Tool: Simple Set-up of New Qubes and Software

That's a plan! Will try this out!
Looks like there's a config on every qube where you can set up the source of updates separately. I always thought you did that globally (with the update qube in Qubes settings [which is sys-whonix on my setup]).

Two cents advice: start with one, and repeat once you've got the process right. There are few things more annoying in my experience than troubleshooting a process that didn't go right n times in a row instead of only once!

Yes - I've been tweaking the Fedora config to get those updates working. Almost invariably the issue arises with the "updates" repository, and I think that it relates to incorrect mirroring of the updates repo across the mirrors. If I clear the cache (dnf clean all) and retry later, updates usually work.

Whether you use cacher is determined by an entry in /etc/qubes/policy.d/30-user.policy
The entry is this:
qubes.Updates.Proxy * @type:TemplateVM @default allow target=cacher

You can override this by inserting a line ABOVE this one, because policy is applied to the first match.
qubes.Updates.Proxy * fedora-37 @default allow target=sys-net
This will mean that fedora-37 uses sys-net for updates, while all other Templates use cacher.
Make any other changes you want.
(If you want to stop using cacher altogether you can just delete the cacher line, and then policy will revert to the default in 90-default.policy using sys-net.)

When you set up cacher, repository definitions were rewritten to allow for use of HTTPS repositories. If you want to use something other than cacher you need to revert these changes. There is a salt file in /srv/salt/cacher to help you do this. You apply it like this:
sudo qubesctl --skip-dom0 --targets=TARGET1,TARGET2,TARGET3 state.apply cacher.restore_templates

This file will revert the changes in Debian based, Fedora and Arch templates. If you inspect the restore_templates.sls you should see that it replaces patterns in the repository definitions.

The process is (should be) relatively straightforward.

I never presume to speak for the Qubes team. When I comment in the Forum or in the mailing lists I speak for myself.
4 Likes
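The first-match rule described in the post above is easy to get wrong by hand (the override silently does nothing if it lands below the @type:TemplateVM line). The following script is an added example, not part of unman's packages or the Qubes policy tooling: it inserts an override directly above the cacher rule in a policy file, refuses to add a duplicate, and then resolves which target a given template would get under first-match. It assumes the line layout shown in the post, that the queried name is a TemplateVM (so @type:TemplateVM and @anyvm match it), and that POLICY is the file named in the post; point POLICY at a copy to try it outside dom0.

```bash
#!/bin/sh
# Added example (not from unman's packages): manage a qubes.Updates.Proxy
# override in a qrexec policy file and show which target a template would get.
# Default path is the file named in the post; set POLICY to a copy to try it
# outside dom0. Assumed line layout (as in the post):
#   qubes.Updates.Proxy * <source> @default allow target=<qube>
POLICY="${POLICY:-/etc/qubes/policy.d/30-user.policy}"

# add_override TEMPLATE TARGET FILE
# Insert "qubes.Updates.Proxy * TEMPLATE @default allow target=TARGET" directly
# above the first @type:TemplateVM rule so it wins under first-match. Does
# nothing if a rule for TEMPLATE already exists; appends if no TemplateVM rule
# is found (30-user.policy still precedes 90-default.policy).
add_override() {
    grep -q "^qubes.Updates.Proxy \* $1 " "$3" && return 0
    awk -v line="qubes.Updates.Proxy * $1 @default allow target=$2" '
        !done && $1 == "qubes.Updates.Proxy" && $3 == "@type:TemplateVM" {
            print line; done = 1
        }
        { print }
        END { if (!done) print line }
    ' "$3" > "$3.tmp" && mv "$3.tmp" "$3"
}

# updates_proxy_target TEMPLATE FILE
# Print the target the first matching rule assigns to TEMPLATE. Assumes TEMPLATE
# is a TemplateVM (so @type:TemplateVM and @anyvm match it); prints "(deny)" for
# a deny rule and nothing if no rule in FILE matches (a later file then decides).
updates_proxy_target() {
    awk -v src="$1" '
        /^[[:space:]]*#/ || NF < 5 || $1 != "qubes.Updates.Proxy" { next }
        $3 == src || $3 == "@type:TemplateVM" || $3 == "@anyvm" {
            if ($5 != "allow") { print "(" $5 ")"; exit }
            for (i = 6; i <= NF; i++)
                if ($i ~ /^target=/) { print substr($i, 8); exit }
            print "(default target)"; exit
        }
    ' "$2"
}

# Usage (dom0, as root): ./updates-proxy.sh fedora-37 sys-net
if [ $# -eq 2 ]; then
    add_override "$1" "$2" "$POLICY"
    echo "$1 -> $(updates_proxy_target "$1" "$POLICY")"
fi
```

The resolver only understands the three source tokens the post relies on (an explicit qube name, @type:TemplateVM and @anyvm); a policy that uses tags or other @-tokens needs the real qrexec policy parser, so treat the printed target as a sanity check of line ordering, not as an authoritative evaluation.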

I have installed the @unman software successfully and proceeded to install the MullvadVPN package. It created two qubes (template-mullvad and MullvadVPN). I received no errors during installation. The instructions say I should look for a menu entry called “Setup Mullvad VPN” in the Qubes Menu. I checked both those qubes in the menu and neither had an entry for “Setup Mullvad VPN” (and yes, I refreshed to make sure).

What has gone wrong?

@unman can you suggest any troubleshooting steps for the problem I posted above please?

bump… any help on this?

@unman Thanks for your work on this.

Would you be interested in implementing a salt package to install BusKill? The BusKill installation process requires some changes to dom0 and sys-usb.

1 Like

BusKill looks fantastic

1 Like

Mullvad VPN package is missing; it fails to download.

Indeed, the good folk at Mullvad were kind enough to send me updated credentials, and I have built an updated package for the new version, and the browser. Unfortunately, for reasons, I have not yet been able to upload a new signed package.

I don't share your enthusiasm, but others like it, and it should be a straightforward package.

I never presume to speak for the Qubes team.
When I comment in the Forum or in the mailing lists I speak for myself.

1 Like

I switched to the OpenVPN tool since Mullvad is not currently available. With the default sys-vpn that the Tool creates, I have no problem getting connected to a Mullvad OpenVPN.

However, if I create a new sys-vpn2 based on the same template (and also give it networking access), following the exact same process, that VM fails to connect to the VPN; there are also no pop-ups or notifications saying it's even trying.

The only way I can get a new sys-vpn is to clone the original. That works fine.

When creating a new sys-vpn AppVM based on a template, are there some additional things you need to do to get it to work?

Also, these sys-vpn qubes take 3+ minutes to shut down or reboot; is that normal?

unman,
Thanks loads for your contribution to helping users with Qubes setups.
I used your system for 4.1 (pi-hole, sys-vpn, cacher) but now with 4.2 things don't seem to install. Maybe the switch to nftables and the newer Xen hypervisor makes the difference? I would rather not go back to 4.1.
Will you be updating your templates to use 4.2 in the near future?
Thanks for all the work and help.

4 Likes

Cool work. As a new Linux user the biggest hurdle by far is all the terminal work. Luckily I already have a foundation under me of HTML/CSS etc., so using script and learning it isn't an automatic mind fk. However, for most people it will be; the biggest hurdle to getting a lot more people on Linux is making ALL the normal day-to-day functions people may want to do easily done through a GUI. I know the Linux community likely isn't as focused on that, as using the terminal etc. is part of the networking/management fun of Linux.

Hopefully one day Linux will be the gamer OS of choice (thanks to Steam and Proton that reality is coming faster than it was), but even SteamOS takes more than a lot of normal people are willing to invest into an OS even just for games. Forums are full of people who switched to Windows devices because they “couldn't figure it out”, and that's only a small handful of stuff to learn in a very niche use case. When it comes to a full everyday-use Linux OS the amount of stuff is quite daunting. I'm not sure if a full GUI OS would be something that would be suitable for Qubes or not, as I don't know how much vulnerability is added by all the extra code/modifications for the interfaces and how it would affect the attack surface, but it sure would be nice!

@unman any status on this for our QubesOS users?

I haven't announced it yet, but the repo for 4.2 is well populated already. Perhaps this is the announcement.
I'll post something more detailed once I've finished the Mullvad packages.

3 Likes

Great work as always, @unman
I’m working out of the new 4.2 repo and all debian-based templates work when using the cacher salt configs.

Fedora templates, however, issue Curl errors (5), (500), and (56). I think somewhere I read you suggested changing the repository metalinks or alternating to the baseurls instead? I can’t find the source of that post now.

EDIT:

Found this in an old email list exchange, for anyone looking to troubleshoot apt-cacher-ng:

Yes, apt-cacher-ng works for Fedora updates.

You have to make some changes -
First, on the client side, comment out “metalink” lines, and uncomment “baseurl” lines. This is because the metalink will keep loading new https:// repositories, and apt-cacher-ng can't cache those requests, as you know.
Second, watch the caches in /var/cache/apt-cacher-ng, and add any new ones to the fedora_mirrors file - this is because that file doesn't contain all Fedora repositories.

After a while you will have almost all your Fedora updates cached, and will see the speed increase.
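The two client-side changes in the quoted message (comment out metalink=, uncomment baseurl=) and the mirror-list bookkeeping are simple enough to script, and a check afterwards catches the case where a repo file still has a live metalink and dnf keeps wandering to mirrors the cacher cannot serve. The script below is an added example, not part of unman's cacher package or apt-cacher-ng. It assumes the stock Fedora .repo layout (one metalink= line and one commented #baseurl= line per section), that the shipped #baseurl may point at a placeholder host such as download.example and therefore needs a real mirror substituted, and that the cacher's mirror list lives at /etc/apt-cacher-ng/fedora_mirrors (a path assumed here, not stated in the post).

```bash
#!/bin/sh
# Added example (not from unman's cacher package): apply the two client-side
# repo changes from the quoted message to a Fedora .repo file and verify them.
# Assumptions: stock Fedora layout (metalink= plus a commented #baseurl= per
# section); the commented baseurl may carry a placeholder host that needs a
# real mirror; apt-cacher-ng's mirror list is /etc/apt-cacher-ng/fedora_mirrors.

# fedora_repo_use_baseurl FILE [MIRROR_HOST]
# Comment out every metalink= line and uncomment every #baseurl= line. If a
# mirror host is given, replace the host part of each live baseurl with it
# (needed when the stock baseurl points at a placeholder like download.example).
fedora_repo_use_baseurl() {
    sed -i -e 's/^metalink=/#metalink=/' -e 's/^#baseurl=/baseurl=/' "$1"
    if [ -n "${2:-}" ]; then
        sed -i "s#^\(baseurl=https\{0,1\}://\)[^/]*#\1$2#" "$1"
    fi
}

# fedora_repo_check FILE
# Succeed only if no live metalink remains and at least one live baseurl exists,
# i.e. dnf can no longer be redirected to mirrors the cacher cannot cache.
fedora_repo_check() {
    ! grep -q '^metalink=' "$1" && grep -q '^baseurl=' "$1"
}

# add_fedora_mirror HOST [LIST]
# Append HOST to the cacher's mirror list exactly once, for hosts that appear
# under /var/cache/apt-cacher-ng but are not yet listed.
add_fedora_mirror() {
    list="${2:-/etc/apt-cacher-ng/fedora_mirrors}"
    grep -qxF "$1" "$list" 2>/dev/null || printf '%s\n' "$1" >> "$list"
}

# Usage, in a Fedora template as root (mirror host is an example choice):
#   for f in /etc/yum.repos.d/fedora*.repo; do
#       fedora_repo_use_baseurl "$f" dl.fedoraproject.org
#       fedora_repo_check "$f" || echo "still has a live metalink: $f"
#   done
```

Keep a copy of /etc/yum.repos.d before running it; the cacher.restore_templates salt state mentioned earlier in the thread reverts the cacher's own rewrites, not these.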

I’m finally announcing that tasks are available for 4.2.
You can read details here

These are packages that you can install which will create and configure templates and qubes for specific purposes. All are based on debian-12 templates, usually the minimal template.

There's a CLI and the same ugly GUI. I recommend running the GUI because these tools are supposed to take away the reliance on command line use in dom0. (It also has the advantage of giving some feedback while the templates are installed and configured.)

What’s here?

Among the task packages so far:

  • cacher - a caching proxy. If you clone a template this will cache the downloaded packages on updates, to reduce the bandwidth/time pain of having multiple templates trying to grab the same packages.
  • pihole - installs and configures a pihole qube, which helps to block advertisements and internet trackers
  • syncthing - a syncthing qube, and a syncthing service. You can syncthing files between qubes and/or use syncthing with external machines.
  • multimedia - creates a media qube which is intended to store media files, and an associated disposable multimedia qube to play the files. So you can (relatively) safely download stuff and store it in media, while viewing or using in the disposable.
  • Mullvad - thanks to the good folk at Mullvad, creates a sys-mullvad qube where you can configure the VPN for use in attached qubes. Also creates a disposable template so you can use disposables with the Mullvad browser, and/or use a VPN just in that disposable.
  • Proton VPN - a qube to use Proton VPN
  • sys-vpn - a service qube to help configure an OpenVPN connection for use by attached qubes.
  • reader - creates a template with software aimed at terminal users, like conversion to plain text, edbrowse, and orca.
  • mirage-firewall - installs the latest release of the unikernel mirage firewall, warts and all.
  • split-git
  • split-gpg

Source?

The source is on GitHub.
For the most part these packages install and run salt states. The states are deliberately simple to read so almost anyone will be able to understand what they do.

Why should I trust this?

Don't. At least, not without some careful thought.
All the packages are signed with my Qubes signing key.
All the code is available, and anyone can review it.

If you want to check what a particular package really does:

  1. Download the package without installing it.
  2. rpm2cpio PACKAGE_NAME |cpio -id will extract the directories and files from the package, so you can inspect them.
  3. rpm -qpi --scripts PACKAGE_NAME will show you exactly what scripts will be run on installation.

Suggestions, changes, or improvements?

Post in this thread with suggestions for new packages or changes to the existing ones.
Most of these packages have been created to other users' specifications.

Bugs?

Please don't post them here.
Open a new thread with details of the problem. It’s easier to see the problem, and other users will be able to find the problem, and (I hope), the answer, more easily.

If the formatting here is off, can someone fix it for me?

unman

8 Likes
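The "Why should I trust this?" steps above are the right instinct; the script below folds them into one pre-install review, adding the signature check that the list leaves implicit. It is an added example, not code from unman's repository: it checks the package signature with rpm -K, optionally insists that the signature's key ID matches one you have verified out of band (the expected key ID is passed in, never assumed), prints the install scriptlets, unpacks the payload into a scratch directory, and dumps any salt states it finds, since those are where these packages do their real work. It assumes rpm, rpm2cpio and cpio are available, as they are in dom0 and in a Fedora qube.

```bash
#!/bin/sh
# Added example (not from unman's repo): review a downloaded task package
# before installing it. Assumes rpm, rpm2cpio and cpio are installed. The
# expected signing key ID is supplied by the caller; nothing here assumes one.

# inspect_rpm PACKAGE.rpm [EXPECTED_KEYID]
# Return codes: 2 = file missing, 3 = signature/digest check failed or the
# signing key ID does not contain EXPECTED_KEYID, 0 = review output printed.
inspect_rpm() {
    pkg="$1"; want="${2:-}"
    [ -f "$pkg" ] || { echo "no such file: $pkg" >&2; return 2; }

    # 0. Signature and digests. rpm -K returns non-zero when they do not verify;
    #    its output also says whether the key is missing from the rpm keyring.
    sig=$(rpm -K "$pkg" 2>&1) || { echo "signature check failed: $sig" >&2; return 3; }
    echo "== signature =="; echo "$sig"
    if [ -n "$want" ] && ! rpm -qpi "$pkg" 2>/dev/null | grep -i '^Signature' | grep -qi "$want"; then
        echo "package is not signed by expected key $want" >&2; return 3
    fi

    # 1. Scriptlets that run at install/upgrade/remove time (-p: query the
    #    file on disk, not an installed package).
    echo "== scriptlets =="; rpm -qp --scripts "$pkg"

    # 2. Payload, unpacked into a scratch directory for reading.
    dir=$(mktemp -d)
    ( cd "$dir" && rpm2cpio "$pkg" | cpio -idm 2>/dev/null )
    echo "== files (extracted under $dir) =="
    find "$dir" -type f | sort

    # 3. Salt states are where the real configuration happens: show them.
    echo "== salt states =="
    find "$dir" -name '*.sls' -exec sh -c 'echo "--- $1"; cat "$1"' _ {} \;
    return 0
}

# Usage: ./inspect-rpm.sh PACKAGE.rpm [KEYID]
if [ $# -ge 1 ]; then
    inspect_rpm "$@"
fi
```

Run it in a disposable rather than in dom0 where possible, since step 2 unpacks untrusted content; only the signed package itself should ever be moved into dom0.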

Should have included obligatory sig.

Wishing now that your Qubes Tasks could somehow merge with qusal

After all the conversations on backing up one’s system, I’ve finally understood the necessity of salting all my qubes. Qubes Tasks is a great step toward understanding that.

1 Like