Qubes Salt Beginner's Guide

I know that yesterday after installing 4.2, I was able to create the user_pillar, user_salt and user_formula directories with that command.

I did have to go into /srv and change ownership of the directories (recursively), then I had to soft link /srv/user_pillar/init.top into /srv/pillar/… (and I needed to do sudo su to be able to do that). If one of those is the bug in question, then there’s your answer.

1 Like

Wow. The qusal project is simply amazing to read and understand salt recipes. Will test tomorrow qusal/salt/qubes-builder/README.md at main · ben-grande/qusal · GitHub

Do not skip dom0 requirements at qusal/docs/BOOTSTRAP.md at main · ben-grande/qusal · GitHub


Trying to help those whostruggle with SaltStack, and have more Salt code and less visual/bash step-by-steps in the forum, I have just created an MIT License repo for the community.

It’s a didactic small and simple config files and step-by-step commands for a VM for video playback with mpv, fzf, smplayer, and vlc inspired by this forum topic.

The repo:

If it fits well, please update in the initial message.


Thanks a lot! I made an appendix and added a link to your repository. By the way, this topic is a wiki so anyone should feel free to edit the first post :slight_smile:

1 Like

I’m trying to use this but keep getting errors because salt/dotfiles is empty. I see that directory is a git submodule and I think it is empty because I dont have access to the git repo. Do you know where I can get default files for this?

Agreed. It is a work of art and the dev is quick to respond. Most comprehensive yet and most states work as intended out of box.

The project needs testing and bug report. Did open a lot and hope others will do the same.

hello everyone,

I’m kinde new there, and can’t proceed very far.

I’m stuck on the commands using ‘qvm-appmenus’ that ‘fail with error code: 1’

The error occurs in every codes of ‘disconnected’ ‘messaging’ and ‘vault’ the vm–create-qube part works but fails for the vm–update-app-menu function .

when I run for example ‘qvm-appmenus --update salty’ directly in terminal I have no errors

If any one know where does the problem come from thanks in advance

best regards ,

1 Like

A very good example at The Guardian:

When security matters: working with Qubes OS at the Guardian When security matters: working with Qubes OS at the Guardian | | The Guardian


Hi, could you run the salt state again, with --show-output option and copy the output?

I remember having an error while trying to remove the following line:

{% set gui_user = salt['cmd.shell']('groupmems --list --group qubes') %}
1 Like

Hi, I’ve figured it out;

I’m on Qubes 4.2, don’t know if that make a difference but changed the syntax of the code; I write present directly as said by qubes doc and dont repeat the label tag, don’t know if it’s just for me but now it works, thanks;

{% if grains['id'] == 'dom0' %}

{% set gui_user = salt['cmd.shell']('groupmems --list --group qubes') %}

    - name: messaging
    - template: debian-12
    - label: yellow
    - features:
      - set:
        - menu-items: org.telegram.desktop.desktop org.gnome.Nautilus.desktop

    - name: qvm-appmenus --update messaging
    - runas: {{ gui_user }}
    - require:
      - qvm: messaging--create-qube

{% elif grains['id'] == 'debian-12' %}

    - pkgs:
      - telegram-desktop

{% endif %}

That’s interesting. As I understand it, the state configuration using the state command qvm.vm,

    - name: messaging
    - present:
      - template: debian-12
      - label: yellow
    - prefs:
      - label: yellow
    - features:
      - set:
        - menu-items: org.telegram.desktop.desktop org.gnome.Nautilus.desktop

is equivalent to using the qvm.present, qvm.prefs and qvm.features separately:

    - name: messaging
    - template: debian-12
    - label: yellow

    - name: messaging
    - label: yellow

    - name: messaging
    - set:
      - menu-items: org.telegram.desktop.desktop org.gnome.Nautilus.desktop

Maybe qvm.prefs or qvm.features is causing the issue.

Edit: It seems that since commit 8ed18dc to qubes-desktop-linux-common, the issue #8494 is fixed and a call to qvm-appmenus is not longer necessary to refresh the list of applications after changing it with qvm.features. In this case, the parts

{% set gui_user = salt['cmd.shell']('groupmems --list --group qubes') %}


    - name: qvm-appmenus --update name-of-qube
    - runas: {{ gui_user }}

can be removed from all the Salt configuration files.

Has anyone tested whether the list of applications is refreshed when omitting those parts? If so, I’ll update the guide.

I just tried this state file:

    - name: test-appmenu
    - present:
      - template: debian-12-xfce
      - label: red
    - features:
      - set:
        - menu-items: org.xfce.mousepad-settings.desktop xarchiver.desktop

And the appmenu is refreshed (even when changing the menu-items list) so I need to update my salt states too :slight_smile:

EDIT: I think this guide is much better with this tip, thanks! Please check if I removed too much code, I hope not.

1 Like

Many thanks!