[Guide] Network Printing using disposable qubes based on Debian-minimal template

Introduction:

I have finally succeeded in setting up printing in Qubes OS, and I would like to share my process.

I have created the following:

  • print template based on Debian-11-minimal template with packages installed for printing, scanning, and viewing images and documents

  • disposable template configured for IPPS encrypted printing to my printer

  • named disposable qube based on the disposable template

Below are the two scripts that I made to accomplish this. The scripts were created in dom0 and are meant to be executed in dom0. Please read the comments to understand if and when user action is required, as well as the sections to be edited to your needs.

It is also worth noting that the second script is configured to set the Eye Of Gnome package (eog) as the default program for viewing image files. File types that are not supported by Eye Of Gnome will open in the default image viewer (currently ImageMagick).

Script for creating the template:

#!/bin/bash

SOURCE_TEMPLATE=debian-11-minimal
PRINT_TEMPLATE=deb11-min-print
STORAGE_QUBE=vault

# Clone debian-11-minimal template to make deb11-min-print template:

qvm-clone $SOURCE_TEMPLATE $PRINT_TEMPLATE

# Install necessary packages in deb11-min-print template:

qvm-run -u root --pass-io $PRINT_TEMPLATE 'apt-get update && apt-get install --no-install-recommends cups eog evince gedit ink libusb-0.1-4 nautilus qubes-core-agent-networking qubes-core-agent-passwordless-root simple-scan system-config-printer -y'

# If there are additional drivers required for your printer(s), uncomment the commands below.
#
# Copy any drivers required for your printer(s) from your STORAGE_QUBE specified at the top of this script (adjust commands below to your needs):
#
#qvm-run --pass-io $STORAGE_QUBE 'cat /home/user/printer-drivers/<DRIVER_1>.deb' | qvm-run --pass-io $PRINT_TEMPLATE 'cat > /home/user/Downloads/<DRIVER_1>.deb'
#
#qvm-run --pass-io $STORAGE_QUBE 'cat /home/user/printer-drivers/<DRIVER_2>.deb' | qvm-run --pass-io $PRINT_TEMPLATE 'cat > /home/user/Downloads/<DRIVER_2>.deb'
#
#qvm-run --pass-io $STORAGE_QUBE 'cat /home/user/printer-drivers/<DRIVER_3>.deb' | qvm-run --pass-io $PRINT_TEMPLATE 'cat > /home/user/Downloads/<DRIVER_3>.deb'
#
# Install printer drivers (adjust commands below to your needs):
#
#qvm-run -u root --pass-io $PRINT_TEMPLATE 'dpkg -i --force-all /home/user/Downloads/<DRIVER_1>.deb'
#
#qvm-run -u root --pass-io $PRINT_TEMPLATE 'dpkg -i --force-all /home/user/Downloads/<DRIVER_2>.deb'
#
#qvm-run -u root --pass-io $PRINT_TEMPLATE 'dpkg -i --force-all /home/user/Downloads/<DRIVER_3>.deb'
#
# Remove any driver deb files from the Downloads directory:
#
#qvm-run -u root --pass-io $PRINT_TEMPLATE 'rm -r /home/user/Downloads/*'

# Shutdown deb11-min-print:

qvm-shutdown --wait $PRINT_TEMPLATE

Script for creating the disposable template and a named disposable qube:

#!/bin/bash

PRINT_TEMPLATE=deb11-min-print
DISPOSABLE_PRINT_TEMPLATE=sys-print-template
DISPOSABLE_PRINT_QUBE=sys-print
STORAGE_QUBE=vault
NETWORK_QUBE=sys-firewall

# Create disposable template based on deb11-min-print:

qvm-create --class AppVM --template $PRINT_TEMPLATE --prop autostart=false --prop audiovm="" --prop netvm=$NETWORK_QUBE --prop template_for_dispvms=true --prop maxmem=0 --prop memory=400 --label gray $DISPOSABLE_PRINT_TEMPLATE

# Enable the appmenus-dispvm feature for the disposable template and add the Document Scanner application (simple-scan):

qvm-features $DISPOSABLE_PRINT_TEMPLATE appmenus-dispvm 1

qvm-features $DISPOSABLE_PRINT_TEMPLATE menu-items simple-scan.desktop

# If you have the Qubes App Menu (qubes-app-menu) installed and would like to add the Document Scanner application to the favorites tab, uncomment the command below:

#qvm-features $DISPOSABLE_PRINT_TEMPLATE menu-favorites @disp:simple-scan

# Restrict the disposable template to local network access using firewall rules (adjust for your own network):

qvm-firewall $DISPOSABLE_PRINT_TEMPLATE del --rule 0

qvm-firewall $DISPOSABLE_PRINT_TEMPLATE add accept 10.0.0.0/24

qvm-firewall $DISPOSABLE_PRINT_TEMPLATE add drop

# If you would like to install one or more self-signed certificates generated by your printer(s) in order to use IPPS encrypted printing, uncomment the commands below.
#
# Copy any certificates for your printer(s) from your STORAGE_QUBE specified at the top of this script (adjust commands below to your needs):
#
#qvm-run --pass-io $STORAGE_QUBE 'cat /home/user/printer-certs/cert.crt' | qvm-run --pass-io $DISPOSABLE_PRINT_TEMPLATE 'cat > /home/user/Downloads/cert.crt'
#
# Move certificate(s) to the proper directory for importing:
#
#qvm-run --pass-io $DISPOSABLE_PRINT_TEMPLATE 'sudo mv /home/user/Downloads/* /usr/local/share/ca-certificates/'
#
# Import certificate(s):
#
#qvm-run --pass-io $DISPOSABLE_PRINT_TEMPLATE 'sudo update-ca-certificates'

# Start the system-config-printer application with root permissions in disposable template:

qvm-run --pass-io $DISPOSABLE_PRINT_TEMPLATE 'sudo system-config-printer'

# Follow the instructions below to manually configure your printer(s):
#
# Click the "Add" button in the system-config-printer toolbar to begin adding your printer.
#
# For IPPS encrypted printing, input the following into the text field titled "Enter device URI":
#
# ipps://<PRINTER_IP_ADDRESS>:443/ipp
#
# For standard IPP unencrypted printing:
#
# ipp://<PRINTER_IP_ADDRESS>:631/ipp
#
# Click the "Forward" button on the bottom right of the window in order to proceed.
#
# Select the proper drivers for your printer and click the "Forward" button.
#
# Verify that the proper drivers have been selected and click the "Forward" button again.
#
# For IPPS encrypted printing, edit the top text field to match exactly the expected short name of your printer.
#
# For standard IPP unencrypted printing, this is unnecessary.
#
# Optionally edit the Description and Location text fields to your preference and click "Apply" on the bottom right of the window in order to finish adding the printer.
#
# When a window appears with a prompt asking "Would you like to print a test page?" click "Cancel".
#
# Double-click the new printer item in the system-config-printer application or right-click (secondary-click) the item and select Properties, in order to verify that the information has been correctly applied.
#
# Click "OK" or "Cancel" to close the Properties window.
#
# Add any additional printers using the instructions outlined above.
#
# Finally, close the system-config-printer application window.

# Set Eye Of Gnome (eog) as the default application to open all file types that are supported:

qvm-run --pass-io $DISPOSABLE_PRINT_TEMPLATE 'echo -e "[Default Applications]\nimage/ani=org.gnome.eog.desktop" > /home/user/.config/mimeapps.list'

qvm-run --pass-io $DISPOSABLE_PRINT_TEMPLATE 'echo -e "\n[Default Applications]\nimage/avif=org.gnome.eog.desktop" >> /home/user/.config/mimeapps.list'

qvm-run --pass-io $DISPOSABLE_PRINT_TEMPLATE 'echo -e "\n[Default Applications]\nimage/bmp=org.gnome.eog.desktop" >> /home/user/.config/mimeapps.list'

qvm-run --pass-io $DISPOSABLE_PRINT_TEMPLATE 'echo -e "\n[Default Applications]\nimage/gif=org.gnome.eog.desktop" >> /home/user/.config/mimeapps.list'

qvm-run --pass-io $DISPOSABLE_PRINT_TEMPLATE 'echo -e "\n[Default Applications]\nimage/ico=org.gnome.eog.desktop" >> /home/user/.config/mimeapps.list'

qvm-run --pass-io $DISPOSABLE_PRINT_TEMPLATE 'echo -e "\n[Default Applications]\nimage/jpeg=org.gnome.eog.desktop" >> /home/user/.config/mimeapps.list'

qvm-run --pass-io $DISPOSABLE_PRINT_TEMPLATE 'echo -e "\n[Default Applications]\nimage/pcx=org.gnome.eog.desktop" >> /home/user/.config/mimeapps.list'

qvm-run --pass-io $DISPOSABLE_PRINT_TEMPLATE 'echo -e "\n[Default Applications]\nimage/png=org.gnome.eog.desktop" >> /home/user/.config/mimeapps.list'

qvm-run --pass-io $DISPOSABLE_PRINT_TEMPLATE 'echo -e "\n[Default Applications]\nimage/pnm=org.gnome.eog.desktop" >> /home/user/.config/mimeapps.list'

qvm-run --pass-io $DISPOSABLE_PRINT_TEMPLATE 'echo -e "\n[Default Applications]\nimage/ras=org.gnome.eog.desktop" >> /home/user/.config/mimeapps.list'

qvm-run --pass-io $DISPOSABLE_PRINT_TEMPLATE 'echo -e "\n[Default Applications]\nimage/svg=org.gnome.eog.desktop" >> /home/user/.config/mimeapps.list'

qvm-run --pass-io $DISPOSABLE_PRINT_TEMPLATE 'echo -e "\n[Default Applications]\nimage/tga=org.gnome.eog.desktop" >> /home/user/.config/mimeapps.list'

qvm-run --pass-io $DISPOSABLE_PRINT_TEMPLATE 'echo -e "\n[Default Applications]\nimage/tiff=org.gnome.eog.desktop" >> /home/user/.config/mimeapps.list'

qvm-run --pass-io $DISPOSABLE_PRINT_TEMPLATE 'echo -e "\n[Default Applications]\nimage/wbmp=org.gnome.eog.desktop" >> /home/user/.config/mimeapps.list'

qvm-run --pass-io $DISPOSABLE_PRINT_TEMPLATE 'echo -e "\n[Default Applications]\nimage/webp=org.gnome.eog.desktop" >> /home/user/.config/mimeapps.list'

qvm-run --pass-io $DISPOSABLE_PRINT_TEMPLATE 'echo -e "\n[Default Applications]\nimage/xbm=org.gnome.eog.desktop" >> /home/user/.config/mimeapps.list'

qvm-run --pass-io $DISPOSABLE_PRINT_TEMPLATE 'echo -e "\n[Default Applications]\nimage/xpm=org.gnome.eog.desktop" >> /home/user/.config/mimeapps.list'

# Create /rw/config/qubes-bind-dirs.d/ directory:

qvm-run --pass-io $DISPOSABLE_PRINT_TEMPLATE 'sudo mkdir -p /rw/config/qubes-bind-dirs.d'

# Make /rw/bind-dirs/ sub-directory for /etc/cups/ directory:

qvm-run --pass-io $DISPOSABLE_PRINT_TEMPLATE 'sudo mkdir -p /rw/bind-dirs/etc/cups/'

# Copy entire contents of /etc/cups/ directory into the corresponding /rw/bind-dirs/etc/cups/ directory:

qvm-run --pass-io $DISPOSABLE_PRINT_TEMPLATE 'sudo cp -r /etc/cups/* /rw/bind-dirs/etc/cups/'

# Create 50_user.conf file in /rw/config/qubes-bind-dirs.d/ directory and add the appropriate information for /etc/cups/ directory:

qvm-run -u root --pass-io $DISPOSABLE_PRINT_TEMPLATE "sudo echo -e binds+=\( \'/etc/cups/\' \) > /rw/config/qubes-bind-dirs.d/50_user.conf"

# If you have installed one or more certificates in order to use IPPS encrypted printing, uncomment the commands below.
#
# Make /rw/bind-dirs/ sub-directory for /etc/ssl/certs/ directory:
#
#qvm-run --pass-io $DISPOSABLE_PRINT_TEMPLATE 'sudo mkdir -p /rw/bind-dirs/etc/ssl/certs/'
#
# Make /rw/bind-dirs/ sub-directory for /usr/local/share/ca-certificates/ directory:
#
#qvm-run --pass-io $DISPOSABLE_PRINT_TEMPLATE 'sudo mkdir -p /rw/bind-dirs/usr/local/share/ca-certificates/'
#
# Copy your certificate(s) from /etc/ssl/certs/ directory into the corresponding /rw/bind-dirs/etc/ssl/certs/ directory (copy and edit this command for additional certificates):
#
#qvm-run --pass-io $DISPOSABLE_PRINT_TEMPLATE 'sudo cp -r /etc/ssl/certs/<YOUR_CERTIFICATE.pem> /rw/bind-dirs/etc/ssl/certs/'
#
# Copy your certificate(s) from /usr/local/share/ca-certificates/ directory into the corresponding /rw/bind-dirs/usr/local/share/ca-certificates/ directory (copy and edit this command for additional certificates):
#
#qvm-run --pass-io $DISPOSABLE_PRINT_TEMPLATE 'sudo cp -r /usr/local/share/ca-certificates/<YOUR_CERTIFICATE.crt> /rw/bind-dirs/usr/local/share/ca-certificates/'
#
# Edit 50_user.conf file in /rw/config/qubes-bind-dirs.d/ directory to add the appropriate information for your certificate(s) located in /etc/ssl/certs/ (copy and edit this command for additional certificates):
#
#qvm-run -u root --pass-io $DISPOSABLE_PRINT_TEMPLATE "sudo echo -e binds+=\( \'/etc/ssl/certs/<YOUR_CERTIFICATE.pem>\' \) >> /rw/config/qubes-bind-dirs.d/50_user.conf"
#
# Edit 50_user.conf file in /rw/config/qubes-bind-dirs.d/ directory to add the appropriate information for your certificate(s) located in /usr/local/share/ca-certificates/ (copy and edit this command for additional certificates):
#
#qvm-run -u root --pass-io $DISPOSABLE_PRINT_TEMPLATE "sudo echo -e binds+=\( \'/usr/local/share/ca-certificates/<YOUR_CERTIFICATE.crt>\' \) >> /rw/config/qubes-bind-dirs.d/50_user.conf"

# If your printer has scanning functionality that must be activated, uncomment and edit the command below so that the necessary command(s) for your printer/scanner are executed when a disposable print qube starts.
#
# Edit /rw/config/rc.local file to add scanner activation command (example for Brother printer/scanner devices):
#
#qvm-run -u root --pass-io $DISPOSABLE_PRINT_TEMPLATE "sudo echo -e 'sudo brsaneconfig5 -a name=<PRINTER_MODEL_NAME> model=<PRINTER_MODEL_NAME> ip=<PRINTER_IP_ADDRESS>' >> /rw/config/rc.local"

# Shutdown the disposable template:

qvm-shutdown --wait $DISPOSABLE_PRINT_TEMPLATE

# If you would like the "View In DisposableVM" feature to open the selected file in a disposable print qube, uncomment the command below. This makes printing quicker and more convenient. Simply right-click (secondary-click) any file in any qube, select the "View In DisposableVM" option, and then print the file using either a keyboard command (Ctrl+P) or other option in the program displaying the file. This feature will not work for any qubes that you have manually configured to use a different disposable qube than the system default.
#
# Set the disposable template as default disposable template:

#qubes-prefs default_dispvm $DISPOSABLE_PRINT_TEMPLATE

# Create a named disposable service qube based on the disposable template:

qvm-create --class DispVM --template $DISPOSABLE_PRINT_TEMPLATE --prop autostart=false --prop audiovm="" --prop netvm=$NETWORK_QUBE --prop maxmem=0 --prop memory=400 --label gray $DISPOSABLE_PRINT_QUBE

# Disable the appmenus-dispvm feature for the named disposable qube

qvm-features $DISPOSABLE_PRINT_QUBE appmenus-dispvm ''

# If you have the Qubes App Menu (qubes-app-menu) installed and would like to add the Document Scanner application to the favorites tab, uncomment the command below:

#qvm-features $DISPOSABLE_PRINT_QUBE menu-favorites simple-scan

After creating the qubes:

After executing the scripts, I then added a Launcher item into the Panel to open the Document Scanner application (simple-scan) in the named disposable sys-print qube with the Launcher item set to execute this command:

qvm-run -q -a --service -- sys-print qubes.StartApp+simple-scan

I also added a Launcher item to start the sys-print qube:

qvm-start --quiet sys-print

Even though the Qui-domains widget in the Panel has options to open a file manager, run a terminal command, and shut down qubes, I prefer having a set of Launcher items for my named disposable sys-* qubes.

Launcher item to shut down the sys-print qube:

qvm-shutdown --wait sys-print

Launcher item to open the file manager application (Nautilus) in the sys-print qube:

qvm-run -q -a --service -- sys-print qubes.StartApp+org.gnome.Nautilus

Launcher item to open the terminal application (XTerm) in the sys-print qube:

qvm-run -q -a --service -- sys-print qubes.StartApp+debian-xterm

Conclusion:

With all of this accomplished, I can now do the following:

  • Right-click (secondary-click) a file in any qube, select the “View In DisposableVM” option to open the file in a disposable print qube, and then print the file using Ctrl+P.

  • Click the Document Scanner Launcher item in the Panel, scan documents in the named disposable sys-print qube and then close the Document Scanner without having the qube automatically shut down and deleted. Open the file manager by using the Launcher item in the Panel or by using the Qui-domains widget, and then transfer the files to another qube. When transferring files from the named disposable sys-print qube to another qube, they will always appear in the /home/user/QubesIncoming/sys-print/ directory.

  • Click the Document Scanner item in the Qubes App Menu, scan documents in the disposable qube, open the file manager using the Qui-domains widget in the Panel, transfer the files to another qube, and then close the Document Scanner so that the disposable qube is automatically shut down and deleted. The transferred files will appear in a subdirectory of /home/user/QubesIncoming/ with the randomly generated name of the disposable qube.

  • Add printer(s) for temporary use in the named disposable sys-print qube by doing the following:

    1. Edit qvm-firewall rules for the sys-print qube if on a different subnet (example: public library) by executing the following commands in the dom0 terminal:
      • qvm-firewall sys-print del --rule 1

      • qvm-firewall sys-print add accept <SUBNET>

      • qvm-firewall sys-print add drop

    2. Download any needed drivers for the new printer(s) using an internet-connected qube.
    3. Copy the drivers to the sys-print qube and install them.
    4. Open the terminal application (XTerm) in the sys-print qube by using the Launcher item in the Panel or by using the Qui-domains widget.
    5. Execute this command in the sys-print terminal:
      • sudo system-config-printer

    6. Add new printer(s).
    7. When done printing/scanning, shut down the sys-print qube.
    8. If you added a firewall rule and would like to remove it, execute this command in the dom0 terminal:
      • qvm-firewall sys-print del --rule 1

I think that I have finally finished editing this post to make corrections. If you notice a mistake or have a suggestion for a better way of doing something in this guide, please reply to this post with your correction/suggestion.

Final Edit: I replaced the qvm-copy commands with cat commands in order to remove the need for user action.

Actual Final Edit: At the end of the second script, I added an optional command which adds an item to the Qubes App Menu to start the Document Scanner in the named disposable sys-print qube.

6 Likes
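
A check for the firewall restriction set up in the second script and edited again in the temporary-printer steps, as an added example that is not part of the original post: it reads a rule listing and fails unless every accept rule names an expected subnet and a catch-all drop closes the list. The table layout of `qvm-firewall <qube> list` and the subnet 192.168.50.0/24 are assumptions, and the sample listings are constructed.

```shell
#!/bin/bash
# Added example, not from the original guide. Audits a firewall rule listing on stdin.
# Assumed input: the table printed by `qvm-firewall <qube> list`
# (columns NO, ACTION, HOST, PROTOCOL, ...; "-" means "any").
# Use in dom0: qvm-firewall sys-print list | audit_rules 10.0.0.0/24

audit_rules() {
    # Arguments: every destination an accept rule is allowed to name.
    awk -v allowed=" $* " '
        $1 !~ /^[0-9]+$/ { next }    # skip the header and blank lines
        {
            no = $1; action = $2; host = $3; proto = $4
            if (closed) {
                print "rule " no ": never reached, it follows the catch-all drop"
                bad = 1
            }
            if (action == "accept" && index(allowed, " " host " ") == 0) {
                print "rule " no ": accepts unexpected destination " host
                bad = 1
            }
            if (action == "drop" && host == "-" && proto == "-") closed = 1
        }
        END {
            if (!closed) { print "no catch-all drop rule at the end"; bad = 1 }
            exit bad + 0
        }'
}

# Constructed sample listings (not captured from a real system).
HEADER='NO  ACTION  HOST  PROTOCOL  PORT(S)  SPECIAL TARGET  ICMP TYPE  EXPIRE  COMMENT'
# Rules as the guide leaves them: one subnet, then drop.
RULES_GUIDE="$HEADER
0   accept  10.0.0.0/24      -  -  -  -  -  -
1   drop    -                -  -  -  -  -  -"
# Temporary subnet added, but the closing drop was never re-added.
RULES_NO_DROP="$HEADER
0   accept  10.0.0.0/24      -  -  -  -  -  -
1   accept  192.168.50.0/24  -  -  -  -  -  -"
# Temporary subnet appended without deleting the drop first.
RULES_MISORDERED="$HEADER
0   accept  10.0.0.0/24      -  -  -  -  -  -
1   drop    -                -  -  -  -  -  -
2   accept  192.168.50.0/24  -  -  -  -  -  -"

report() {    # $1 = label, $2 = rule listing
    echo "== $1"
    if printf '%s\n' "$2" | audit_rules 10.0.0.0/24; then echo "ok"; fi
}
report "as configured by the guide" "$RULES_GUIDE"
report "drop not re-added" "$RULES_NO_DROP"
report "accept added after drop" "$RULES_MISORDERED"
```

Pass every subnet you currently expect as a separate argument, for example both the home subnet and the temporary one while a borrowed printer is in use.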