Qubes-Community-Content/docs/user-setups/taradiddles/README.md

User setup / @taradiddles
=========================

Hardware
--------

Lenovo Thinkpad T450s


TemplateVMs and qubes
---------------------

Philosophy: use a few custom templates rather than a large one. Pro: minimize attack surface. Cons: more work to set up, and more time spent updating (for the latter, setting up a caching proxy in your LAN or [even in a qube](https://github.com/rustybird/qubes-updates-cache) will speed up things).

### TemplateVM 'fedora-minimal'

Custom minimal template for:

- qube 'sys-firewall'
- qube 'sys-net'
- qube 'vault': not networked; used for keepassxc (password manager) and [split gpg](https://www.qubes-os.org/doc/split-gpg/)

### TemplateVM 'fedora-medium' (default template)

Custom template with libreoffice, evolution, ...

- qube 'work': firewalled, ssh only to known hosts and to mail server; used for emails/office work, storing non confidential documents, and terminals (with [tmux](https://en.wikipedia.org/wiki/Tmux)).
- qube 'banking': firewalled, https only to know hosts; used only for e-banking
- qube 'private': not networked; for opening and storing private/personal documents
- qube 'sys-usb': firewalled, only LAN allowed (required for storing large android backups to a NFS share).

### TemplateVM 'fedora-heavy'

Larger custom template with a lot more apps, some from non-fedora repos (rpmfusion, ...)

- qube 'untrusted': firewalled, only a few IPs allowed (eg. own cloud/seafile server, ...); mainly used for managing personal pictures and opening multimedia files and content that is more or less trusted. 
- (named) dispVM 'dispBrowser': for casual browsing. Customized firefox profile with privacy extensions and a custom `user.js` file (from [here](https://github.com/arkenfox/user.js))
- dispVMs: used for opening content downloaded from unknown/dodgy sources as well as browsing sites that won't work with the restricted firefox profile of 'dispBrowser' above.

### TemplateVM 'fedora-print'

A custom template with third-party printing drivers

- (named) dispVM 'print': firewalled, access only to remote printer/scanner

### TemplateVM 'debian-11-signal'

A custom template with `signal-desktop` [installed](https://github.com/Qubes-Community/Contents/blob/master/docs/privacy/signal.md) in a minimal debian-11 template.

- dispVM 'signal'


### Other qubes

- a few Windows 10 qubes without network for CAD/3D drawing, programing controllers with a Windows-only toolkit, ... ; 
- a dedicated qube for GIS work
- ...


DOM0 customization
------------------

### Xterm

Open xterm instead of xfce4-terminal: in `/etc/xdg/xfce4/helpers.rc`, set

~~~
TerminalEmulator=xterm
~~~

(Xresources for xterm are in `$HOME/.Xresources`)


### Power management

- install and configure `tlp` in dom0
- add `workqueue.power_efficient` to `GRUB_CMD_LINE` in `/etc/default/grub`


### Productivity tweaks

Define application shortcuts with Qubes Menu -> System Tools -> Keyboard -> Application Shortcuts; for instance:

- ctrl-alt C: open a calculator in qube untrusted ; shortcut: `qvm-run -q -a untrusted galculator`
- ctrl-alt X: open a popup windows to open xterm in a given qube (script [here](https://github.com/taradiddles/qubes-os/blob/master/popup-appmenu-r4), screenshot [there](https://github.com/taradiddles/qubes-os/blob/master/popup-appmenu.screenshot.jpg)). Shortcut: `popup-appmenu xterm`.
- ctrl-alt F: ditto, but with firefox
- ctrl-alt K: open keepassxc in qube vault; shortcut: `qvm-run -q -a vault keepassxc`


Backups
-------

`qvm-backup` is horribly slow and can't be used on a regular basis to backup qubes with large amounts of data. So use tasket's excellent [wyng](https://github.com/tasket/wyng-backup) backup tool.

