Kuhbs - a tool designed to make automating the setup of Qubes OS easy

To quote unman from his website qubes.3isec.org/tasks.html: “There’s a long standing issue that Qubes users face: installing software and setting up new
qubes. New users in particular find this difficult to deal with.”

I created a tool called kuhbs to address the issue of “comfortably automating the setup of Qubes OS workstations”.

Here is a short demo video of it “installing / managing firefox”: https://www.youtube.com/watch?v=f5hPA3cLa_8 (just updated the vid)

and a small funny website: https://kuhbs.com inluding the documentation: kuhbs documentation

and of course the source: GitHub - Blunix-GmbH/kuhbs-for-qubes: kuhbs, a auto provisioning and management script for Qubes OS

Please take the current state of the tool as “public beta”. Currently I need someone who is willing to try it out.

Any questions and feedback are highly appreciated! To anyone who wants to try it and might need live support for installation and use, I’ve created a channel in matrix: @kuhbs:matrix.org

4 Likes

i tried to read it and didn’t understand it which means i am probably the sort of user this is intended for

is there video not on YouTube? i don’t trust their javascripts and even with whonix they try to do so many strange tracking things, i don’t trust them

if this is a tool to use pre-made scripts to do things (like do what is in community guide) that is very good

one thing i don’t like about in firefox is it’s in all the templates and if click the wrong thing it tries to open firefox which by default has ad partners and telemetry and may be logging things about me

i wish there were a script to always remove firefox from every template and replace it with librewolf or just refuse to open http links.

there was also discussion about all the programs in templates and how it would be nice if there was way to automate just saving a list of that. if this program can do that, it’s good.

for beta testing, do you move directory into dom0 and just run /default.sh?

there’s no hash to check before moving it into dom0, reading all the code and confirming it’s not modified is hard

i don’t like matrix, they don’t protect users enough in some ways

i tried to install sys-audio myself and it didn’t work. it would be nice if there had been .sh script for that

i would like if qubes had more screen savers.

Sometimes I am creating a public key or private key in a VM. I wish I could store those all in a different way so I’d be less likely to lose them. They aren’t things that are good to lose. There’s a split something in Qubes but I don’t know if it’s for this or how to use it.

i am not sure if this is what this does.

One day I was tired of Windows and so I typed into Yandex “what is best linux operating system”? and the answer was Qubes so that’s what I download and installed

Does this pull scripts from github? Are they imported every time? Does always run in the background like a service? Are there any risks in using it and would it increase surface for attack?

I would like script so I can use other VMs inside VMs

I would like script to create fake drive of 1 GB to transfer files to and from StandAlone VMs since not sure how to get files in and out by adding Xen drivers… probably impossible

i tried to read it and didn’t understand it which means i am probably the sort of user this is intended for

yes, exactly :wink: did you read the forum post or the website / documentation? what wasn’t clear enough? I’m eager to make it everything end user friendly.

is there video not on YouTube? i don’t trust their javascripts and even with whonix they try to do so many strange tracking things, i don’t trust them

Thats the spirit. I’m about to create a new one the next days, I’ll add a download link here.

if this is a tool to use pre-made scripts to do things (like do what is in community guide) that is very good

In the end I want you (the enduser) to be able to:

  • read the website / documentation / watch a video for like 15 minutes
  • then be able to create your own kuhb where you setup a simple config.sh file and then just copy paste the install instructions of your favorite tool into a script and then say kuhbs create myapp
  • install pre-prepared kuhb’s (notice the >'<, one kuhb, two kuhb’s), for example to run firefox, or thunderbird, or split-whatever, or to “spawn” a chain of network VMs with wireguard, apt-cacher-ng, what not

kuhbs has additional features things like backups, upgrades, what not.

one thing i don’t like about in firefox is it’s in all the templates and if click the wrong thing it tries to open firefox which by default has ad partners and telemetry and may be logging things about me

I’d recommend librewolf. If I find people to help me test / work on kuhbs, that would be a kuhbs install librewolf :wink:

i wish there were a script to always remove firefox from every template and replace it with librewolf or just refuse to open http links.

If you can do that modification on the command line / in bash, you can build a kuhb for it and publish it :wink:

there was also discussion about all the programs in templates and how it would be nice if there was way to automate just saving a list of that. if this program can do that, it’s good.
for beta testing, do you move directory into dom0 and just run /default.sh?

defaults.sh is the main config file: kuhbs Arguments and Commands

The documentation starts with “what is kuhbs” before the installation instructions. I’d recommend to try and read it - if its not clear pls let me know, I’ll see to optimize it. The ideal way to “start” would be just to go to kuhbs.com and “follow the flow” - and ofc report if its not clear.

there’s no hash to check before moving it into dom0, reading all the code and confirming it’s not modified is hard

I think a git clone from github is secure enough for now. I say “read the code” because reading the code is somewhat of a feature of kuhbs. I tried to fill the code with a fair amount of comments so its more easy to read even if you are not into coding.

i don’t like matrix, they don’t protect users enough in some ways

The forum is a very welcome place too. If you pm me I can offer signal as well.

i tried to install sys-audio myself and it didn’t work. it would be nice if there had been .sh script for that

Thats a good usecase for a kuhb.

i would like if qubes had more screen savers.

