Mini-templates Required Packages (Wiki)

Just a quick note that you could instead download the key in a disposable, then copy/paste it into the template, so curl does not have to be installed in the template itself.

2 Likes

In my current automated script I install curl / wget, download the apt key, and remove curl / wget afterwards.

As I understood @adw, it was about giving an idea to new users, not to argue your choice.

And if someone would ask me to be as picky as possible, once assured about the authenticity of the content of the key whenever that’s possible (in an online qube, of course), after that I’d copy the content to a new file in an offline qube over qrexec, saving it as a key, and then would copy the key from there to a template in order to import it.
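The authenticity check mentioned in the post above, sketched as an added example (not part of the original posts or of any Qubes script): the key file that was copied into the template is imported only if its primary-key fingerprint equals one obtained through a separate channel. The function names and the sample listing are constructed for illustration, and it assumes gpg is installed where `import_key` runs and that the key is a v4 key with a 40-digit fingerprint.

```bash
#!/bin/bash
# Added example: accept a copied-in apt key only if its fingerprint matches.
# Assumes gpg is installed where import_key runs; all names are hypothetical.

# Strip whitespace and upper-case the hex digits of a fingerprint.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'
}

# Primary-key fingerprint from `gpg --with-colons` output on stdin:
# the first "fpr" record follows the "pub" record; field 10 is the value.
primary_fpr() {
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# Number of primary keys ("pub" records) in the listing on stdin.
pub_count() {
    awk -F: '$1 == "pub" { n++ } END { print n + 0 }'
}

# check_listing EXPECTED_FPR < listing   (v4 keys: 40 hex digits)
# 0 = match, 1 = mismatch, 2 = bad expected value, 3 = not exactly one key.
check_listing() {
    cl_listing=$(cat)
    cl_want=$(normalize_fpr "$1")
    case "$cl_want" in *[!0-9A-F]*) return 2 ;; esac
    [ "${#cl_want}" -eq 40 ] || return 2
    [ "$(printf '%s\n' "$cl_listing" | pub_count)" -eq 1 ] || return 3
    cl_got=$(printf '%s\n' "$cl_listing" | primary_fpr)
    [ "$cl_got" = "$cl_want" ] || return 1
}

# import_key KEYFILE EXPECTED_FPR DEST: verify first, then write a binary keyring.
import_key() {
    gpg --show-keys --with-colons --with-fingerprint "$1" | check_listing "$2" || return
    gpg --dearmor < "$1" > "$3"
}

# Constructed sample of colon-format output (not a real key).
SAMPLE_LISTING='pub:-:4096:1:89ABCDEF01234567:1600000000:::-:::scSC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::1600000000::::Example Repo <repo@example.invalid>::::::::::0:
sub:-:4096:1:76543210FEDCBA98:1600000000::::::e::::::23:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:'
```

A subkey fingerprint or a file holding more than one key is rejected, so a key file padded with an extra key does not pass the check.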

I do not know where you have read that I argue against adw’s suggestion. I appreciated his contribution already with a :heart:.

Creating a dedicated displ. curl / wget AppVM for apt-key downloads could also be a solution, but it is too early to discuss this here in detail.

First, I would like to fill the table with examples. Afterwards we can fine-tune and discuss some improvements and options to get things done… more efficiently or more securely.

1 Like

Well, I could answer the same way: I do not know where you have read that I wrote that you argued against adw’s suggestion. But I won’t.
Thanks for the rest of your post.

I guess I found a structure that works. The hidden summary allows collapsing for better search and browsing, and the details will only be shown when you click on the arrow.

Any missing attributes?

Hey I liked how you utilized those! Keeps it tidy but also extensible in its content.

1 Like

@adw Who can modify the wiki? Only me and the mods?
Can we open it to other minimal template users to keep it vital (add new programs, improve, correct, verify …)?

I’m not certain. @deeplow?

Nope. Everybody with trust level 1, I think. See more here.

@tanky0u do you have the minimal configuration for a Monero wallet? If yes, please share / add to the wiki. Thank you.

Hmm… Not yet. But that would be a good addition to the wiki.

I did a quick test with:

qubes-core-agent-networking
qubes-core-agent-nautilus
nautilus
zenity

but this was not enough.

I found a lot about the wallet isolation but nothing on a minimal Debian setup.
Let me know when you have a working minimal template (maybe good to start with a non-isolated approach).

1 Like

Should --no-install-recommends be advised during installation of packages?

1 Like

Yes, only the main dependencies are installed, which is something you would like to do with minimal templates.

If you want to reduce (and customize) the terminal output you can add some additional commands and options. Currently, I am using this for my automated minimal template script:

# reduce terminal outputs
DEBIAN_FRONTEND=noninteractive \
  apt-get \
  -o Dpkg::Options::=--force-confold \
  -o Dpkg::Options::=--force-confdef \
  -y --allow-downgrades --allow-remove-essential --allow-change-held-packages


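# Install ${PROGRAM} in the template named by ${1}, without recommended packages.
# The colour variables (RED, GREEN, YELLOW, NC) are expected to be set by the caller.
qvm-apt-install () # (${PROGRAM} is local; ${1} is the template name)
{
	# Run apt as root inside the template; on failure report it and abort the script.
	qvm-run --no-gui --pass-io --quiet --user root "${1}" \
	"apt install --no-install-recommends ${PROGRAM} --yes < /dev/null > /dev/null" || \
	{ echo -e "[${RED}FAILED${NC}] installation of ${YELLOW}${PROGRAM}${NC}"; exit 1; }

	echo -e "[ ${GREEN}OK${NC} ] ${YELLOW}${PROGRAM}${NC} has been successfully installed"
}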

Thanks for the summary idea. I just shamelessly ripped it off for my post on split-veracrypt.

For debian-11-minimal, I followed this in order to install and enable sys-corridor

and in addition installed iptables in debian-11-minimal.

The NamedDisp sys-corridor created this way works: I can ping both IP addresses and names from it, but still no other qube can get online through it. sys-whonix’s connection to Tor is stuck at 5%.

Any hint appreciated.

@whoami
please add to KeePassXC (with Yubikey): you will need the xserver-xorg-input-libinput package if using a Yubikey static password.

BTW, I didn’t need to install any of the packages you have mentioned (policykit-1 and libblockdev-crypto2) for using Yubikey challenge response, but needed the xserver-xorg-input-libinput package for static password.

Hope this will help somebody who is using a Yubikey static password.

1 Like

Thanks for the feedback! I will update the notes (I cannot check / verify the static password packages on my side).

Interesting, I recreated the templateVM and tested the KeePassXC appVM with Challenge Response. My tests confirm the need for policykit-1 but no need for libblockdev-crypto2. Could you please double check on your installation?

Btw, do you have split-ssh with KeePassXC? If yes, I would appreciate some support to get this issue SSH client with KeePassXC based on a minimal Debian template fixed.