Mini-templates Required Packages (Wiki)

Continuing the discussion from Automate debian-minimal based template creation:

Betterbird

Qubes OS - minimal installation

Official installation instructions: Betterbird Downloads
Installation type: Linux Archive (*.tar.bz2)
Qubes OS release : 4.1
Debian release : 11
Required packages :

  • libxtst6 : unknown
  • libpci3 : unknown
  • libbotan-2-17 : unknown
  • libdbus-glib-1-2 : unknown
  • libevent-2.1-7 : unknown
  • libtspi1 : TPM hardware, key and hash management Package description
  • libgpgme11 : for GPG integration
  • bzip2 : unpacking download file

Comments : bzip2 can be removed afterwards since it is only required to unpack the installation bzip tar.

The archive has to be unpacked into /opt.

A desktop shortcut can be added in /usr/share/applications

Optionally, you may want to use split GPG for Betterbird.

Betterbird is a fine-tuned version of Mozilla Thunderbird. Here is a feature overview.

source: Qubes Community post by Sven.

KeePassXC (with Yubikey)

Qubes OS - minimal installation

Official installation instructions: apt install keepassxc
Installation type: included in debian standard
Qubes OS release : 4.1
Debian release : 11
Required packages :

  • policykit-1 : required for YubiKey Challenge-Response
  • libblockdev-crypto2 : required for YubiKey Challenge-Response
  • qubes-usb-proxy : to connect the USB qube (sys-usb, usb-hub etc.) to this AppVM

UI settings (not mandatory) to make KeePassXC look like the system theme

  • qt5-style-plugins
  • gtk2-engines-murrine
  • QT_QPA_PLATFORMTHEME=gtk2

Comments : It is not mandatory but highly recommended to install KeePassXC on a network-off AppVM (vault, secrets etc.). This AppVM is also mostly used for split-GPG and split-SSH. This setup has been tested with Yubikey; it should also work with other hardware token keys (Challenge-Response / hmac-sha1 method).

See also Documentation and FAQ - KeePassXC

LibreOffice

Qubes OS - minimal installation

Official installation instructions:
Installation type:
Qubes OS release : 4.1
Debian release : 11
Required packages :

  • xxx : yyy
  • xxx : yyy

Comments : …

Signal

Qubes OS - minimal installation

Official installation instructions: Signal - Download for Linux
Installation type: apt repository (requires gpg key)
Qubes OS release : 4.1
Debian release : 11
Required packages :

  • curl : required to download the gpg key for the apt repository

    Remark

    There are many ways to download the apt key.

    • You can use either wget or curl. Both do the download but have a different syntax. It is recommended to use the tool which is used in the official installation instructions.
    • If you are concerned about your security or if you want to keep the installation as small as possible you can, e.g., remove curl right after the gpg download, or skip the curl installation, do the gpg download in a different AppVM and afterwards move the gpg key to the template VM.
  • qubes-core-agent-networking : to allow internet access

  • qubes-core-agent-nautilus : graphical folder and file view and file operations

  • nautilus : graphical folder and file view and file operations

  • zenity : graphical user dialogs

  • gnome-keyring : gpg key management

  • policykit-1 : …

  • libblockdev-crypto2 : …

  • dunst : for desktop notifications

  • pulseaudio-qubes : to be able to make audio and video calls

    Remark

    If you just want to do texting you can skip the pulseaudio-qubes package.

Comments : …

Thunderbird

Qubes OS - minimal installation

Official installation instructions:
Installation type:
Qubes OS release : 4.1
Debian release : 11
Required packages :

  • xxx : yyy
  • xxx : yyy

Comments : …

Yubikey U2F

Qubes OS - minimal installation

Official installation instructions:
Installation type:
Qubes OS release : 4.1
Debian release : 11
Required packages :

  • xxx : yyy
  • xxx : yyy

Comments : …

Yubikey Manager

Qubes OS - minimal installation

Official installation instructions:
Installation type:
Qubes OS release : 4.1
Debian release : 11
Required packages :

  • xxx : yyy
  • xxx : yyy

Comments : …

4 Likes

@whoami feel free to edit that wiki. I’ve created a post and moved ownership to you.

2 Likes

Just a quick note that you could instead download the key in a disposable, then copy/paste it into the template, so curl does not have to be installed in the template itself.

2 Likes

In my current automated script I install curl / wget, download the apt key, and remove curl / wget afterwards.

As I understood @adw, it was about giving an idea to new users, not to argue your choice.

And if someone would ask me to be as picky as possible, once assured about the authenticity of the content of the key whenever that’s possible (in an online qube, of course), after that I’d copy the content to a new file in an offline qube over qrexec, saving it as a key, and then would copy the key from there to a template in order to import it.
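
The authenticity check mentioned in the posts above, written out as an added example that is not part of the thread: it runs in the qube that holds the downloaded key file, before the file is copied on towards the template. It assumes gpg is installed in that qube and that the expected fingerprint comes from an independent, trusted source; the function names and the fingerprint in the comment are made up for illustration.

```shell
#!/bin/bash
# Added example. Run in the qube holding the downloaded key, not in the template.
# Usage: ./check-key.sh repo-key.asc "0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567"
# (file name and fingerprint above are constructed placeholders)

# Normalise a fingerprint: remove whitespace, upper-case the hex digits.
norm_fpr() { printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'; }

# stdin: `gpg --with-colons` listing. Prints the fingerprint of every primary
# key (the fpr record that follows a pub record); subkey fingerprints are skipped.
primary_fprs() {
    awk -F: '$1 == "pub" { want = 1; next }
             $1 == "fpr" && want { print $10; want = 0 }'
}

# $1 = colon listing, $2 = expected fingerprint.
# Succeeds only if the listing holds exactly one primary key and it matches,
# so a file that bundles an extra, unexpected key is rejected as well.
listing_matches() {
    got="$(printf '%s\n' "$1" | primary_fprs)"
    [ "$(printf '%s\n' "$got" | grep -c .)" -eq 1 ] || return 1
    [ "$(norm_fpr "$got")" = "$(norm_fpr "$2")" ]
}

# $1 = key file, $2 = expected fingerprint. Only inspects the file; nothing is
# imported into any keyring.
verify_key_file() {
    listing="$(gpg --show-keys --with-colons "$1" 2>/dev/null)" || return 1
    listing_matches "$listing" "$2"
}

if [ "$#" -eq 2 ]; then
    verify_key_file "$1" "$2" || { echo "fingerprint mismatch: $1 not copied" >&2; exit 1; }
    qvm-copy "$1"   # dom0 asks which qube receives the file
fi
```
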

I do not know where you have read that I argue against adw’s suggestion. I appreciated his contribution already with a :heart:.

Creating a dedicated displ. curl / wget AppVM for apt-key downloads could also be a solution, but it is too early to discuss this here in detail.

First, I would like to fill the table with examples. Afterwards we can fine-tune and discuss some improvements and options to get things done… more efficiently or more securely.

1 Like

Well, I could answer the same way: I do not know where you have read that I wrote that you argued against adw’s suggestion. But I won’t.
Thanks for the rest of your post.

I guess, I found a structure that works. The hidden summary allows to collapse for better search and browsing and the details will only be shown when you click on the arrow.

Any missing attributes?

Hey I liked how you utilized those! Keeps it tidy but also extensible in its content.

1 Like

@adw Who can modify the wiki? Only me and the mods?
Can we open it to other minimal template users to keep it vital (add new programs, improve, correct, verify …)?

I’m not certain. @deeplow?

Nope. Everybody with trust level 1, I think. See more here.

@tanky0u do you have the minimal configuration for a Monero wallet? If yes, please share / add to the wiki. Thank you

Hmm… Not yet. But that would be a good addition to the wiki.

I did a quick test with:

qubes-core-agent-networking
qubes-core-agent-nautilus
nautilus
zenity

but this was not enough.

I found a lot about the wallet isolation but nothing on a minimal Debian setup.
Let me know when you have a working minimal template (maybe good to start with a non-isolated approach).

1 Like

Should --no-install-recommends be advised during installation of packages?

1 Like

Yes, only the main dependencies are installed, which is something you would like to do with minimal templates.

If you want to reduce (and customize) the terminal output you can add some additional commands and options. Currently, I am using this for my automated minimal template script:

# reduce terminal outputs
DEBIAN_FRONTEND=noninteractive \
  apt-get \
  -o Dpkg::Options::=--force-confold \
  -o Dpkg::Options::=--force-confdef \
  -y --allow-downgrades --allow-remove-essential --allow-change-held-packages


qvm-apt-install () # (${PROGRAM} is local; ${1} is the template name)
{
	# Run apt as root inside the template, without GUI and with apt's output discarded.
	# RED, GREEN, YELLOW and NC are colour variables assumed to be defined elsewhere in the script.
	qvm-run --no-gui --pass-io --quiet --user root "${1}" \
	"apt install --no-install-recommends ${PROGRAM} --yes < /dev/null > /dev/null" || \
	{ echo -e "[${RED}FAILED${NC}] installation of ${YELLOW}${PROGRAM}${NC}" && exit 1; }

	echo -e "[ ${GREEN}OK${NC} ] ${YELLOW}${PROGRAM}${NC} has been successfully installed"
}
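
To see what --no-install-recommends actually keeps out of a minimal template, the two installs can be simulated and compared before anything is changed. This is an added example, not part of the script quoted above; the function names are made up for illustration, and it is meant to be run inside the template (or a clone of it).

```shell
#!/bin/bash
# Added example: list the packages that would be installed only because of
# Recommends. `apt-get -s` is a simulation and does not modify the system.
# Usage inside the template: ./recommends-extra.sh <package>

# stdin: `apt-get -s install` output. Prints the unique package names taken
# from its "Inst" lines (the packages that would be installed).
inst_names() { awk '$1 == "Inst" { print $2 }' | LC_ALL=C sort -u; }

# $1 = simulation output with Recommends enabled (apt's default),
# $2 = simulation output with --no-install-recommends.
# Prints every package that appears only in the first set.
recommends_only() {
    { printf '%s\n' "$2" | inst_names | sed 's/^/- /'
      printf '%s\n' "$1" | inst_names | sed 's/^/+ /'; } |
    awk '$1 == "-" { base[$2] = 1; next } !($2 in base) { print $2 }'
}

# $1 = package name. Runs both simulations and prints the difference.
recommends_extra() (
    with="$(apt-get -s install "$1")" || exit 1
    without="$(apt-get -s install --no-install-recommends "$1")" || exit 1
    recommends_only "$with" "$without"
)

if [ "$#" -eq 1 ]; then
    recommends_extra "$1"
fi
```
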

Thanks for the summary idea. I just shamelessly ripped it off for my post on split-veracrypt.

For debian-11-minimal, I followed this in order to install and enable sys-corridor

and in addition installed iptables in debian-11-minimal.

Such created NamedDisp sys-corridor works: I can ping both IP addresses and names from it, but still no other qube can get online through it. sys-whonix’s connection to Tor is stuck at 5%.

Any hint appreciated.