformatting in the future when I have time.
2 & 3 - Good points, I’ll try and incorporate them in my post at some point, but its gonna take some thought and I gotta finish my list first.
Sidenote: Startpage is, as you might expect given its name, a pretty good startpage. It provides a URL based (no cookies required) way to set your preferences you can manipulate without having to take firefox online (Startpage - Private Search Engine. No Tracking. No Search History.). Its the best solution for a homepage I’ve found so far since firefox gives you no way to disable “pocket” from its homepage without first going online.
How to make a minimal fedora printing qube for an espon printer without downloading drivers from the manufacturer or exposing its TemplateVM to any network
In my case this was for a Epson Workforce WF-2750. There’s a decent chance this approach won’t work for newer espon printers due to their closed source drivers.
(In dom0 terminal) sudo qubes-dom0-update qubes-template-fedora-36-minimal. This will download a fresh minimal template.
run “Qubes Update”, enable updates for qubes without known avalible updates, and update fedora-36-minimal
rename fedora-36-minimal to fedora-36-minimal-printing in Qube Manager
(In dom0 terminal) qvm-run -u root fedora-36-minimal-printing xterm
A new xterm will open, run the following installation commands in it:
1. sudo dnf install qubes-core-agent-networking
2. sudo dnf install qpdfview-qt5 (so you can find and open docs printed as pdf and sent over from other qubes.)
3. sudo dnf install system-config-printer
4. sudo dnf install cups
5. sudo dnf install epson-inkjet-printer-escpr
6. sudo dnf install epson-inkjet-printer-escpr2 (Optional, may make some newer epson printers work if the previous package didn’t)
7. close the terminal and shut down the qube (its needs restarting to get the cups services running)
qvm-run -u root fedora-36-minimal-printing xterm again to start the template back up, type sudo system-config-printer
(needs to run as root or you’ll get admin prompts you can’t pass)
In print settings app:
1. click the add button
2. open network printer
3. click LPD/LPR Host or Printer
4. type your printers ip address into Host (You can get this from your router’s browser interface)
5. click forward
6. click Epson
7. Select your printer make and click forward
8. Assuming you’re happy with the names, click apply
9. Click cancel (IE don’t print a test page)
10. (optional) adjust your printer’s properties - > printer options so “Media size” is set to whatever your printers normal paper size is. Set any other default settings you desire while you’re there.
Create a new qube called “printing” in qubes manager. (AppVM, fedora-36-minimal-printing, sys-firewall)
(more secure, but optional) Change your new qubes settings so its marked as a disposable template and has a firewall rule limiting outgoing connections to your printer’s ip address. Add print settings and qpdfview to its applications.
(optional) Change the default disposible template in which ever qube you do your printing from to your printing qube so you can quickly send your “printed” pdfs to it via right click “view in disposibleVM”
How to get Intellij Ultimate (Snap store) to work in Qubes OS
Instructions
Follow the official Qubes OS instructions here for downloading applications off the snap store: How to install software | Qubes OS
Except for step 2 you need to use: sudo snap install intellij-idea-ultimate --classic
Afterwards intelliji will be installed and visible, but running it will not launch anything.
Copy
/var/lib/snapd/desktop/applications/intellij-idea-ultimate_intellij-idea-ultimate.desktop
to
/home/user/.local/share/applications/
Rename the file . Eg “tweaked-intellij-idea-ultimate.desktop”
Edit .desktop, change the “Name” field to something else, eg “Tweaked Intellij Idea Ultimate”
change the exec field to Exec=snap run intellij-idea-ultimate
in qube manager refresh this qubes applications and add “Tweaked IntelliJ Idea Ultimate” or whatever you called it.
Change System Tools > Mouse and Touchpad > Theme >Cursor Size. (So your mouse cursor is adjusted like everything else.)
If desired play with your Xfce panel settings to tweak spacing (using separators), sizes and icon sizes/layout within items.
Sidenote: I was aiming for x2 UI resolution and ended up setting my dpi to 192 everywhere and setting mouse cursor size to 48. This isn’t perfect x2 because the spaces between UI elements aren’t always increased, but its entirely usable and quite pretty.
If you also want Intellij Ultimate working at x2 on 4k:
Within Intellij go to Settings > Appearance and Behaviour > Appearance > Use custom font
Be careful, launching firefox in your DispVM-Template is not recommended, since it’ll create a permanent profile that will be subject to profile fingerprinting.
The recommended approach is to create a policies.json file in your TemplateVM that will be used to customize new firefox profiles.
If your Dom0 taskbar/panel seems inexplicably immune to the changes impacting the rest of your Dom0 UI its probably because you didn’t have “save session for future logins” ticked as you logout/restart/shutdown. (So if you’ve previously disabled this via “session and startup” that’s why it isn’t working.) You only need to tick “save session for future logins” once after your change, you can untick it afterwards if you don’t like letting your session save.
Fedora 36 minimal
Changes in Fedora 36 seemingly broke most of the tricks in Anon81475885’s guide so we have to go rogue at this point.
