Reproducible, automatic qube installations via shell-scripting

Hey,
I would like to automate template and app qube (re)installations by using shell-scripts.

My first question:
Is dom0 the appropriate place for storing the script files?

I am asking, as docs warn about copying any files to dom0:

Copying anything into dom0 is not advised, since doing so can compromise the security of your Qubes system.

Some existing, lengthy scripts would need to be copied over to dom0.

Second question:
Does the docs’ quote imply a warning about possible text encoding exploits when passing IO to dom0? Or does qrexec auto-sanitize characters, so there is no worry?

Is there anything else to be concerned about? The script content is safe (to the best of my knowledge), as it was written by myself.

Debug the script carefully, then yes.

AFAIK, no.
Wait a second, to copy a file to dom0 use qvm-run --pass-io, not qrexec.

Where you wrote it, by what, etc. depends on your threat model (how often you’re being targeted).

It’s not done automatically, unless you’re using qvm-run --pass-io --filter-escape-chars --no-colour-output to filter the incoming byte stream.

qvm-run is a wrapper around qrexec-client.

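An added example, not part of any post above and not Qubes project code: a dom0-side helper that pulls a script with the `qvm-run --pass-io` form mentioned in the thread and refuses it if it contains anything other than printable ASCII, tab or newline, since a redirect to a file is not filtered. The function names, the staging logic and the ASCII-only policy are assumptions of this sketch; a script with UTF-8 comments would be rejected by it.

```shell
#!/bin/bash
# Added example for dom0. Function names and the allowed-byte policy are
# assumptions of this sketch, not part of Qubes OS.

# Count bytes that are NOT tab, newline or printable ASCII (0x20-0x7e).
count_unexpected_bytes() {
    LC_ALL=C tr -d '\11\12\40-\176' < "$1" | wc -c | tr -d ' '
}

# Succeed only for a non-empty file free of control bytes (ESC, CR, NUL, ...)
# that a terminal or editor in dom0 could interpret.
is_plain_text() {
    [ -s "$1" ] && [ "$(count_unexpected_bytes "$1")" -eq 0 ]
}

# Pull one file from a qube into dom0, inspect it, then move it into place.
# usage: fetch_script <source-qube> <path-in-qube> <dest-in-dom0>
fetch_script() {
    src_qube=$1; src_path=$2; dest=$3
    tmp=$(mktemp) || return 1
    # Output goes to a file, never to the terminal, so nothing is rendered
    # before the byte check below has run.
    if ! qvm-run --pass-io "$src_qube" "cat '$src_path'" > "$tmp"; then
        rm -f "$tmp"; return 1
    fi
    if ! is_plain_text "$tmp"; then
        echo "refusing file: $(count_unexpected_bytes "$tmp") unexpected byte(s)" >&2
        rm -f "$tmp"; return 2
    fi
    # Print the hash so it can be compared with sha256sum run in the source qube.
    mv "$tmp" "$dest" && sha256sum "$dest"
}
```

The byte check only shows that the file is inert text; what the script does once executed in dom0 still has to be read and understood before it is run.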