Setup (fully automated with scripts):

- in a dedicated trusted qube based on fedora-minimal, mount a nfs share which hosts a large (ie. 500GB) file with a LUKS volume and `losetup` that file
- attach the newly created loop device to dom0
- in dom0, attach the newly create loop device to dom0, open the LUKS volume in the trusted qubes and mount its underlying fs
- in dom0, run `wyng`, backup (rsync) home dir + various config files, etc.
- unmount, close luks, detach, shutdown trusted qube
add user-setups 2018-05-07 08:36:42 -04:00			`User setup / @taradiddles`
			`=========================`

			`Hardware`
			`--------`

			`Lenovo Thinkpad T450s`


update for current setup 2022-04-29 01:48:42 -04:00			`TemplateVMs and qubes`
			`---------------------`
add user-setups 2018-05-07 08:36:42 -04:00
update for current setup 2022-04-29 01:48:42 -04:00			`Philosophy: use a few custom templates rather than a large one. Pro: minimize attack surface. Cons: more work to set up, and more time spent updating (for the latter, setting up a caching proxy in your LAN or [even in a qube](https://github.com/rustybird/qubes-updates-cache) will speed up things).`
add user-setups 2018-05-07 08:36:42 -04:00
update for current setup 2022-04-29 01:48:42 -04:00			`### TemplateVM 'fedora-minimal'`
add user-setups 2018-05-07 08:36:42 -04:00
			`Custom minimal template for:`

update for current setup 2022-04-29 01:48:42 -04:00			`- qube 'sys-firewall'`
			`- qube 'sys-net'`
			`- qube 'vault': not networked; used for keepassxc (password manager) and [split gpg](https://www.qubes-os.org/doc/split-gpg/)`
add user-setups 2018-05-07 08:36:42 -04:00
update for current setup 2022-04-29 01:48:42 -04:00			`### TemplateVM 'fedora-medium' (default template)`
add user-setups 2018-05-07 08:36:42 -04:00
update for current setup 2022-04-29 01:48:42 -04:00			`Custom template with libreoffice, evolution, ...`
fix list formatting 2018-05-07 08:39:41 -04:00
update for current setup 2022-04-29 01:48:42 -04:00			`- qube 'work': firewalled, ssh only to known hosts and to mail server; used for emails/office work, storing non confidential documents, and terminals (with [tmux](https://en.wikipedia.org/wiki/Tmux)).`
			`- qube 'banking': firewalled, https only to know hosts; used only for e-banking`
			`- qube 'private': not networked; for opening and storing private/personal documents`
			`- qube 'sys-usb': firewalled, only LAN allowed (required for storing large android backups to a NFS share).`
add user-setups 2018-05-07 08:36:42 -04:00
update for current setup 2022-04-29 01:48:42 -04:00			`### TemplateVM 'fedora-heavy'`
add user-setups 2018-05-07 08:36:42 -04:00
update for current setup 2022-04-29 01:48:42 -04:00			`Larger custom template with a lot more apps, some from non-fedora repos (rpmfusion, ...)`
fix list formatting 2018-05-07 08:39:41 -04:00
update for current setup 2022-04-29 01:48:42 -04:00			`- qube 'untrusted': firewalled, only a few IPs allowed (eg. own cloud/seafile server, ...); mainly used for managing personal pictures and opening multimedia files and content that is more or less trusted.`
			- (named) dispVM 'dispBrowser': for casual browsing. Customized firefox profile with privacy extensions and a custom `user.js` file (from [here](https://github.com/arkenfox/user.js))
			`- dispVMs: used for opening content downloaded from unknown/dodgy sources as well as browsing sites that won't work with the restricted firefox profile of 'dispBrowser' above.`
add user-setups 2018-05-07 08:36:42 -04:00
update for current setup 2022-04-29 01:48:42 -04:00			`### TemplateVM 'fedora-print'`
sync with personal doc 2018-09-26 12:35:31 -04:00
update for current setup 2022-04-29 01:48:42 -04:00			`A custom template with third-party printing drivers`
add user-setups 2018-05-07 08:36:42 -04:00
update for current setup 2022-04-29 01:48:42 -04:00			`- (named) dispVM 'print': firewalled, access only to remote printer/scanner`
add user-setups 2018-05-07 08:36:42 -04:00
update for current setup 2022-04-29 01:48:42 -04:00			`### TemplateVM 'debian-11-signal'`
add user-setups 2018-05-07 08:36:42 -04:00
update for current setup 2022-04-29 01:48:42 -04:00			A custom template with `signal-desktop` [installed](https://github.com/Qubes-Community/Contents/blob/master/docs/privacy/signal.md) in a minimal debian-11 template.
add user-setups 2018-05-07 08:36:42 -04:00
update for current setup 2022-04-29 01:48:42 -04:00			`- dispVM 'signal'`
add user-setups 2018-05-07 08:36:42 -04:00

