Setting minimal Templates for different purposes


thanks for the support here!
I’m setting the minimal templates for some special purposes and need some help.

FirewallVM and NetVM work well. But…

  1. Now I want to make an emailVM with just thunderbird within.
    So I installed thunderbird, thunderbird-qubes, thunar, qubes-core-agent-thunar, but I can not connect to the email-servers. The same in the BankingVM. I installed the needed java, but I can not connect to the server. The same in the "social"VM, There I can not connect to internet via firefox. So the minimal VMs seem all not to have some internet possibilities.

  2. sys-USB seems to work, but I can not connect to the mounted USB device on the new minimal VMs. I get “not authorized to perform operation”. I suppose it has to do with the passwordless root. I don’t want to install passwordless root, but I think, I MUST do it in the VMs, which should get USB connections (because of the usability), isn’t it?

  3. Is it security advantage NOT to install passwordless root, just to manage the VMs via dom0?

Best regards

1 Like

Regarding VMs that are not connecting (email, banking) did you also install qubes-core-agent-networking in the template?


ah, this is just mentioned by the FirewallVM. So every VM, which has connection to the internet, must have qubes-core-agent-networking. Thank you! It works!

So the point 1 is solved!

It’s a great thing with the minimal templates!!

Indeed I had to go through some trial and error before I figured out how to connect minimal VMs. You can also limit the firewall of the emailVM to use only IMAP and POP for the Internet, to increase (slightly) the security of that VM.

Re point #3 most Qubes experts say there’s not much advantage to passwordless root. It’s been discussed in this forum in several posts. I would recommend you still use it anyway if it’s not a hassle. You just need to remember the command in Dom0 to run xterm as root.

The firewall is almost limited and open just for the email server.
The bankingVM can only connect to the banking server.
VaultVM with password manager and documents without networking.

Several years ago I tried to restrict connections for the "social"VM (facebook and so on), but the usability of it sucks.

I think I don’t really need to sudo in the AppVMs. When everything is installed in the template (via dom0), what is needed in the appVMs. I don’t really need sudo. So I think, it’s not an advantage to have passwordless root in that case.

So the point 2 is also solved!

is there any (usable) possibility to get USB mounted without installing passwordless root in the appVMs?

You can mount from dom0 or open a terminal as root - possibilities.
Whether you find them “usable” depends on you.

If you do this a lot, you could have a small script in dom0 to run the
mount for you.

Otherwise install something like usbmount to have USB devices
automagically mounted. You will have to build that for yourself, as it’s
not packages for Debian.

whats about sound? I made a minimalVM for youtube and get no sound. I also can not see the VM in dom0 audioMixer. What do I need for that?

As it seems pulseaudio is installed. So maby there is no qubes-module for that?

#Edit: oh… sorry… pulseaudio-qubes is the thing that I need, isn’t it?

Read this

yes sorry, I somehow overlooked it.
Had conflict with pipewire-pulseaudio and had to install pulseaudio-qubes --allowerasing now it works!

Good to know you worked it out.
Thanks for feeding back. We should look at using that in the documentation,
if its an issue. In the meantime, people can find your help here.