Qubes: Difference between revisions

From Legoktm
(update; add debugging tips on rescue with help from eaon)
Line 4: Line 4:
  * DD (km-d11)
− * media (km-f34)
+ * fpf (km-f37)
− ** flatpak: handbrake, kdenlive, picard
+ ** flatpak: Signal, Wire, Flatseal, Xournal++
− * personal (km-f34)
+ * dev (km-f37)
− ** flatpak: Signal, xournalpp, hexchat, runelite, dolphinemu
+ ** flatpak: Element, nheko, Flatseal, Kdenlive
− * fpf (km-f34)
+ * gpg (km-f37)
− ** flatpak: Signal, Wire
− * school (km-f34)
− * dev (km-f34)
− ** flatpak: Element
− * gpg (km-f34)
  ** no network
− * vault (km-f34)
+ * vault (km-f37)
+ * vault-gpg (fedora-37)
  ** no network
+ * sd-kernel-builder (km-d11)
− * vault-gpg (fedora-34)
+ * sd-dev11
− ** no network
+ * sd-dev12
− * sys-mullvad-vpn (fedora-34)
+ * sd-ssh (km-f37)
+ * sys-mullvad-vpn (fedora-37)
  ** see [https://micahflee.com/2019/11/using-mullvad-in-qubes/ Micah's setup guide]
+ * wm-ssh (km-f37)

  == Template VMs ==
Line 26: Line 25:
  ** (from backports) devscripts git-buildpackage dput-ng lintian
  ** command-not-found gitk git-cola webext-ublock-origin webext-https-everywhere dh-php php-dev dh-buildinfo apache2-dev ack webext-privacy-badger ubuntu-dev-tools pkg-kde-tools dh-python cython3 python3-setuptools neomutt vlc gnome-system-monitor curl php-mbstring php-intl php-sqlite3 php-apcu python3-isort python3-sphinx
− * fedora-34: upstream
+ * fedora-37: upstream
− * km-f34: fork:
+ * km-f37 fork: (outdated)
  ** enabled rpmfusion
  *** <code>sudo dnf config-manager --set-enabled rpmfusion-free</code>
Line 33: Line 32:
  ** enabled pycharm-community, vscodium
  ** fuse-exfat exfat-utils chromium ffmpeg vlc pcsc-tools mozilla-privacy-badger filezilla shotwell youtube-dl libreoffice libgnome-keyring tree ack nano mozilla-https-everywhere mozilla-ublock-origin nextcloud-client-nautilus quassel-client mosh mono-core mono-devel mono-locale-extras mediainfo curl transmission-gtk fish python3 python3.6 python3.7 python3.8 python3.9 python3.10 composer php-cli php-mysqli git-cola gitk podman pycharm-community codium nano keepassxc qubes-gpg-split pinentry-gtk tokei sqlite jq git-lfs tox poetry php-devel bind-utils gh mtr traceroute httpd-devel devscripts mariadb
+ ** other tweaks:
+ *** <code>systemctl mask packagekit</code>
+ *** <code>echo "vm.swappiness = 1" | sudo tee systemctl.conf</code>

  == Config ==
Line 40: Line 42:
  ** <code>sys-usb dom0 allow</code>
  * <code>/etc/qubes-rpc/policy/qubes.Gpg</code>
− ** <code>DD gpg allow</code>
  ** <code>dev gpg allow</code>
  ** <code>fpf gpg allow</code>
− ** <code>personal gpg allow</code>
  * <code>/etc/qubes-rpc/policy/qubes.GpgImportKey</code>
− ** <code>DD gpg allow</code>
  ** <code>dev gpg allow</code>
  ** <code>fpf gpg allow</code>
− ** <code>personal gpg allow</code>

  <s>Follow https://github.com/Qubes-Community/Contents/blob/master/docs/customization/dpi-scaling.md for getting it to work with my 4k display.</s> Went back to a non-4k display.
Line 55: Line 53:
  Appearance -> Style -> Adwaita-dark

+ Change global copy/paste ([https://forum.qubes-os.org/t/how-to-update-the-copy-paste-key-combination-in-4-1/5056/7 source]):<syntaxhighlight lang="shell-session">
− In <code>/etc/qubes/guid.conf</code>:
− <pre>
− secure_copy_sequence = "Mod4-c";
− secure_paste_sequence = "Mod4-v";
− </pre>
−
− In Qubes 4.1 that no longer works and you need ([https://forum.qubes-os.org/t/how-to-update-the-copy-paste-key-combination-in-4-1/5056/7 source]):<syntaxhighlight lang="shell-session">
  $ qvm-features dom0 gui-default-secure-copy-sequence 'Mod4-c'
  $ qvm-features dom0 gui-default-secure-paste-sequence 'Mod4-v'

  </syntaxhighlight>

  Create <code>/usr/local/bin/vault</code>, mapped to ctrl+shift+x
Line 77: Line 68:

  Redshift, following https://www.bryceguinta.me/install-configure-and-autostart-redshift-on-qubes-40.html, except place the config file at <code>~/redshift.conf</code> so it gets included in dom0 backups and use Settings -> Session and Startup to add the autostart entry.
+
+ TODO: Document using the new beta qubes app menu
+
+ == Advanced debugging ==
+ Boot a Qubes installer USB, select rescue mode. Select option #1, enter your decryption password. Ignore the error which says "You have no Linux partitions...", it's wrong and [https://github.com/QubesOS/qubes-issues/issues/5609 a known issue].
+
+ If you run e.g. <code>fdisk -l</code>, you should see your disks and VMs. You should be able to mount dom0 with e.g. <code>mkdir /mnt/dom0 && mount /dev/qubes_dom0/root /mnt/dom0</code>. To do stuff in dom0, you might <code>chroot /mnt/dom0.</code>
+
+ If you need <code>/proc</code>, <code>/sys</code>, etc. inside the chroot, see [https://superuser.com/questions/165116/mount-dev-proc-sys-in-a-chroot-environment#417004 this post] for how to mount them.
Revision as of 21:30, 7 March 2023

Note: after restoring from a backup, recreate the forked templates by cloning the base template again instead of keeping the restored copies: a restored template is a full copy, so the copy-on-write sharing with its base (and the disk space that sharing saves) is lost.

VMs

  • DD (km-d11)
  • fpf (km-f37)
    • flatpak: Signal, Wire, Flatseal, Xournal++
  • dev (km-f37)
    • flatpak: Element, nheko, Flatseal, Kdenlive
  • gpg (km-f37)
    • no network
  • vault (km-f37)
  • vault-gpg (fedora-37)
    • no network
  • sd-kernel-builder (km-d11)
  • sd-dev11
  • sd-dev12
  • sd-ssh (km-f37)
  • sys-mullvad-vpn (fedora-37)
  • wm-ssh (km-f37)

Template VMs

  • km-d11: fork:
    • (from backports) devscripts git-buildpackage dput-ng lintian
    • command-not-found gitk git-cola webext-ublock-origin webext-https-everywhere dh-php php-dev dh-buildinfo apache2-dev ack webext-privacy-badger ubuntu-dev-tools pkg-kde-tools dh-python cython3 python3-setuptools neomutt vlc gnome-system-monitor curl php-mbstring php-intl php-sqlite3 php-apcu python3-isort python3-sphinx
  • fedora-37: upstream
  • km-f37 fork: (outdated)
    • enabled rpmfusion
      • sudo dnf config-manager --set-enabled rpmfusion-free
      • sudo dnf config-manager --set-enabled rpmfusion-free-updates
    • enabled pycharm-community, vscodium
    • fuse-exfat exfat-utils chromium ffmpeg vlc pcsc-tools mozilla-privacy-badger filezilla shotwell youtube-dl libreoffice libgnome-keyring tree ack nano mozilla-https-everywhere mozilla-ublock-origin nextcloud-client-nautilus quassel-client mosh mono-core mono-devel mono-locale-extras mediainfo curl transmission-gtk fish python3 python3.6 python3.7 python3.8 python3.9 python3.10 composer php-cli php-mysqli git-cola gitk podman pycharm-community codium nano keepassxc qubes-gpg-split pinentry-gtk tokei sqlite jq git-lfs tox poetry php-devel bind-utils gh mtr traceroute httpd-devel devscripts mariadb
    • other tweaks:
      • sudo systemctl mask packagekit
      • echo "vm.swappiness = 1" | sudo tee -a /etc/sysctl.conf

Config

  • /etc/qubes-rpc/policy/qubes.InputKeyboard
    • sys-usb dom0 ask,default_target=dom0
  • /etc/qubes-rpc/policy/qubes.InputTablet
    • sys-usb dom0 allow
  • /etc/qubes-rpc/policy/qubes.Gpg
    • dev gpg allow
    • fpf gpg allow
  • /etc/qubes-rpc/policy/qubes.GpgImportKey
    • dev gpg allow
    • fpf gpg allow
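The policy lines above are matched top to bottom and the first line that fits the (source, target) pair decides the action, which is why a forgotten catch-all or a line in the wrong order changes who can reach the split-GPG backend. The checker below is an added example, not code from this page or from Qubes: it dry-runs a legacy-format policy file (the /etc/qubes-rpc/policy/<service> files listed above) for a given request. It assumes that @anyvm and $anyvm match any qube except dom0, that a request no line matches falls through to deny, and it only interprets the source, target and action columns (options after the comma, such as default_target=dom0, are echoed back, not parsed); the sample policy files it writes are constructed from the lines above. The authoritative decision is still made by qrexec-policy in dom0.

```shell
#!/bin/sh
# Added example, not from the wiki page or from Qubes itself: a small checker
# for legacy-format qrexec policy files like the ones listed above
# (/etc/qubes-rpc/policy/<service>). It models the matching rule the real
# engine uses, first matching line wins, so a policy can be dry-run from dom0
# before a misplaced catch-all opens a service to every qube.
# Assumptions made here: "@anyvm"/"$anyvm" match any qube except dom0, and a
# request no line matches falls through to deny. Only the src/dst/action
# columns are interpreted; options after the comma are echoed, not parsed.
#
# usage: policy_eval POLICY_FILE SOURCE_QUBE TARGET_QUBE  -> prints the action
policy_eval() {
    awk -v src="$2" -v dst="$3" '
        function matches(pat, name) {
            if (pat == name) return 1
            if ((pat == "@anyvm" || pat == "$anyvm") && name != "dom0") return 1
            return 0
        }
        /^[ \t]*(#|$)/ { next }                      # comments and blank lines
        NF < 3 { printf "policy_eval: malformed line %d: %s\n", NR, $0 > "/dev/stderr"; next }
        matches($1, src) && matches($2, dst) { print $3; found = 1; exit }
        END { if (!found) print "deny" }             # modelled fallthrough
    ' "$1"
}

# Constructed sample files (written to a temp path that is printed) mirroring
# the page's qubes.Gpg and qubes.InputKeyboard lines. The Gpg sample adds an
# explicit catch-all deny so the result never depends on engine defaults.
write_gpg_policy() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# qubes.Gpg: only these qubes may drive the split-GPG backend in "gpg"
dev gpg allow
fpf gpg allow
@anyvm @anyvm deny
EOF
    printf '%s\n' "$f"
}

write_input_keyboard_policy() {
    f=$(mktemp)
    printf '%s\n' 'sys-usb dom0 ask,default_target=dom0' > "$f"
    printf '%s\n' "$f"
}

# Demo when run as "sh policy_eval.sh demo": who may reach the gpg backend?
if [ "${1:-}" = demo ]; then
    f=$(write_gpg_policy)
    for src in dev fpf personal dom0; do
        printf '%-8s -> gpg : %s\n' "$src" "$(policy_eval "$f" "$src" gpg)"
    done
    rm -f "$f"
fi
```

Run it as `sh policy_eval.sh demo` to see that only dev and fpf get allow and everything else, dom0 included, lands on deny; point `policy_eval` at a real file under /etc/qubes-rpc/policy/ to check an edit before relying on it.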

Went back to a non-4k display. (Struck-out earlier note: follow https://github.com/Qubes-Community/Contents/blob/master/docs/customization/dpi-scaling.md for getting it to work with my 4k display.)

dom0

Appearance -> Style -> Adwaita-dark

Change global copy/paste (source: https://forum.qubes-os.org/t/how-to-update-the-copy-paste-key-combination-in-4-1/5056/7):

$ qvm-features dom0 gui-default-secure-copy-sequence 'Mod4-c'
$ qvm-features dom0 gui-default-secure-paste-sequence 'Mod4-v'

Create /usr/local/bin/vault, mapped to ctrl+shift+x

#!/bin/sh
exec qvm-run vault keepassxc

Clock format: %a %F %r

Redshift, following https://www.bryceguinta.me/install-configure-and-autostart-redshift-on-qubes-40.html, except place the config file at ~/redshift.conf so it gets included in dom0 backups and use Settings -> Session and Startup to add the autostart entry.

TODO: Document using the new beta qubes app menu

Advanced debugging

Boot a Qubes installer USB, select rescue mode. Select option #1, enter your disk decryption password. Ignore the error which says "You have no Linux partitions...": it is spurious and a known issue (https://github.com/QubesOS/qubes-issues/issues/5609).

If you run e.g. fdisk -l, you should see your disks and the LVM volumes backing dom0 and each VM. Mount dom0's root filesystem with e.g. mkdir /mnt/dom0 && mount /dev/qubes_dom0/root /mnt/dom0. To run commands against the dom0 install itself, chroot /mnt/dom0.

If you need /proc, /sys, etc. inside the chroot (package and boot tooling generally does), see https://superuser.com/questions/165116/mount-dev-proc-sys-in-a-chroot-environment#417004 for how to bind-mount them before entering the chroot.
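The rescue steps above, collected into one script as an added example (not from this page, eaon, or the Qubes project): it prints the mount plan so you can read it before anything touches the disk, refuses to run if the root LV is missing or the mount point is already in use, bind-mounts /dev, /dev/pts, /proc and /sys into the chroot, and tears everything down again in reverse order when you leave the dom0 shell. It assumes rescue mode has already unlocked LUKS and activated the qubes_dom0 volume group so that /dev/qubes_dom0/root exists; it does not mount /boot, whose device name depends on the install.

```shell
#!/bin/sh
# Added example, not from the wiki page: prepare and enter a dom0 chroot from
# the Qubes installer's rescue shell. Assumptions: rescue mode has already
# unlocked LUKS and activated the qubes_dom0 volume group, so the root LV
# named on the page exists; /boot is not mounted because its device name
# depends on the install (mount it by hand if you need grub/kernel changes).
ROOT_LV=${ROOT_LV:-/dev/qubes_dom0/root}
MNT=${MNT:-/mnt/dom0}

# rescue_plan: print, one per line, the commands that set up the chroot.
# Keeping the plan separate lets you read it before anything touches the disk.
rescue_plan() {
    cat <<EOF
mkdir -p $MNT
mount $ROOT_LV $MNT
mount --bind /dev $MNT/dev
mount --bind /dev/pts $MNT/dev/pts
mount -t proc proc $MNT/proc
mount -t sysfs sysfs $MNT/sys
EOF
}

# rescue_unplan: teardown in reverse order, so leaving the chroot does not
# leave dom0's root pinned by /proc or /dev ("target is busy" on umount).
rescue_unplan() {
    cat <<EOF
umount $MNT/sys
umount $MNT/proc
umount $MNT/dev/pts
umount $MNT/dev
umount $MNT
EOF
}

# rescue_check: refuse to run in situations the plan would make worse.
rescue_check() {
    [ "$(id -u)" -eq 0 ] || { echo "rescue: must run as root" >&2; return 1; }
    [ -b "$ROOT_LV" ] || { echo "rescue: $ROOT_LV not found; try: vgchange -ay qubes_dom0" >&2; return 1; }
    grep -q " $MNT " /proc/mounts && { echo "rescue: $MNT is already mounted" >&2; return 1; }
    return 0
}

# rescue_enter: apply the plan, drop into an interactive dom0 shell, tear down.
rescue_enter() {
    rescue_check || return 1
    rescue_plan | sh -e || { rescue_unplan | sh 2>/dev/null; return 1; }
    chroot "$MNT" /bin/bash
    rescue_unplan | sh
}

case "${1:-}" in
    plan)  rescue_plan ;;
    enter) rescue_enter ;;
    *)     echo "usage: $0 plan|enter  (run 'plan' first and read it)" >&2 ;;
esac
```

From the rescue shell, `sh rescue.sh plan` shows exactly what will be mounted where; `sh rescue.sh enter` does it and drops you into bash inside dom0's filesystem, with the mounts removed again when that shell exits. Override ROOT_LV or MNT in the environment if your layout differs from the one on this page.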