Open a terminal in your AppVM and type: gsettings set org.gnome.desktop.interface color-scheme "prefer-dark"
(That’ll sort out libreoffice, nautilus/files and standard gnome apps like calculator.)
Then create ~/.config/gtk-3.0/settings.ini and make sure it includes:
[Settings]
gtk-application-prefer-dark-theme=1
(That’ll sort out GTK3 apps like xed )
Open a root terminal in your TemplateVM and type: sudo dnf install adwaita-qt5
Then edit your template’s /etc/environment file to include: QT_STYLE_OVERRIDE=adwaita-dark
(That’ll sort out QT5 apps like qpdfview, but they’ll frequently be missing icons – sorry I don’t have a solution for this yet.)
Eeek, good catch! I’ve put a big warning on my post for now, i’ll revisit it or delete it in the future. I’ve been tidying up weeks of notes most the day and I need a break from my own scribblings.
I’m going to appeal for help with something completely unrelated elseware on the forum and call it a day. Thanks for the feedback, please keep it coming if you spot any more issues!
Thanks for sharing notes with us.The others might consider customizing default Firefox this way, not messing with opening it in any template.
Setting non-existing search engine as the default in Firefox can be found in the last post is in the topic from my quote and it’s basically the same you pointed to.
There’s no any flaw. You are mixing two terms: customizing and fingerprinting. I have never spoken about the latter one.
I simply want my Firefox to looks and acts the same way I start it as a regular user who cares about security (by being secure while online, as well as not starting it in any template among other things), not the one who’d want something to hide.
Fingerprinting is completely different topic there, and for it I’d never use Firefox, because fingerprinting is about anonymity and as we all know Qubes is about security. For anonymity, there’s Whonix there, for example…
But let’s not spam the topic, or maybe it’s a good idea people to read this here and to reconsider their deployment scenarios…
You can customize and de-fingerprint simultaneously. I just got a totally disposable browser to come up configured the way I want it, the first time, with no old profile being used; it is, in other words, becoming what I want the first time it’s run. And it has the arkenfox fingerprint stuff and other “hardenings” from his setup.
In short outline:
Create a template with a fresh firefox install on it.
Create a dvm template based on that.
Start up firefox in the dvm template.
Set up firefox the way you like it–do nothing else.
Grab the .mozilla/firefox/aaaaa-/prefs.js file from that machine and copy it somewhere else. The aaaa will be the profile name that firefox set up for you. There will likely be two of them, one will be empty, the other will have -esr in the name.
This file will be full of a lot of cruft, but you can experiment with removing things from it and then dropping it into the same directory on the dvm template (not the disposable) but name it user.js when you do so. Running firefox in disposables should let you see what the effect is.
NB: You cannot set the default browser in this way. The best I was able to do was set up the separate search bar, deactivate searching in the main URL bar, force it to only show my favorite search engine as a suggestion. But in the separate search bar, it still defaults to google. You will have to follow the instructions about policies in the link, and further down in the thread is the actual policy that will finally drive a stake through google.
Thanks. Probably it would help someone. Where it doesn’t suit me is
I never start anything in any qube that is in any way a template, except terminal and file manager.
Above, I explained how to do that by starting it in a dispVM. Get the profile there and do what you like to with it later.
Customizing might contain de-fingerprinting as well. But as I said, I don’t use Firefox in order not to be fingerprinted. I use Firefox when I actually want to be fingerprinted: online banking, logging to trusted sites and services, etc. To do this securely, I set Firefox dispVM with 800MB RAM and run dispVM (Firefox) per site. Separate dispVM (Firefox) is started for searches only (and when search on Google, exclusive dispVM for that). I don’t see a point to harden Firefox in order to log in to bank portal and to a gmail in the same instance of Firefox. I cannot be assured that can be achieved so I assume it is not feasible, thus run separate dipsVMs.
Huh, there’s an edit timer isn’t there? So I can no-longer go back and correct/improve my guides based on feedback?
Well, looks like I didn’t think this through .
Regarding your third point here. I could be mistaken but I think anyone who (like me) has been forced to do the steps outlined in my “How to install Qubes OS when your motherboard hates it” instructions will have a system which bypasses/ignores grub.cfg and skips straight to xen.cfg. (Mostly because that seems to be what the official fix recommends, though I think restoring grub is possible.)
So, (I haven’t tried it,) but I suspect your solution might not work on my system, at least not without me restoring grub first.
Your point regarding sudoedit seems very good to me though and if I could edit my posts i’d be inclined to put that in.
Thanks, sounds promising, I’ll try this out when I get time.
…I should have said, I consider that initial DVM template to be a throwaway–you delete it after you get what you wanted out of it. Which makes that template a de facto disposable. With a dvm template you have the luxury of running it multiple times and tweaking what you did before. But then if you’re going to do that you might as well treat it like an AppVM…which is what it is, in fact, anyway. (That’s why I’m not quite as fussy as you are when it comes to DVM templates–I’m willing to “run” them once or twice for the purposes of making a configuration right though it’s not preferred. Make it a TemplateVM on the other hand, and I go Full Frontal Qubes on people…)
Be that as it may, you could certainly do that step in a DVM itself, but of course you have to grab the files you want before shutting it down!