mirror of
https://github.com/Qubes-Community/Contents.git
synced 2024-10-01 01:05:51 -04:00
updated to reflect recent changes
parent
9c99c0428d
commit
10f9fa3b30
@ -3,14 +3,14 @@ this document will describe my Qubes Setup and what I did to improve the Qubes e
|
|||||||
|
|
||||||
--------
|
--------
|
||||||
# About Me
|
# About Me
|
||||||
I am working for a Berlin based IT Solution Provider.
|
Using Qubes has been a decision as I want to prove that using an alternative OS is possible.
|
||||||
Working with Linux and even more with Qubes adds some complexity, as several internal workflows but also customer projects are mainly relying on windows software and operating systems.
|
Additinally I want to keep my data as much secure as possible.
|
||||||
Using Qubes has been a decision as I want to prove that another world is possible and because I want to keep my data as much secure as possible.
|
Another benefit is that Qubes offers protection when working with one device in several customer environments.
|
||||||
Additionally Qubes offers protection when working with one device in several customer environments.
|
|
||||||
|
|
||||||
--------
|
--------
|
||||||
# My Hardware
|
# My Hardware
|
||||||
I am using three devices, depending on what I need to do.
|
I am using three devices, depending on what I need to do.
|
||||||
|
|
||||||
My main device which I use ~80% of time is the X230 Core i7 which has a 2nd Slice battery, giving me more than 8h of battery runtime.
|
My main device which I use ~80% of time is the X230 Core i7 which has a 2nd Slice battery, giving me more than 8h of battery runtime.
|
||||||
|
|
||||||
## The favorite device -> Lenovo X230
|
## The favorite device -> Lenovo X230
|
||||||
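Review bot: The added About Me line "Additinally I want to keep my data as much secure as possible." has a typo and an awkward comparative; suggest "Additionally, I want to keep my data as secure as possible." The sentence about internal workflows and customer projects relying on Windows software appears only on the removed side. If that removal is intended, the Windows dual boot listed under the X230 loses its stated reason, so consider keeping one line of that context.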
@ -26,7 +26,7 @@ It is also the last X-series laptop which supports CoreBoot and therefore I will
|
|||||||
- additional Slice-Battery 19++
|
- additional Slice-Battery 19++
|
||||||
- Coreboot with SeaBIOS
|
- Coreboot with SeaBIOS
|
||||||
- Qubes 4.1
|
- Qubes 4.1
|
||||||
- Windows 10 Enteprise (DualBoot)
|
- Windows 10 Enteprise (DualBoot, BitLocker enabled)
|
||||||
|
|
||||||
## The work horse -> Lenovo W540
|
## The work horse -> Lenovo W540
|
||||||
currently not in use, as the X230 is so versatile and the W540 doesn't run with Coreboot and has a much shorter battery runtime.
|
currently not in use, as the X230 is so versatile and the W540 doesn't run with Coreboot and has a much shorter battery runtime.
|
||||||
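Review bot: The changed hardware entry still reads "Windows 10 Enteprise"; correct it to "Enterprise" while the line is being touched. Because the entry now says "BitLocker enabled", a short sentence on how the Qubes side of the dual boot is protected would complete the picture, since BitLocker only covers the Windows volume and the list says nothing about the Qubes boot partition.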
@ -42,44 +42,40 @@ But as we are able to se virtual desktops, mostly I am connecting to a remote de
|
|||||||
```
|
```
|
||||||
NAME STATE CLASS LABEL TEMPLATE NETVM
|
NAME STATE CLASS LABEL TEMPLATE NETVM
|
||||||
whonix-ws-14-dvm Halted AppVM red whonix-ws-14 sys-whonix
|
whonix-ws-14-dvm Halted AppVM red whonix-ws-14 sys-whonix
|
||||||
my-fedora-28-dvm Halted AppVM red t-fedora-28-apps sys-firewall
|
my-dvm Halted AppVM red t-fedora-29-apps sys-firewall
|
||||||
```
|
```
|
||||||
### My regular AppVMs
|
### My regular AppVMs
|
||||||
```
|
```
|
||||||
NAME STATE CLASS LABEL TEMPLATE NETVM
|
NAME STATE CLASS LABEL TEMPLATE NETVM
|
||||||
anon-whonix Halted AppVM red whonix-ws-14 sys-whonix
|
anon-whonix Halted AppVM red whonix-ws-14 sys-whonix
|
||||||
my-bizmail Halted AppVM yellow t-fedora-28-mail sys-firewall
|
my-bizmail Halted AppVM yellow t-fedora-29-mail sys-firewall
|
||||||
my-browsing Halted AppVM blue t-fedora-28-apps sys-vpn
|
my-browsing Halted AppVM blue t-fedora-29-apps sys-vpn
|
||||||
my-corporate Halted AppVM green t-fedora-28-work sys-firewall
|
my-corporate Halted AppVM green t-fedora-29-work sys-firewall
|
||||||
my-multimedia Halted AppVM orange t-debian-9-multimedia sys-firewall
|
my-multimedia Halted AppVM orange t-fedora-29-media sys-firewall
|
||||||
my-privmail Halted AppVM blue t-fedora-28-mail sys-firewall
|
my-privmail Halted AppVM blue t-fedora-29-mail sys-firewall
|
||||||
my-storage-access Halted AppVM gray t-fedora-28-storage sys-firewall
|
my-storage-datastore Halted AppVM gray t-fedora-29-storage sys-firewall
|
||||||
my-storage-datastore Halted AppVM gray t-fedora-28-storage sys-firewall
|
my-untrusted Halted AppVM orange t-fedora-29-apps sys-firewall
|
||||||
my-untrusted Halted AppVM orange t-fedora-28-apps sys-firewall
|
my-vault Halted AppVM black t-fedora-29-apps -
|
||||||
my-vault Halted AppVM black t-fedora-28-apps -
|
|
||||||
```
|
```
|
||||||
### My Sys-AppVMs
|
### My Sys-AppVMs
|
||||||
```
|
```
|
||||||
NAME STATE CLASS LABEL TEMPLATE NETVM
|
NAME STATE CLASS LABEL TEMPLATE NETVM
|
||||||
sys-firewall Running AppVM red t-fedora-28-sys sys-net
|
sys-firewall Running AppVM red t-fedora-29-sys sys-net
|
||||||
sys-net Running AppVM red t-fedora-28-sys -
|
sys-net Running AppVM red t-fedora-29-sys -
|
||||||
sys-usb Running AppVM red t-fedora-28-sys -
|
sys-usb Running AppVM red t-fedora-29-sys -
|
||||||
sys-vpn Running AppVM orange t-fedora-28-sys sys-net
|
sys-vpn Running AppVM orange t-fedora-29-sys sys-net
|
||||||
sys-whonix Halted AppVM black whonix-gw-14 sys-vpn
|
sys-whonix Halted AppVM black whonix-gw-14 sys-vpn
|
||||||
```
|
```
|
||||||
### My templates
|
### My templates
|
||||||
```
|
```
|
||||||
NAME STATE CLASS LABEL TEMPLATE NETVM
|
NAME STATE CLASS LABEL TEMPLATE NETVM
|
||||||
debian-9 Halted TemplateVM black - -
|
fedora-29-minimal Halted TemplateVM black - -
|
||||||
fedora-28 Halted TemplateVM black - -
|
t-fedora-29-media Halted TemplateVM black - -
|
||||||
fedora-28-minimal Halted TemplateVM black - -
|
t-fedora-20-apps Halted TemplateVM black - -
|
||||||
t-debian-9-multimedia Halted TemplateVM black - -
|
t-fedora-29-mail Halted TemplateVM black - -
|
||||||
t-fedora-28-apps Halted TemplateVM black - -
|
t-fedora-29-storage Halted TemplateVM black - -
|
||||||
t-fedora-28-mail Halted TemplateVM black - -
|
t-fedora-29-sys Halted TemplateVM black - -
|
||||||
t-fedora-28-storage Halted TemplateVM black - -
|
t-fedora-29-work Halted TemplateVM black - -
|
||||||
t-fedora-28-sys Halted TemplateVM black - -
|
|
||||||
t-fedora-28-vpn Halted TemplateVM black - -
|
|
||||||
t-fedora-28-work Halted TemplateVM black - -
|
|
||||||
whonix-gw-14 Halted TemplateVM black - -
|
whonix-gw-14 Halted TemplateVM black - -
|
||||||
whonix-ws-14 Halted TemplateVM black - -
|
whonix-ws-14 Halted TemplateVM black - -
|
||||||
```
|
```
|
||||||
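Review bot: The new template list contains "t-fedora-20-apps", but my-dvm, my-browsing, my-untrusted and my-vault all reference "t-fedora-29-apps", which is then missing from the template list; this looks like a typo for 29. The new AppVM list also drops my-storage-access and the template list drops t-fedora-28-vpn without a fedora-29 successor, so please confirm both removals are intended, as the storage section further down still describes a setup of 3 AppVMs.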
@ -92,14 +88,14 @@ Additionally the setup of templates is mainly done by scripts which I can run fr
|
|||||||
Therefore it is very easy to rebuild the whole system from scratch - something which I think is important in case that you have the feeling something might be not running correctly.
|
Therefore it is very easy to rebuild the whole system from scratch - something which I think is important in case that you have the feeling something might be not running correctly.
|
||||||
|
|
||||||
I have the following two baseline-templates:
|
I have the following two baseline-templates:
|
||||||
- debian-9
|
- debian-9 (replaced 02/2019 with a fedora-29-template)
|
||||||
- fedora-28-minimal
|
- fedora-29-minimal
|
||||||
"baseline" means that those templates are never updated or changed as they are used as seed for my other templates.
|
"baseline" means that those templates are never updated or changed as they are used as seed for my other templates.
|
||||||
I qvm-clone those templates and then work on the copy.
|
I qvm-clone those templates and then work on the copy.
|
||||||
This allows me to always jump back to cleanest template and rebuild from scratch.
|
This allows me to always jump back to cleanest template and rebuild from scratch.
|
||||||
|
|
||||||
I developed a naming scheme as I have several AppVMs and TemplateVMs:
|
I developed a naming scheme as I have several AppVMs and TemplateVMs:
|
||||||
- all custom build TemplateVMs start with t-DISTRIBUTION-VERSION-NAME (for example t-fedora-28-apps is a template, whoch is based on fedora 28 minimal and has additional packages for my default (fat) Apps-VMs
|
- all custom build TemplateVMs start with t-DISTRIBUTION-VERSION-NAME. For example t-fedora-29-apps is a template, whoch is based on fedora 29 minimal and has additional packages for my default (fat) Apps-VMs
|
||||||
- all system VMs, start with sys- like sys-net, sys-firewall, sys-usb, sys-vpn
|
- all system VMs, start with sys- like sys-net, sys-firewall, sys-usb, sys-vpn
|
||||||
- all other AppVMs, start with my-PURPOSE, for example my-multimedia
|
- all other AppVMs, start with my-PURPOSE, for example my-multimedia
|
||||||
|
|
||||||
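Review bot: The baseline list still opens with "I have the following two baseline-templates:" while the changed entry says debian-9 was "replaced 02/2019 with a fedora-29-template" and the updated template list no longer shows debian-9. Either name the fedora-29 template that replaced it as the second baseline or change the sentence to describe a single baseline. In the rewritten naming-scheme bullet, "whoch" should be "which" and the sentence is missing its closing period now that the parenthesis was removed.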
@ -110,14 +106,14 @@ Template for a Multimedia AppVM, see my [Multimedia Howto](https://www.qubes-os.
|
|||||||
- VLC
|
- VLC
|
||||||
- Spotify
|
- Spotify
|
||||||
|
|
||||||
### t-fedora-28-apps
|
### t-fedora-29-apps
|
||||||
this is my default fat AppVM template, installed packages:
|
this is my default fat AppVM template, installed packages:
|
||||||
- firefox
|
- firefox
|
||||||
- libreoffice
|
- libreoffice
|
||||||
- firefox
|
- firefox
|
||||||
- ...
|
- ...
|
||||||
|
|
||||||
### t-fedora-28-mail
|
### t-fedora-29-mail
|
||||||
this is my template for email tasks, it has installed:
|
this is my template for email tasks, it has installed:
|
||||||
- Thunderbird
|
- Thunderbird
|
||||||
- Neomutt
|
- Neomutt
|
||||||
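Review bot: The package list under the renamed "### t-fedora-29-apps" heading lists "firefox" twice; drop the duplicate or replace it with the package that was meant. Since this is the template behind my-vault and the disposable VM, listing the actual packages instead of "..." would let readers judge how much software those qubes carry.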
@ -127,7 +123,7 @@ this is my template for email tasks, it has installed:
|
|||||||
I am separating email in two AppVMs for private use and corporate use.
|
I am separating email in two AppVMs for private use and corporate use.
|
||||||
attachments from those VMs will be opened in disposable AppVMs.
|
attachments from those VMs will be opened in disposable AppVMs.
|
||||||
|
|
||||||
### t-fedora-28-storage
|
### t-fedora-29-storage
|
||||||
a special template which can be used to store data into one AppVM and share it securly with others via special scripts (which I am proud of :-).
|
a special template which can be used to store data into one AppVM and share it securly with others via special scripts (which I am proud of :-).
|
||||||
- sshfs for sharing data betwenn VMs
|
- sshfs for sharing data betwenn VMs
|
||||||
- CryFS for data encryption
|
- CryFS for data encryption
|
||||||
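Review bot: Under the renamed "### t-fedora-29-storage" heading, "sshfs for sharing data betwenn VMs" does not say how the sshfs connection between qubes is established, which is the part readers need in order to assess what the sharing does to isolation between the AppVMs. Please add one sentence or a link to the scripts. Also fix "securly" to "securely" and "betwenn" to "between" in the same section.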
@ -139,7 +135,7 @@ The whole setup includes 3 AppVMs:
|
|||||||
- Sync AppVM - which can sync encrypted data to onedrive (only used for getting data out of onedrive, but could be used in two directions)
|
- Sync AppVM - which can sync encrypted data to onedrive (only used for getting data out of onedrive, but could be used in two directions)
|
||||||
management of those setup is done via one (!) script which can also build the templates and AppVM.
|
management of those setup is done via one (!) script which can also build the templates and AppVM.
|
||||||
|
|
||||||
### t-fedora-28-sys
|
### t-fedora-29-sys
|
||||||
template for my sys-vms and also for VPN connectivity
|
template for my sys-vms and also for VPN connectivity
|
||||||
a VPN or ProxyVM which can be used to run all traffic through ExpressVPN.
|
a VPN or ProxyVM which can be used to run all traffic through ExpressVPN.
|
||||||
This adds a great layer of privacy to qubes as my ISP can't analyse my traffic.
|
This adds a great layer of privacy to qubes as my ISP can't analyse my traffic.
|
||||||
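Review bot: The "### t-fedora-29-sys" section now describes one template for both the sys-vms and VPN connectivity, and the updated VM list shows sys-net, sys-usb, sys-firewall and sys-vpn all based on t-fedora-29-sys, so the VPN client is installed in the template behind sys-net and sys-usb as well. Either state that this consolidation is deliberate or keep a dedicated VPN template as the removed t-fedora-28-vpn suggests existed. The line "my ISP can't analyse my traffic" would be more accurate if it noted that the VPN provider sees that traffic instead, and "management of those setup" should read "management of this setup".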
@ -150,9 +146,8 @@ I have written a howto [How to use ExpressVPN as ProxyVM with Qubes 4](https://g
|
|||||||
- sys-net
|
- sys-net
|
||||||
- sys-vpn
|
- sys-vpn
|
||||||
|
|
||||||
### t-fedora-28-work
|
### t-fedora-29-work
|
||||||
My work tenmplate which has Vmware Horizon View, Cisco AnyConnect, Firefox and LibreOffice installed.
|
My work tenmplate which has Vmware Horizon View, Cisco AnyConnect, Firefox and LibreOffice installed.
|
||||||
|
|
||||||
### other templates
|
### other templates
|
||||||
the Whonix templates which come preinstalled with Qubes 4
|
the Whonix templates which come preinstalled with Qubes 4
|
||||||
|
|
||||||
|
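Review bot: The description under the renamed "### t-fedora-29-work" heading still has "tenmplate" and "Vmware"; correct these to "template" and "VMware" in the same change. The hunk header indicates one line fewer on the new side (9 to 8), so please check that only a blank line was dropped here and no content.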