Thats a good usecase for a tutorial :wink:

Sometimes I am creating a public key or private key in a VM. I wish I could store those all in a different way so I’d be less likely to lose them. They aren’t things that are good to lose. There’s a split something in Qubes but I don’t know if it’s for this or how to use it.
i am not sure if this is what this does.

Well kuhbs is not only a “install tool” script, but more of a “setup my qubes from scratch” tool. If a kuhb has backups present, they are automatically restored during kuhbs create mykuhb.
Split ssh is a VM that stores the (you mean ssh? wireguard? gpg?) private key and if a VM wants access to it, you have to confirm that in dom0 (like when you copy a file to another VM). That has nothing to do with backups or “loosing” the key.

Does this pull scripts from github? Are they imported every time?

You download only the code in the kuhbs repo itself. The code runs in dom0, which has no internet access, and hence it does not download anything.

I want to implement a feature to install kuhb’s other people created, something like: kuhbs install github.com/foobar/my-fancy-kuhb.git
But thats not usable yet.

Does always run in the background like a service?

No, it does not create any systemd services in dom0, its just a BASH script.

Are there any risks in using it and would it increase surface for attack?

So far I am the only one who has read the code. Somebody else should read it, thats why the git repo says in large letters NOT FOR PRODUCTION at the moment.

I would say using kuhbs decreases the risk for the user. It is a better approach for experienced qubes users to define how an application is run on Qubes than it is to try to teach endusers how to do that. Everything kuhbs does can be done in Saltstack, but configuring that is much more complex. Kuhbs aims to be easy to understand.

I have tried it, At this time, the Kuhbs available are for Replacement of Networking.

I believe part of the stated goal is to allow more ordinary users to create Kuhbs to accomplish specific tasks. As installing third party software inside specific qubes is, for those without a bunch of Linux experience is a big issue, Kuhbs is supposed to be a potential solution. Or someone correct me if I am wrong as to what I thought was a major goal of Kuhbs. Just, I can not comment on the security issues of Networking in Kuhbs, what is better, of if there is another security issue. I do not have any real expertise with Networking…

the Kuhbs available are for Replacement of Networking

I think what you are looking for are the kuhb’s in kuhbs-git-repo/kuhbs-examples/. Right now there should be one called signal for the signal-desktop client.
The doc is reasonably descriptive about the structure of the kuhb’s directory: kuhbs Arguments and Commands

the so called “kuhbs kuhb’s” are for the networking and usb qvm-pci devices, yes I assume there will be more over time.
Those are intended to be “maintained by kuhbs itself” and provide a reasonably secure network with:

  • vpn (wireguard right now)
  • dnscrypt-proxy
  • apt-cacher-ng
  • qvm-firewall VM + logging of dropped packages
  • and so on and so forth… got some plans for this :wink:

the directory kuhbs-git-repo/kuhbs/ should be “populated” by the user in the end, either by reading the doc and creating own kuhb’s or downloading kuhb directories as git repos from other people - I thought about something like kuhbs install github.com/foobar/fancy-kuhb.git or similar.
For example I have an element and a signal kuhb that I can publish but I also have kuhb’s which are totally customized and of no use to anyone else.

I don’t have time to read the code. I think it’s unlikely a bad actor would create a github repository just to exploit me

but there are malicious tor exit nodes

and bad actors who control malicious tor exit nodes

and I don’t entirely trust the https for github

I did not see where the forum was. i would want to compare an SHA-512 or SHA-256 hash before moving something into dom0

compare with what?

I’m happy to create you an archive, like a tar.gz or something, as a release file - but if you can modify a git clone github.com/foo/bar.git then you can modify a wget kuhbs.tar.gz.

I think the installation instructions here kuhbs Arguments and Commands (just noticed the html tilte is wrong, will fix) are reasonably secure. Plus git does the checksum-ing for you: https://guides.codepath.com/websecurity/Checksums#checksums-in-git

I would like to suggest a standard qube to be included to be able install an IP based network printer directly at setup, any USB based printer will most likely be installed through sys-usb anyhow.
regards, hitam

I would like something posted on site that I can reload through multiple Tor exit nodes (to make sure no change in hash value) before moving into dom0. I am probably being paranoid and its not necessary

If you had some scripts that copied community guides ie installing a VPN that would make people more interested. Unman already does some of these things in his tool but if this lets users add their own scripts and then there can be lots of implementations of community guides that are automatic people would really find this useful.

To increase user interest it would be good have some scripts that people want. Are you willing to try to convert some of the community guides to scripts? I am not sure how I would even test this now if there’s only a script to replace networking.

This is an example of something I wish were automated:

I could probably find out how to do it but it would take me 2-4 hours to understand how.

I’m afraid I don’t have access to a printer - give me a month or so to find time for kuhbs again - my idea is to do something like:

kuhbs install https://github.com/foobar/fancy-kuhb.git

this way you can just create one - you will pretty much only need to know all the bash commands to set this up in a template.

kuhbs will not be able to take that out of your hands (unless somebody else already created a kuhb for it) - if you find out how it works, put it into a simple bash script, that’ll be all you need to use it in kuhbs.