update for current setup 2022-04-29 01:48:42 -04:00			`### Other qubes`
add user-setups 2018-05-07 08:36:42 -04:00
update for current setup 2022-04-29 01:48:42 -04:00			`- a few Windows 10 qubes without network for CAD/3D drawing, programing controllers with a Windows-only toolkit, ... ;`
			`- a dedicated qube for GIS work`
			`- ...`
add user-setups 2018-05-07 08:36:42 -04:00

update for current setup 2022-04-29 01:48:42 -04:00			`DOM0 customization`
			`------------------`
add user-setups 2018-05-07 08:36:42 -04:00
update for current setup 2022-04-29 01:48:42 -04:00			`### Xterm`
add user-setups 2018-05-07 08:36:42 -04:00
update for current setup 2022-04-29 01:48:42 -04:00			Open xterm instead of xfce4-terminal: in `/etc/xdg/xfce4/helpers.rc`, set
add user-setups 2018-05-07 08:36:42 -04:00
			`~~~`
update for current setup 2022-04-29 01:48:42 -04:00			`TerminalEmulator=xterm`
add user-setups 2018-05-07 08:36:42 -04:00			`~~~`

update for current setup 2022-04-29 01:48:42 -04:00			(Xresources for xterm are in `$HOME/.Xresources`)
add user-setups 2018-05-07 08:36:42 -04:00

update for current setup 2022-04-29 01:48:42 -04:00			`### Power management`
add user-setups 2018-05-07 08:36:42 -04:00
update for current setup 2022-04-29 01:48:42 -04:00			- install and configure `tlp` in dom0
			- add `workqueue.power_efficient` to `GRUB_CMD_LINE` in `/etc/default/grub`
add user-setups 2018-05-07 08:36:42 -04:00

update for current setup 2022-04-29 01:48:42 -04:00			`### Productivity tweaks`
add user-setups 2018-05-07 08:36:42 -04:00
update for current setup 2022-04-29 01:48:42 -04:00			`Define application shortcuts with Qubes Menu -> System Tools -> Keyboard -> Application Shortcuts; for instance:`
add user-setups 2018-05-07 08:36:42 -04:00
update for current setup 2022-04-29 01:48:42 -04:00			- ctrl-alt C: open a calculator in qube untrusted ; shortcut: `qvm-run -q -a untrusted galculator`
			- ctrl-alt X: open a popup windows to open xterm in a given qube (script [here](https://github.com/taradiddles/qubes-os/blob/master/popup-appmenu-r4), screenshot [there](https://github.com/taradiddles/qubes-os/blob/master/popup-appmenu.screenshot.jpg)). Shortcut: `popup-appmenu xterm`.
			`- ctrl-alt F: ditto, but with firefox`
			- ctrl-alt K: open keepassxc in qube vault; shortcut: `qvm-run -q -a vault keepassxc`
add user-setups 2018-05-07 08:36:42 -04:00

update for current setup 2022-04-29 01:48:42 -04:00			`Backups`
			`-------`
add user-setups 2018-05-07 08:36:42 -04:00
update for current setup 2022-04-29 01:48:42 -04:00			`qvm-backup` is horribly slow and can't be used on a regular basis to backup qubes with large amounts of data. So use tasket's excellent [wyng](https://github.com/tasket/wyng-backup) backup tool.
add user-setups 2018-05-07 08:36:42 -04:00
update for current setup 2022-04-29 01:48:42 -04:00			`Setup (fully automated with scripts):`
add user-setups 2018-05-07 08:36:42 -04:00
update for current setup 2022-04-29 01:48:42 -04:00			- in a dedicated trusted qube based on fedora-minimal, mount a nfs share which hosts a large (ie. 500GB) file with a LUKS volume and `losetup` that file
			`- attach the newly created loop device to dom0`
			`- in dom0, attach the newly create loop device to dom0, open the LUKS volume in the trusted qubes and mount its underlying fs`
			- in dom0, run `wyng`, backup (rsync) home dir + various config files, etc.
			`- unmount, close luks, detach, shutdown trusted qube`
add user-setups 2018-05-07 08:36:42 -04:00