Qubes

From Legoktm

Latest revision as of 23:17, 7 March 2023

Note: after restoring from a backup, recreate the forked templates (km-*) as clones of their base template and re-apply the customisations below. A template cloned from a base shares unchanged blocks with it via copy-on-write, but a template restored from backup is written out as a full independent copy, so keeping the restored one wastes disk space.

VMs

  • DD (km-d11)
  • fpf (km-f37)
    • flatpak: Signal, Wire, Flatseal, Xournal++
  • dev (km-f37)
    • flatpak: Element, nheko, Flatseal, Kdenlive
  • gpg (km-f37)
    • no network
  • vault (km-f37)
  • vault-gpg (fedora-37)
    • no network
  • sd-kernel-builder (km-d11)
  • sd-dev11
  • sd-dev12
  • sd-ssh (km-f37)
  • sys-mullvad-vpn (fedora-37)
    • see Micah's setup guide: https://micahflee.com/2019/11/using-mullvad-in-qubes/
  • wm-ssh (km-f37)

Template VMs

  • km-d11: fork:
    • (from backports) devscripts git-buildpackage dput-ng lintian
    • command-not-found gitk git-cola webext-ublock-origin webext-https-everywhere dh-php php-dev dh-buildinfo apache2-dev ack webext-privacy-badger ubuntu-dev-tools pkg-kde-tools dh-python cython3 python3-setuptools neomutt vlc gnome-system-monitor curl php-mbstring php-intl php-sqlite3 php-apcu python3-isort python3-sphinx
  • fedora-37: upstream
  • km-f37 fork: (outdated)
    • enabled rpmfusion
      • sudo dnf config-manager --set-enabled rpmfusion-free
      • sudo dnf config-manager --set-enabled rpmfusion-free-updates
    • enabled pycharm-community, vscodium
    • fuse-exfat exfat-utils chromium ffmpeg vlc pcsc-tools mozilla-privacy-badger filezilla shotwell youtube-dl libreoffice libgnome-keyring tree ack nano mozilla-https-everywhere mozilla-ublock-origin nextcloud-client-nautilus quassel-client mosh mono-core mono-devel mono-locale-extras mediainfo curl transmission-gtk fish python3 python3.6 python3.7 python3.8 python3.9 python3.10 composer php-cli php-mysqli git-cola gitk podman pycharm-community codium nano keepassxc qubes-gpg-split pinentry-gtk tokei sqlite jq git-lfs tox poetry php-devel bind-utils gh mtr traceroute httpd-devel devscripts mariadb
    • other tweaks:
      • systemctl mask packagekit
      • echo "vm.swappiness = 1" | sudo tee /etc/sysctl.d/99-swappiness.conf (a sysctl drop-in, any file name ending in .conf works; it takes effect at boot or after sudo sysctl --system)
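The template customisation above can be scripted from dom0 instead of typed into the template by hand. The following is an added example, not the page author's own script: it assumes a Qubes 4.1 dom0 with qvm-clone, qvm-run and qvm-shutdown on PATH, a fedora-37 template that already carries the (disabled) rpmfusion repo definitions as the Qubes Fedora templates do, and it writes the swappiness setting to a sysctl drop-in whose file name (99-swappiness.conf) is an assumption. Only a subset of the page's package list is included, and the third-party pycharm/vscodium repos are left out because their repo files are not described on the page.

```python
"""Clone a base TemplateVM and apply the km-f37 customisations from dom0.

Added example, not the page author's script. Assumes a Qubes 4.1 dom0 with
qvm-clone / qvm-run / qvm-shutdown on PATH and a fedora-37 template that ships
the rpmfusion repo definitions disabled (as the Qubes Fedora templates do).
"""
import shlex
import subprocess
from typing import List

BASE_TEMPLATE = "fedora-37"                                  # from the page
NEW_TEMPLATE = "km-f37"                                      # from the page
RPMFUSION_REPOS = ["rpmfusion-free", "rpmfusion-free-updates"]  # from the page
# A subset of the page's package list; extend with the rest as needed.
PACKAGES = ["keepassxc", "qubes-gpg-split", "pinentry-gtk", "git-cola", "gitk",
            "podman", "jq", "tokei", "git-lfs", "mtr", "traceroute"]
# sysctl drop-ins live in /etc/sysctl.d/; the file name is an assumption.
SWAPPINESS_DROPIN = "/etc/sysctl.d/99-swappiness.conf"


def in_template(template: str, shell_cmd: str) -> List[str]:
    """argv that runs shell_cmd as root inside `template` from dom0."""
    return ["qvm-run", "--pass-io", "--user", "root", template, shell_cmd]


def plan(base: str = BASE_TEMPLATE, name: str = NEW_TEMPLATE,
         packages: List[str] = PACKAGES) -> List[List[str]]:
    """Return the dom0 commands, in order, that build the customised template."""
    pkgs = " ".join(shlex.quote(p) for p in packages)
    steps = [["qvm-clone", base, name]]
    for repo in RPMFUSION_REPOS:
        steps.append(in_template(name, f"dnf config-manager --set-enabled {repo}"))
    steps.append(in_template(name, f"dnf -y install {pkgs}"))
    steps.append(in_template(name, "systemctl mask packagekit"))
    steps.append(in_template(
        name, f"printf 'vm.swappiness = 1\\n' > {SWAPPINESS_DROPIN}"))
    # Shut the template down so its root volume is committed before AppVMs use it.
    steps.append(["qvm-shutdown", "--wait", name])
    return steps


def provision(dry_run: bool = True, **kwargs) -> List[List[str]]:
    """Run the plan step by step (or only print it when dry_run); stop at the first failure."""
    steps = plan(**kwargs)
    for argv in steps:
        print(shlex.join(argv))
        if not dry_run:
            subprocess.run(argv, check=True)
    return steps


if __name__ == "__main__":
    provision(dry_run=True)   # print the commands; pass dry_run=False in dom0 to apply them
```

Running it with dry_run=True prints the exact dom0 command lines, which is a useful review step before letting it touch a template; qvm-run starts the template if it is halted, and the final qvm-shutdown --wait makes sure the changes are written before any AppVM based on it boots.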

Config

  • /etc/qubes-rpc/policy/qubes.InputKeyboard
    • sys-usb dom0 ask,default_target=dom0
  • /etc/qubes-rpc/policy/qubes.InputTablet
    • sys-usb dom0 allow
  • /etc/qubes-rpc/policy/qubes.Gpg
    • dev gpg allow
    • fpf gpg allow
  • /etc/qubes-rpc/policy/qubes.GpgImportKey
    • dev gpg allow
    • fpf gpg allow

These are legacy-format policy files (one "source target action[,options]" line per rule; the first matching line wins and a request that matches no line is denied). Qubes 4.1 still reads /etc/qubes-rpc/policy/ alongside the newer /etc/qubes/policy.d/, so a qube that is absent from both the qubes.Gpg and qubes.GpgImportKey lists cannot reach the gpg backend at all.
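To check what a policy file actually grants before relying on it, the following added example evaluates requests against policies in the legacy format used above. It is not Qubes' own qrexec-policy code: it models only the literal-name rules on this page plus the $anyvm, $adminvm and $tag: keywords (with the 4.1 @ spelling accepted), applying the documented order (first matching line wins, no match means deny, $anyvm never matches dom0). The qube inventory, the copies of this page's policies and the ordering counter-example are all constructed.

```python
"""Simplified evaluator for legacy /etc/qubes-rpc/policy/<service> files.

Added example, not Qubes' qrexec-policy implementation. First matching line
wins; a request matching no line is denied. Sample data is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

Rule = Tuple[str, str, str, Dict[str, str], str]   # source, target, action, options, raw line

# Constructed qube inventory: name -> tags (policies can match on $tag:NAME).
QUBES: Dict[str, Set[str]] = {
    "dom0": set(), "sys-usb": set(), "gpg": set(),
    "dev": {"work"}, "fpf": {"work"}, "personal": set(),
}


@dataclass
class Decision:
    action: str              # "allow", "ask" or "deny"
    target: Optional[str]    # effective target after target= / default_target=
    rule: Optional[str]      # policy line that matched; None for the implicit deny


def parse_policy(text: str) -> List[Rule]:
    rules: List[Rule] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected 'source target action[,opts]'")
        src, dst, spec = parts
        action, _, opts = spec.partition(",")
        if action not in ("allow", "ask", "deny"):
            raise ValueError(f"line {lineno}: unknown action {action!r}")
        options = dict(o.split("=", 1) for o in opts.split(",") if o)
        rules.append((src, dst, action, options, line))
    return rules


def _matches(pattern: str, name: str, qubes: Dict[str, Set[str]]) -> bool:
    key = pattern.replace("@", "$", 1)               # 4.1 also accepts @anyvm etc.
    if key == "$anyvm":
        return name != "dom0"                        # $anyvm never matches dom0
    if key == "$adminvm":
        return name == "dom0"
    if key.startswith("$tag:"):
        return key[5:] in qubes.get(name, set())
    return key == name                               # a literal qube name


def evaluate(rules: List[Rule], source: str, target: str,
             qubes: Dict[str, Set[str]] = QUBES) -> Decision:
    if source not in qubes or target not in qubes:
        return Decision("deny", None, None)          # unknown qube: nothing can match
    for src, dst, action, options, line in rules:
        if _matches(src, source, qubes) and _matches(dst, target, qubes):
            if action == "deny":
                return Decision("deny", None, line)
            if action == "allow":
                return Decision("allow", options.get("target", target), line)
            return Decision("ask", options.get("default_target"), line)
    return Decision("deny", None, None)              # no line matched: implicit deny


# Constructed copies of the policies listed on this page.
QUBES_GPG = "dev gpg allow\nfpf gpg allow\n"
QUBES_INPUT_KEYBOARD = "sys-usb dom0 ask,default_target=dom0\n"
# Constructed counter-example: order matters; a later $anyvm line cannot
# re-enable a qube that an earlier line already denied.
ORDERED = "personal gpg deny\n$anyvm gpg allow\n"

if __name__ == "__main__":
    for policy, src, dst in [(QUBES_GPG, "dev", "gpg"), (QUBES_GPG, "personal", "gpg"),
                             (QUBES_INPUT_KEYBOARD, "sys-usb", "dom0"),
                             (ORDERED, "personal", "gpg"), (ORDERED, "dom0", "gpg")]:
        print(f"{src} -> {dst}: {evaluate(parse_policy(policy), src, dst)}")
```

The evaluator returns the matched line alongside the decision so that a surprising allow can be traced to the rule that produced it; the real policy daemon additionally resolves $default and $dispvm targets, which this model deliberately leaves out.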

<s>Follow https://github.com/Qubes-Community/Contents/blob/master/docs/customization/dpi-scaling.md for getting it to work with my 4k display.</s> Went back to a non-4k display.

dom0

Appearance -> Style -> Adwaita-dark

Change global copy/paste (source: https://forum.qubes-os.org/t/how-to-update-the-copy-paste-key-combination-in-4-1/5056/7); Mod4 is the Super/Windows key, and the new sequences apply to qubes started after the change:

$ qvm-features dom0 gui-default-secure-copy-sequence 'Mod4-c'
$ qvm-features dom0 gui-default-secure-paste-sequence 'Mod4-v'

Create /usr/local/bin/vault, mapped to ctrl+shift+x

#!/bin/sh
exec qvm-run vault keepassxc

Clock format: %a %F %r

Redshift, following https://www.bryceguinta.me/install-configure-and-autostart-redshift-on-qubes-40.html, except place the config file at ~/redshift.conf so it gets included in dom0 backups and use Settings -> Session and Startup to add the autostart entry.

TODO: Document using the new beta qubes app menu

Advanced debugging

In the grub bootloader you can press "E" on a menu item to edit both the Linux and Xen command lines before booting. Removing "quiet" from Linux will make the boot process verbose and you can see where you get stuck.

Boot a Qubes installer USB and select rescue mode. Select option #1 and enter your disk decryption passphrase. Ignore the error which says "You have no Linux partitions...": it is wrong and a known issue (https://github.com/QubesOS/qubes-issues/issues/5609).

If you run e.g. fdisk -l you should see your disks and the qube volumes. Mount dom0's root with e.g. mkdir /mnt/dom0 && mount /dev/qubes_dom0/root /mnt/dom0, then chroot /mnt/dom0 to work inside it.

If you need /proc, /sys, etc. inside the chroot, see https://superuser.com/questions/165116/mount-dev-proc-sys-in-a-chroot-environment#417004 for how to bind-mount them.