Clearly this doesn’t work on a TemplateVM with no NetVM. I’ve tried cloning my fedora-33 and allowing network access and obviously the script works, but then Joplin doesn’t appear under the Applications list in the TemplateVM Qube Settings.
If I go to github, there is an AppImage listed. If I download this in the cloned TemplateVM and then add it to /usr/share/applications, Joplin appears in the Applications list in the TemplateVM Qube Settings.
However, no “joplin.conf” type file is located in ~/.config/, and there should be one there. I think this is because of the way I have added the AppImage.
Does Qubes provide a way to get AppImages correctly installed? Or would there be a way to use the first script and have it appear in my Applications list?
I don’t really have much time right now but I think I have an idea on why it is not working for you.
If you look at the shell script (which you should always do before running anything in your VMs!) you can see that it installs the AppImage as well and stores the relevant desktop file in ~/. local/share/applications.
This is a major difference to your approach, in which you manually stored your file in /usr/share/applications.
I don’t really have much experience with adding .desktop files in TemplateVMs but I suggest you could see Managing AppVm Shortcuts | Qubes OS for more details.
The easiest solution probably is to copy the .desktop file to /usr/share/applications after you set everything up.
This is really one of those situations in which I would recommend creating a fedora-33-based StandaloneVM instead. It’s super easy to create a standalone. All you have to do it open “Create Qubes VM” from the menu and then on the type select `Standalone qube copied from a template". With that you will be able to install AppImages just like on any regular system.
The difference is that this VM is fully persistent. That means it will not have the security property of templates:
Security: Each qube has read-only access to the TemplateVM on which it’s based, so if a qube is compromised, it cannot infect its TemplateVM or any of the other qubes based on that TemplateVM.
But given the risks of installing it through a random bash script off the internet, I’d say it is justified as long as you limit your usage of this qube to the use of that one application.
edit: as noted bellow StandaloneVMs consume more system resources, namely:
storage - since they don’t share storage with the template nd (2)
time - each time you run the qubes updater widget this qube has to be updated independently
Wget in a template?
Remember that there is a proxy in templates, which you use to perform
updates.
You can have wget use that same proxy by creating a file, ~/.wgetrc:
use_proxy = on
http_proxy = 127.0.0.1:8082
https_proxy = 127.0.0.1:8082
Then your wget commands will work fine.
You can use that proxy to get all sorts of stuff in to a template
including PGP keys.
Running bash scripts in templates.
I would never simply pipe a downloaded script to bash.
Download it, inspect it, and then run it once you know what it will do.
So: wget https://raw.githubusercontent.com/laurent22/joplin/dev/Joplin_install_and_update.sh
and then: bash Joplin_install_and_update.sh
getting stuff from ~ in a template to an AppVM? /home/user/ in a template is not copied in to AppVMs - in this case,
the install is to /.home/user/.joplin in the template.
You need to copy that to /etc/skel in the template.
Now AppVMs created using that template will pick up .joplin in
/home/user
How to add items to the Application list?
There’s a page for that in the docs - https://qubes-os.org/doc/managing-appvm-shortcuts/
I would probably add a menu item for the qube you are using it in,
rather than the template, but your use may differ.
I ended up making a standalone VM for Joplin-- least effort and no worrying about whether a .conf somewhere will be persistent or not (although this does take up more system resources).
I created the ~/.wgetrc file as instructed to download oh-my-zsh in the whonix-ws-15 template, after first reading through install.sh: sh -c "$(wget -O- https://raw.githubusercontent.com/ohmyzsh/ohmyzsh/master/tools/install.sh)"
I get the error: wget: Unknown command ‘user_proxy’ in /home/user/.wgetrc at line 1.
When I wget the script in another VM and run it in the template with bash install.sh I get this network error: fatal: unable to access 'https://github.com/ohmyzsh/ohmyzsh.git/': Could not resolve host: github.com Error: git clone of oh-my-zsh repo failed
Why is the .wgetrc file not working to access the proxy? Any tips to allow the git clone in the script to also work?
Does it add any security to comment-out the lines in both .gitconfig and .wgetrc, and only temporarily uncomment for specific commands?
A related question about /etc/skel ; the install.sh for oh-my-zsh creates ~/.oh-my-zsh/ (the git clone) and .zshrc. I could manually copy both to /etc/skel but after every update I would need to do the same thing. Is there a more elegant solution? Would it work to symlink both, i.e. /etc/skel/.zshrc to ~/.zshrc ?
If a symlink would work, whenever oh-my-zsh has an update I can do it in the template, and not mess up the git clone directory by copying it to /etc/skel/
Does it add any security to comment-out the lines in both .gitconfig and .wgetrc, and only temporarily uncomment for specific commands?
Probably not, but you might feel safer.
Any attacker who identifies Qubes and can access a template will know
they can use the proxy.
A related question about /etc/skel ; the install.sh for oh-my-zsh creates ~/.oh-my-zsh/ (the git clone) and .zshrc. I could manually copy both to /etc/skel but after every update I would need to do the same thing. Is there a more elegant solution? Would it work to symlink both, i.e. /etc/skel/.zshrc to ~/.zshrc ?
If a symlink would work, whenever oh-my-zsh has an update I can do it in the template, and not mess up the git clone directory by copying it to /etc/skel/
I doubt a symlink will work because it will be broken in the AppVM, but
you could try.
Since the installer is a script, I’d be amazed if you didn’t have the
option to install where you want. And, yes you do - look at the script
and you’ll see you can call it with ZSH=/etc/skel/.zsh sh install.sh
ZSH is an environment variable with path to the repository folder.
You’d have to deal with .zshrc yourself.
For anyone trying to do the same, I needed to run sudo ZSH=/etc/skel/.zsh sh install.sh to have permission to create a file in /etc/skel. Also I needed to set a global git configuration for the proxy, i.e./etc/gitconfig.
Is creating a new Qube the only way for /etc/skel/ to be applied ? Namely, there is no way for a change of /etc/skel in the template to impact a previously created Qube?
