Replace contents with redirects to Qubes Forum

https://forum.qubes-os.org/t/21746
Andrew David Wong 2023-10-29 17:05:36 -07:00
parent dd657a2cbd
commit 2fa8015505
No known key found for this signature in database
GPG key ID: DB4DD3BC39503030
94 changed files with 94 additions and 12417 deletions

@ -1,266 +1 @@
# AwesomeWM Customizations
This page focuses on [AwesomeWM](https://awesomewm.org) customizations specific to Qubes OS. For generic AwesomeWM customizations you might want to have a look at the [AwesomeWM website](https://awesomewm.org).
Customizations for AwesomeWM are usually done at `~/.config/awesome/rc.lua`. The default file can be found at `/etc/xdg/awesome/rc.lua`.
## Application menu
Starting from Qubes 4.0 application menu entries specific to AwesomeWM can be put into `~/.config/awesome/xdg-menu/` following the freedesktop standard. The folder might have to be created.
## Focus steal hardening
The default Qubes OS AwesomeWM installation comes with the defaults set by the AwesomeWM developers for focus changes. Some users may want more tight control over window focus changes - especially since focus changes can have security implications when sensitive data is provided to an incorrect application or even Qube.
### Definition
For the below example we'll define _wanted focus changes_ as one of the below:
* mouse move & click afterwards
* workspace/tag change
* pre-defined key combinations for focus changes (e.g. Mod-j & Mod-k)
* focused window moved to other tag <sup>1</sup>
* focused window closed <sup>1</sup>
* new window created in a workspace with only unfocused windows or in an empty workspace
(<sup>1</sup> These are allowed to cause a focus switch to another window according to a predefined algorithm as otherwise no window would be focused.)
Everything else is considered an unwanted _focus steal_.
In particular the following events are not meant to cause a focus change:
* new window created in a workspace with a focused window
* unfocused window closed
* unfocused window moved to another tag/workspace
* application request
* mouse move without click (sloppy focus)
For the below example other requests from applications to the window manager are meant to be ignored in general as well, e.g.:
* windows shouldn't be able to maximize themselves without the user giving a respective command to the WM (simple test: Firefox F11 next to another window)
* windows shouldn't be able to change their size themselves
* windows shouldn't be able to modify their borders in any way
Users may want to adjust their definitions and respective implementations according to their needs.
### Implementation
The implementation may be specific to the AwesomeWM version you're running. This guide refers to AwesomeWM version 4.3 which is available to Qubes 4.1 users.
Please keep in mind that this guide may not be conclusive. Your mileage may vary.
#### Remove unwanted focus changing key bindings
The mouse bindings
```lua
awful.button({ }, 4, awful.tag.viewnext),
awful.button({ }, 5, awful.tag.viewprev)
```
in the default _rc.lua_ may cause tag and thus focus changes without keyboard interaction and tend to happen accidentally. This doesn't suit our definition from above and should therefore be removed or commented out.
#### Adjust rules for new windows
The default window/client rule allows certain focus changes whenever new windows are created via `focus = awful.client.focus.filter`. These changes can be prevented entirely by setting `focus = false`.
Alternatively users may provide their own focus filter functions.
#### Never hide borders
By default AwesomeWM may hide window borders incl. the Qubes colors for fullscreen or maximized windows. In order to prevent that, put the following two lines at the bottom of your _rc.lua_:
```lua
beautiful.fullscreen_hide_border = false
beautiful.maximized_hide_border = false
```
#### Disable sloppy focus
In your _rc.lua_ you'll find a section such as
```lua
-- Enable sloppy focus, so that focus follows mouse.
client.connect_signal("mouse::enter", function(c)
c:emit_signal("request::activate", "mouse_enter", {raise = false})
end)
```
These enable _sloppy focus_ aka focus changes on mouse movements (without clicking) and should be removed or commented out to disable that behaviour.
#### Enable right-click focus changes
In your _rc.lua_ you should find a section which enables left-click focus changes such as
```lua
awful.button({ }, 1, function (c)
c:emit_signal("request::activate", "mouse_click", {raise = true})
end),
```
Add the following section below to enable focus changes on right mouse clicks:
```lua
awful.button({ }, 3, function (c)
c:emit_signal("request::activate", "mouse_click", {raise = true})
end),
```
If you want other mouse buttons to change the focus as well, feel free to add further entries (0 = all mouse buttons).
#### Ignore requests from applications to the window manager
Applications and running Qube windows may request from AwesomeWM to become focused.
Handling of such requests is currently mostly implemented by AwesomeWM in the file `/usr/share/awesome/lib/awful/ewmh.lua`. You can either comment out the respective `client.connect_singal()` lines in that file (it will change back after each AwesomeWM update though) or disconnect the signals in your _rc.lua_ as well as use the built-in filter functionality.
To do the latter, add the following lines to the end of your _rc.lua_:
```lua
local ewmh = require("awful.ewmh")
ewmh.add_activate_filter(function(c, context, hints) return false end, "ewmh") --ignore client requests to become focused
client.disconnect_signal("request::urgent", ewmh.urgent) --ignore client requests to become an "urgent" window
client.disconnect_signal("request::geometry", ewmh.merge_maximization) --ignore client maximization requests
client.disconnect_signal("request::geometry", ewmh.client_geometry_requests) --ignore clients requesting to move themselves
```
#### Change the autofocus implementation
The line `require("awful.autofocus")` in your _rc.lua_ loads a module that moves the focus to another window whenever a window is moved to another workspace or closed. In the AwesomeWM default implementation, this module keeps track of the order in which windows were focused and sets the focus to the last focused one whenever the currently focused window disappears.
Some users may want to modify that default behaviour.
In order to do that, you can copy the file `/usr/share/awesome/lib/awful/autofocus.lua` to e.g. `~/.config/awesome/autofocus_custom.lua` and replace the line mentioned above with `require("autofocus_custom")`.
Then you can customise the focus behavior.
For example, the following will make the focus move to the window under the mouse cursor whenever focus is lost and only use the history on tag switches:
```lua
---------------------------------------------------------------------------
--- Autofocus functions.
--
-- When loaded, this module makes sure that there's always a client that will
-- have focus on events such as tag switching, client unmanaging, etc.
--
-- @author Julien Danjou &lt;julien@danjou.info&gt;
-- @copyright 2009 Julien Danjou
-- @module awful.autofocus
---------------------------------------------------------------------------
local client = client
local aclient = require("awful.client")
local ascreen = require("awful.screen")
local timer = require("gears.timer")
local function filter_sticky(c)
return not c.sticky and aclient.focus.filter(c)
end
--- Give focus when clients appear/disappear.
--
-- @param obj An object that should have a .screen property.
function check_focus(obj)
if obj.screen == nil then return end
if not obj.screen.valid then return end
-- When no visible client has the focus...
if not client.focus or not client.focus:isvisible() then
local c = aclient.focus.history.get(screen[obj.screen], 0, filter_sticky)
if not c then
c = aclient.focus.history.get(screen[obj.screen], 0, aclient.focus.filter)
end
if c then
c:emit_signal("request::activate", "autofocus.check_focus",
{raise=false})
end
end
end
--- Check client focus (delayed).
-- @param obj An object that should have a .screen property.
local function check_focus_delayed(obj)
timer.delayed_call(check_focus, {screen = obj.screen})
end
--- Give focus on tag selection change.
--
-- @param tag A tag object
function check_focus_tag(t)
local s = t.screen
if (not s) or (not s.valid) then return end
s = screen[s]
check_focus({ screen = s })
if client.focus and screen[client.focus.screen] ~= s then
local c = aclient.focus.history.get(s, 0, filter_sticky)
if not c then
c = aclient.focus.history.get(s, 0, aclient.focus.filter)
end
if c then
c:emit_signal("request::activate", "autofocus.check_focus_tag",
{raise=false})
end
end
end
-- Clear any focus.
function clear_focus()
client.focus = nil
end
local pending = false
local glib = require("lgi").GLib
--focus the window under the mouse, if nothing is focused
--idea from https://github.com/awesomeWM/awesome/issues/2433
--fallback: true|false - fall back to the focus history, if the mouse points
-- nowhere (recommended default: false)
function check_focus_mouse(fallback)
if not pending then
pending = true
glib.idle_add(glib.PRIORITY_DEFAULT_IDLE, function()
pending = false
if not client.focus then
local c = mouse.current_client
if c then
client.focus = c
else
if fallback then
local t = ascreen.focused().selected_tag
if t then
check_focus_tag(t)
end
end
end
end
return false
end)
end
end
--further delayed variant of check_focus_mouse(), required for just created windows
local function check_focus_mouse_delayed()
timer.delayed_call(check_focus_mouse)
end
--make the focus follow the mouse on the below events, if nothing else is focused
client.connect_signal("manage", check_focus_mouse_delayed) --for empty workspaces or workspace without focused window
client.connect_signal("unmanage", check_focus_mouse_delayed)
client.connect_signal("tagged", check_focus_mouse_delayed)
client.connect_signal("untagged", check_focus_mouse_delayed)
client.connect_signal("property::hidden", check_focus_mouse_delayed)
client.connect_signal("property::minimized", check_focus_mouse_delayed)
client.connect_signal("property::sticky", check_focus_mouse_delayed)
--use history on tag switch:
tag.connect_signal("property::selected", function (t)
timer.delayed_call(check_focus_tag, t)
end)
```
You might also want to add the `check_focus_mouse()` function to your Mod-j and Mod-k implementations to be able to obtain a focused window even if no window happens to be focused.
# Troubleshooting
Issues with e.g. your `rc.lua` configuration can be identified in dom0 from the `~/.xsession-errors` log.
If AwesomeWM encounters an error, it'll also either display a red notification or return you to the display manager (usually the login screen).
This content has moved to [Qubes Forum: Community Guides](https://forum.qubes-os.org/c/guides/14). [Learn more.](https://forum.qubes-os.org/t/announcement-qubes-community-project-has-been-migrated-to-the-forum/20367/)
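Review bot: the replacement line points readers at the whole Community Guides category (https://forum.qubes-os.org/c/guides/14) rather than at the topic that now hosts this AwesomeWM guide, so the focus-steal hardening steps removed here (ignoring `request::activate`, disabling sloppy focus, keeping the Qubes-coloured borders visible) are no longer reachable from the old URL in one click. The commit message cites https://forum.qubes-os.org/t/21746; if that or another topic is the migrated copy, link it directly, e.g. `This content has moved to [Qubes Forum: AwesomeWM Customizations](<topic URL>).`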

@ -1,182 +1 @@
Dark Theme in Dom0
==================
Dark KDE in Dom0
----------------
The following text describes how to change the default light theme to a dark theme. This is just an example, feel free to adjust the appearance to your taste.
The image below shows the default light theme after installation.
![begin light theme](/attachment/wiki/Dark-Theme/kde-fresh-installed-standard.png)
This is the result after applying the steps described here.
![end result dark theme](/attachment/wiki/Dark-Theme/kde-end-result.png)
1. Change `Workspace Appearance`
1. Open the `Workspace Appearance` window
Qubes Menu -> System Tools -> System Settings -> Workspace Appearance
![Workspace Appearance](/attachment/wiki/Dark-Theme/kde-app-appearance-menu-style.png)
2. Go to `Desktop Theme`
![Desktop Menu](/attachment/wiki/Dark-Theme/kde-appearance-settings-desktop-theme-oxygen.png)
3. Select `Oxygen` and `Apply` the change
2. (Optional) Remove blue glowing task items
![blue glowing task bar items](/attachment/wiki/Dark-Theme/kde-taskbar-blue-glowing-border.png)
1. Adjust Oxygen `Details`
Qubes Menu -> System Tools -> System Settings -> Workspace Appearance -> Desktop Theme -> Details (Tab)
2. Select `Oxygen`
3. Change `Theme Item -> Task Items` from `Oxygen Task Items` to `Air Task Items`
![Change Task items look](/attachment/wiki/Dark-Theme/kde-desktop-theme-details.png)
4. Apply changes
![task bar items blue glowing removed](/attachment/wiki/Dark-Theme/kde-taskbar-blue-glowing-removed.png)
3. Change `Application Appearance`
1. Open the `Application Appearance` window
Qubes Menu -> System Tools -> System Settings -> Application Appearance
2. Go to `Colors`
![colors tab](/attachment/wiki/Dark-Theme/kde-app-appearance-menu-colors.png)
3. Select `Obsidian Coast`
![set to Obsidian Coast](/attachment/wiki/Dark-Theme/kde-app-appearance-menu-colors-set.png)
4. Apply Changes
Qubes VM Manager should now look like the image below.
![result black Qubes Manager](/attachment/wiki/Dark-Theme/kde-black-qubes-manager.png)
**Note:** Changing the `Window Decorations` from `Plastik for Qubes` will remove the border color and the VM name. The problem with `Plastik for Qubes` is that it does not overwrite the background and text color for Minimize, Maximize and Close buttons. The three buttons are therefore hard to read.
Dark XCFE in Dom0
-----------------
The following text describes how to change the default light theme to a dark theme. This is just an example, feel free to adjust the appearance to your taste.
The image below shows the default light theme after installation.
![begin light theme](/attachment/wiki/Dark-Theme/xfce-fresh-installed.png)
This is the result after applying the steps described here.
![end result dark theme](/attachment/wiki/Dark-Theme/xfce-end-result.png)
1. Change Appearance
1. Open the `Appearance` dialog
Qubes Menu -> System Tools -> Appearance
![appearance dialog](/attachment/wiki/Dark-Theme/xfce-appearance-dialog.png)
2. Change Style to `Albatross`
**Note:** The black appearance theme `Xfce-dusk` makes the VM names in the `Qubes OS Manager` unreadable.
2. *(Optional)* Change Window Manager Style
1. Open the `Window Manager` dialog
Qubes Menu -> System Tools -> Appearance
![window manager dialog](/attachment/wiki/Dark-Theme/xfce-window-manager-theme.png)
2. Change the Theme in the `Style` Tab (e. g. Defcon-IV). All available themes work.
Dark App VM, Template VM, Standalone VM, HVM (Linux Gnome)
==========================================================
Almost all Qubes VMs use default applications based on the GTK toolkit. Therefore the description below is focused on tools from the Gnome Desktop Environment.
Using "Gnome-Tweak-Tool"
------------------------
The advantage of creating a dark themed Template VM is, that each AppVM which is derived from the Template VM will be dark themed by default.
**Note:** Gnome-Tweak-Tool crashes under Archlinux. A workaround is to assign the AppVM to another TemplateVM (Debian, Fedora) which has Gnome-Tweak-Tool installed. Start the AppVM and configure the settings. Shutdown the machine and switch the TemplateVM back to Archlinux.
1. Start VM
**Note:** Remember that if you want to make the change persistent, the change needs to be made in the TemplateVM, not the AppVM.
2. Install `Gnome-Tweak-Tool`
- Fedora
sudo dnf install gnome-tweak-tool
- Debian
sudo apt-get install gnome-tweak-tool
3. *(Only AppVM)* Stop TemplateVM and start AppVM
4. Add `Gnome-Tweak-Tool` to the Application Menu
1. `Right-click` on VM entry in `Qubes VM Manager` select `Add/remove app shortcuts`
2. Select `Tweak Tool` and press the `>` button to add it
![Application Dialog](/attachment/wiki/Dark-Theme/dialog-add-gnome-tweak-tool.png)
5. Enable `Global Dark Theme`
1. *Debian only*
cd ~/.config/
mkdir gtk-3.0
cd gtk-3.0/
touch settings.ini
2. Start `Tweak Tool` from the VM application menu and set the `Global Dark Theme` switch to `on`
![Global Dark Theme enabled](/attachment/wiki/Dark-Theme/gnome-tweak-tool.png)
6. *(Optional)* Modify Firefox
**Note:** Firefox uses GTK style settings by default. This can create side effects such as unusable forms or search fields. One way to avoid this is to add the following line to `/rw/config/rc.local`:
sed -i.bak "s/Exec=firefox %u/Exec=bash -c 'GTK_THEME=Adwaita:light firefox %u'/g" /usr/share/applications/firefox.desktop
7. Restart VM or all applications
Manually
--------
Manually works for Debian, Fedora and Archlinux.
1. Start VM
**Note:** Remember that if you want to make the change persistent, the change needs to be made in the TemplateVM, not the AppVM.
2. Enable `Global Dark Theme`
cd ~/.config/
mkdir gtk-3.0
cd gtk-3.0/
touch settings.ini
Add the following lines to `settings.ini`
[Settings]
gtk-application-prefer-dark-theme=1
3. Follow steps 6 and 7 in: Using `Gnome-Tweak-Tool`
This content has moved to [Qubes Forum: Community Guides](https://forum.qubes-os.org/c/guides/14). [Learn more.](https://forum.qubes-os.org/t/announcement-qubes-community-project-has-been-migrated-to-the-forum/20367/)
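Review bot: the removed text referenced a set of image attachments under `/attachment/wiki/Dark-Theme/` (for example `kde-end-result.png`, `xfce-appearance-dialog.png`, `gnome-tweak-tool.png`) that this page was presumably the only user of; check whether anything else still points to them and, if not, delete them in the same change or say in the commit message that they are kept for the forum copy, otherwise they stay behind as orphaned assets. As in the previous file, the redirect targets the category rather than the migrated topic.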

@ -1,185 +1 @@
DPI scaling
===========
Qubes OS passes on dom0's screen resolution to VMs (this can be seen in the output of `xrandr`) but doesn't pass on dom0's dpi value. Recent distributions have automatic scaling depending on the screen's resolution (eg. in fedora if the screen resolution is at least 192dpi and the screen height is greater than 1200 pixels) but for a variety of reasons one may have to set a custom dpi scaling value.
Dom0
----
The simplest way to set dpi scaling in dom0 is to use the desktop environment's custom dpi feature:
- Xfce: Qubes Menu → System Tools → Appearance → Fonts tab: Custom DPI setting: `xxx`
- KDE: Qubes Menu → System Settings → Font → Force font dpi: `xxx`
- i3: add `Xft.dpi: xxx` to `/home/user/.Xresources' in dom0
Replace `xxx` with a number that fits your setup and is a multiple of 6, as numbers that aren't sometimes result in annoying rounding errors that cause adjacent bitmap font sizes to not increment and decrement linearly.
### Qubes Applications
Qubes applications (e.g. Qubes Create VM, etc.) don't scale automatically, to solve this issue it is possible to set the `QT_SCALE_FACTOR` variables as described
[here](https://doc.qt.io/qt-6/highdpi.html#qt-scale-factor3). To test these
values first, open a terminal and type:
~~~
QT_SCALE_FACTOR=1.8 qubes-global-settings
~~~
You can try change the values for `QT_SCALE_FACTOR` to your
liking.
Once you confirmed that this is working, you can make these settings permanent
by creating a file `/etc/profile.d/dpi_QT.sh` (in dom0) with
the following content and your own values:
~~~
#!/bin/sh
export QT_SCALE_FACTOR=1.8
~~~
Then make the script executable with
~~~
sudo chmod +x /etc/profile.d/dpi_QT.sh
~~~
And logout and login again to see the results.
VMs
---
The procedure for setting DPI scaling is different depending on whether gnome settings daemon is running or not:
- if the daemon is stopped/not installed, applications honor the `Xft.dpi` [X resource](https://en.wikipedia.org/wiki/X_resources) which we can then use for scaling.
- if the daemon is running (`/usr/libexec/gsd-xsettings` process in Fedora), applications are prevented from using the `Xft.dpi` resource and `dconf` values have to set.
Notes:
- the official `fedora-xx` template has the `gnome-settings-daemon` rpm installed by default while the `fedora-xx-minimal` template doesn't.
- DPI scaling with `xterm` (or any glib apps) requires the use of a xft font:
- for `xterm`, ctrl - right click in the terminal's windows and select 'TrueType Fonts' (make sure you have such fonts installed).
- or more generally, set the `faceName` Xresource, eg.:
`*faceName: DejaVu Sans Mono:size=14:antialias=true`
You may do so temporarily with the `xrdb -merge` command, or permanently in a `Xresources` file (see section below).
### VMs without gnome settings daemon ###
Get the current value of `Xft.dpi`:
~~~
xrdb -query | grep Xft.dpi
~~~
Test with a different dpi value: in a terminal issue the following command and then start an application to check that the menus/fonts' size is increased/decreased; replace '144' with the value set in dom0 (it's possible to set a different value in VMs though):
~~~
echo Xft.dpi: 144 | xrdb -merge
~~~
Once you found a value that fits your setup you'll likely want to permanently set the `Xft.dpi` resource. You can do so on a per-template (system-wide) or per-VM basis:
- add (or modify) `Xft.dpi: xxx` in the TemplateVM's Xresource file (`/etc/X11/Xresources` or `/etc/X11/Xresources/x11-common` for whonix-ws-template).
- or, add `Xft.dpi: xxx` to `$HOME/.Xresources` in each AppVM.
### VMs with gnome settings daemon ###
We'll set the `scaling-factor` and `text-scaling-factor` dconf values in the `org.gnome.desktop.interface` schema.
Get the current values:
~~~
gsettings get org.gnome.desktop.interface scaling-factor
gsettings get org.gnome.desktop.interface text-scaling-factor
~~~
Test with different values; notes:
- windows and menu/fonts should be resized dynamically
- when running the commands below the values will be automatically written to `$HOME/.config/dconf/user`
- replace `2` and `0.75` to suit your needs (`scaling-factor` **must** be an integer though)
~~~
gsettings set org.gnome.desktop.interface scaling-factor 2
gsettings set org.gnome.desktop.interface text-scaling-factor 0.75
~~~
If `gsd-xsettings` is running but nothing happens, examine the output of `dconf dump /`. If needed, reset any `xsettings` override:
~~~
gsettings reset org.gnome.settings-daemon.plugins.xsettings overrides
~~~
To store the dconf values system-wide - eg. when customizing templateVMs - copy the following text into `/etc/dconf/db/local.d/dpi` (replace `2` and `0.75` with your values):
~~~
[org/gnome/desktop/interface]
scaling-factor=uint32 2
text-scaling-factor=0.75
~~~
Then run `dconf update`.
Note: the `scaling-factor` and `text-scaling-factor` values might already be set in an AppVM's user profile, in which case they'll override the system-wide ones. To use system-wide values, reset the user values like so in the AppVM(s):
~~~
gsettings reset org.gnome.desktop.interface scaling-factor
gsettings reset org.gnome.desktop.interface text-scaling-factor
~~~
For more information on setting system-wide dconf values see [this page](https://help.gnome.org/admin/system-admin-guide/stable/dconf-custom-defaults.html.en).
Troubleshooting
===============
Firefox and other GTK3 applications
-----------------------------------
Even when setting the correct dpi values, some applications might have very
small icons or similar elements. This usually happens in Firefox for example.
To mitigate this issue it is possible to set the `GDK_SCALE` and `GDK_DPI_SCALE`
variables as described
[here](https://wiki.archlinux.org/title/HiDPI#GDK_3_(GTK_3). To test these
values first, open a terminal and type:
~~~
export GDK_SCALE=2
export GDK_DPI_SCALE=0.5
firefox
~~~
You can try change the values for `GDK_SCALE` and `GDK_DPI_SCALE` to your
liking, but `GDK_SCALE` needs to be an integer value.
Once you confirmed that this is working, you can make these settings permanent
by creating a file `/etc/profile.d/dpi_GDK.sh` (ideally in the template VM) with
the following content and your own values:
~~~
#!/bin/sh
export GDK_SCALE=2
export GDK_DPI_SCALE=0.5
~~~
Then make the script executable with
~~~
sudo chmod +x /etc/profile.d/dpi_GDK.sh
~~~
Resources
=========
- ARCH Linux HiDPI wiki page: https://wiki.archlinux.org/index.php/HiDPI
- Gnome HiDPI wiki page: https://wiki.gnome.org/HowDoI/HiDpi
- Mozilla DPI-related Font Size Issues on Unix: https://www-archive.mozilla.org/unix/dpi.html
- Related official issue: https://github.com/QubesOS/qubes-issues/issues/1951
`Contributors: @taradiddles`
This content has moved to [Qubes Forum: Community Guides](https://forum.qubes-os.org/c/guides/14). [Learn more.](https://forum.qubes-os.org/t/announcement-qubes-community-project-has-been-migrated-to-the-forum/20367/)
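Review bot: this file carried an explicit attribution line (`Contributors: @taradiddles`) and a Resources list, both of which disappear with the redirect while the replacement line names no author; make sure the forum copy keeps that credit, or leave a one-line credit beside the redirect. It is also worth confirming that the migrated copy fixed the broken link on the GDK line (`[here](https://wiki.archlinux.org/title/HiDPI#GDK_3_(GTK_3)` lacks the closing parenthesis of the Markdown link) rather than carrying it over verbatim.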

@ -1,288 +1 @@
FEDORA Packages Recommendations
======================
(starting from a minimal template)
Template installation
------------------------------
> [dom0]#qubes-dom0-update qubes-template-fedora-26-minimal
*Note*: If you have doubts about a set of tools or package you want to install, start installing and testing it in an AppVM.
You can then reproduce it later in your TemplateVM if you are satisfied.
That is the template philosophy in QubesOS.
For more information on the uses of a minimal template read [this page][Minimal].
Standard tools installation
================
Administration (documented)
---------------------------------------------
> sudo pciutils vim-minimal less tcpdump telnet psmisc nmap nmap-ncat usbutils
*Notes*: nmap can be used to discover hosts on a network (nmap -sP [network]), especially if you are inside a Microsoft network, because your AppVM will be protected/NATted behind the Qubes firewall.
(Microsoft / home networks make heavy use of autodiscovery technologies which require clients to be in the same local network (no firewall/no NAT), eg: your printer.)
Some recommendations here: check your current network using the Network manager applet (eg: 192.168.1.65).
Then run nmap in your current AppVM/TemplateVM to search for the selected printer/equipment:
nmap -sP 192.168.1.-.
Don't forget to temporarily allow traffic via the Qubes Firewall if you are doing this in a TemplateVM.
Administration (undocumented)
-------------------------------------------------
> openssh keepassx openssl gnome-keyring man
Dependency note: keepassx rely on qt which takes ~30MB
Network VM (documented)
----------------------------------------
> NetworkManager NetworkManager-wifi network-manager-applet wireless-tools dbus-x11 tar tinyproxy iptables
Network VM (undocumented)
--------------------------------------------
> which dconf dconf-editor
*Notes*: which is required for autostart scripts
*Notes*: dconf is required to remember the VM settings that are changed (the gsetting backend will be in memory only if gconf is not installed).
Network VM (manual operations - documented)
------------------------------------------------------------------------
Search for wireless firmware matching your wireless card (to be launched in network VM)
> lspci; dnf search firmware
ProxyVM/NetworkVM for 3G Modems
--------------------------------------------
> ModemManager NetworkManager-wwan usb_modeswitch modem-manager-gui
Dependency note: modem-manager-gui relies on webkit-gtk and is optional (NetworkManager can handle the modem alone)
Source: [3GMODEM]
ProxyVM for VPNs
--------------------------------------------
Search for a VPN package for your particular vpn solution then [configure][VPNNM] NetworkManager
> dnf search NetworkManager [openvpn\|openconnect\|openswat\|...]
OR
Refer to [this guide][VPN] which includes instructions for failsafe anti-leak VPN configuration using CLI scripts. (An early discussion about OpenVPN configuration can be viewed [here][OPENVPNSETUP].) Required packages will be `iptables` in addition to VPN software such as `openvpn`.
Printer Setup
--------------------------------------------
> system-config-printer system-config-printer-applet cups
Dependency Note: depends on python3 + python3 additional libraries which takes more than 40 M once installed.
Dependency Note: cups depends on ghostscript and require installing additional printing fonts (not documented here), so it can takes several dozen of MB
Manual operations
---------------------------
- Don't forget to restart your TemplateVM or only the cups service when you installed cups (systemctl start cups)
- First you need to search for your printer. If you don't know its name or IP, search for it using nmap: check your current network using the Network manager applet (eg: 192.168.1.65). Then run nmap in your current AppVM/TemplateVM to search for the selected printer/equipement: nmap -sP 192.168.1.-. Don't forget to temporarily allow traffic via the Qubes Firewall if you are inside a TemplateVM.
- Once you identified your printer, run system-config-printer GUI to install your printer
- You may need to cancel the operation to install more adapted printer drivers (eg: if the driver cannot be found automatically). Use dnf search printername to find potential drivers (eg dnf search photosmart)
GUI recommendations
======================
Lightweight packages recommendations
---------------------------------------------------------------
> lxterminal dejavu-sans-mono-fonts dejavu-sans-fonts gnome-settings-daemon
*Note*: You need to install sans-mono fonts for the terminal or it will be unreadable (overlapping characters....), while the sans fonts are just to get nicer GUI menus.
*Scite* is a nice notepad that can also highlight scripts with very light dependencies
> scite
*Meld* allows easy comparison of two text files/ two configuration files.
> meld
*Thunar* is a light file manager usually used by xfce
> thunar thunar-volman ntfs-3g
Dependency Note: xfce4 dependencies (but still quite light ~1.4M downloads)
Miscellaneous packages
--------------------------
*pycairo* package is needed for file's contextual menu "Send to VM" to function (to actually popup dialog box and enter VM's name where the file will be sent to).
*pinentry-gtk* package is responsible for pop-up dialog window where you enter password for your password protected gpg key.
Install this package in the qube holding your password protected gpg keys.
If you do not use password protected gpg keys, there is no need to install this package.
GUI themes
-----------------
Managing GUI theme / appearance is often complex because when you do not want to depend on a specific desktop system.
For this reason, we need to customize themes for each GUI framework that our application depends on.
This often includes GTK2, GTK3 (which us a different configuration/themes than GTK2), Qt.
The appearance of Windows can only be changed in dom0, however, the appearance of all buttons, menus, icons, widgets are specific to each AppVM.
### Packages
Choose theme packages for each framework. I recommend the following documentation [THEMEPACKAGES]
> clearlooks-phenix-gtk2-theme clearlooks-phenix-gtk3-theme
You can search for other themes using `dnf search theme gtk`.
You can check your currently installed theme packages (to eventually remove them) using `rpm -qa | grep theme`.
### Tweaking theme and appearance
First you can get an insight of installed Gtk theme and see how it will appear using lxappearance.
I recommend not applying settings using lxappearance (do not click on apply) because it will create multiple configuration files.
To remove these files, follow cleanup notes.
#### Cleanup notes
~~~
rm ~/.gtkrc-2.0
rm ~/.icons/default/index.theme
rm ~/.config/gtk-3.0/settings.ini
rm ~/.config/Trolltech.conf
~~~
Cleaning the whole dconf settings is also possible by removing the following file. Please note that it will remove all preferences set for gnome application (not only the themes)
~~~
rm ~/.config/dconf/user
~~~
*Note*: lxappearance only has an effect on gtk3 themes so it won't work to change gtk2 themes (used by Firefox, Thunderbird ...).
However, it is very lightweight and can be used to identify the name and look of themes you are interested in.
Once you have the name, you can apply it using gsetting command line or gconf-editor.
*Note*: if you really want a GUI theme editor, you can install gnome-tweak-tools, but this tool has a lot
of gnome dependencies (~150MB of dependencies). You can install it and uninstall it as soon as you change your theme.
#### Testing notes
The following programs can be used to see if theme has been correctly applied:
* GTK2 program: scite, thunderbird, firefox
* GTK3 program: lxterminal
* Qt program: keepassx
*Note*: testing in a TemplateVM will not work as expected because gnome-settings-daemon is not started in TemplateVM.
so test your themes in an AppVM and then update the TemplateVM accordingly.
### Forcing theme change for all AppVM depending on a TemplateVM
This can be done for gtk themes by creating dconf global settings. I recommend reading these articles:
[DCONF1]
[DCONF2]
#### Creating global file
* Setup global config file:
> mkdir /etc/dconf/db/qubes.d
Edit/Create the following file: /etc/dconf/db/qubes.d/10-global-theme-settings:
~~~
[org/gnome/desktop/interface]
cursor-theme="Adwaita"
gtk-theme="Clearlooks-Phenix"
icon-theme="Adwaita"
font-name="Cantarell 11"
monospace-font-name="Monospace 11"
~~~
* Generate global config database
> dconf update
* Configure default user profile
Edit/Create the following file: /etc/dconf/profile/user:
~~~
user-db:user
system-db:qubes
~~~
#### Locking configuration
It should be noted that the user dconf settings stored in ~/.config/dconf/user always takes precedence over the global dconf settings.
User dconf settings can be browsed using dconf-editor GUI.
If you want to force specific settings to be applied for all user (so in our case for all AppVMs depending on the template), you need to create locks:
> mkdir /etc/dconf/db/qubes.d/locks
Edit/Create the following file: /etc/dconf/db/qubes.d/locks/theme.lock:
~~~
/org/gnome/desktop/interface/gtk-theme
~~~
Finally, regenerate the dconf database
> dconf update
### Uniform look for Qt & GTK
Getting an uniform look for Qt & GTK is not achieved yet. A good source is on the following link [UNIFORMTHEME]
Two case:
1. You installed packages of the theme you selected both for Qt, GTK2 and GTK3.
(eg: Adwaita which is the default theme. I have not found another cross framework theme on fedora default packages).
2. You want to use the GTK theme you selected for Qt but there is no qt package.
In this case QGtkStyle will take precedence and convert the style automatically.
You can verify if it is enabled by searching for "style=GTK+" in /etc/xdg/Trolltech.conf.
If style is changed to another name, it will be used instead of your GTK theme.
*Note*: check that ~/.config/Trolltech.conf in your AppVMs is not defining another "style=" because it will take precedence over your global Qt theme.
[3GMODEM]: https://www.codeenigma.com/community/blog/installing-3g-usb-modems-linux
[OPENVPNSETUP]: https://groups.google.com/forum/#!searchin/qubes-users/openvpn$20setup/qubes-users/UbY4-apKScE/lhB_ouTnAwAJ
[THEMEPACKAGES]: https://groups.google.com/forum/#!search/appvm$20theme/qubes-users/RyVeDiEZ6D0/YR4ITjgdYX0J
[DCONF1]: http://www.mattfischer.com/blog/?p=431
[DCONF2]: https://wiki.gnome.org/Projects/dconf/SystemAdministrators
[UNIFORMTHEME]: https://wiki.archlinux.org/index.php/Uniform_look_for_Qt_and_GTK_applications
[Minimal]: ../templates/fedora-minimal/
[VPNNM]: ../vpn/#set-up-a-proxyvm-as-a-vpn-gateway-using-networkmanager
[VPN]: ../vpn/#set-up-a-proxyvm-as-a-vpn-gateway-using-iptables-and-cli-scripts
This content has moved to [Qubes Forum: Community Guides](https://forum.qubes-os.org/c/guides/14). [Learn more.](https://forum.qubes-os.org/t/announcement-qubes-community-project-has-been-migrated-to-the-forum/20367/)
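Review bot: the replacement line at the end of this hunk links to the whole Community Guides category rather than to the specific forum topic this guide moved to, so the relative cross-links the removed text relied on (`[Minimal]: ../templates/fedora-minimal/`, `[VPN]: ../vpn/#set-up-a-proxyvm-as-a-vpn-gateway-using-iptables-and-cli-scripts`) and any external deep link into a section such as "Locking configuration" now land on an index page. Suggest linking the migrated topic directly and keeping the page's H1 in the stub so the file is still identifiable in search results and in the sidebar. The removed body also carried link definitions that nothing in this section cites (`[3GMODEM]`, `[OPENVPNSETUP]`), which suggests the reference list was stale before the migration; worth checking that the forum copy was cleaned up rather than pasted verbatim.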
View file
@ -1,349 +1 @@
# Create a Gaming HVM
## Hardware
To have an 'HVM' for gaming, you must have
- A dedicated GPU. By dedicated, it means: it is a secondary GPU, not
the GPU used to display dom0. In 2023, 'Nvidia' and 'Amd' GPU work.
Not tested with Intel GPUs.
- A screen available for the gaming 'HVM'. (It can be a physical
monitor or just to have multiple cables connected to the screen and
switching between input source)
- Dedicated gaming mouse and keyboard.
- A lot of patience. GPU passthrough is not trivial, and you will need
to spend time debugging.
## IOMMU Group
You need to check what are the things/devices that are in the same IOMMU
group as the GPU you want to passthrough. You can't see your IOMMU Group
when you are using Xen (the information is hidden from dom0). So, start
a live linux distribution, enable iommu in the grub options (iommu=1
iommu_amd=on), and then displayed the folder structure of
/sys/kernel/iommu_group
``` bash
#!/bin/bash
shopt -s nullglob
for g in /sys/kernel/iommu_groups/*; do
echo "IOMMU Group ${g##*/}:"
for d in $g/devices/*; do
echo -e "\t$(lspci -nns ${d##*/})"
done
done
```
## GRUB modification
You must hide your secondary GPU from dom0. To do that, you have to
modify the GRUB. In a dom0 Terminal, type:
``` bash
qvm-pci
```
Then find the devices id for your secondary GPU. In my case, it is
`dom0:0a_00.0`{.text} and `dom0:0a_00.1`{.text}. Edit /etc/default/grub,
and add the PCI hiding.
``` text
GRUB_CMDLINE_LINUX="... rd.qubes.hide_pci=0a:00.0,0a:00.1 "
```
then regenerate the grub
``` bash
grub2-mkconfig -o /boot/grub2/grub.cfg
```
If you are using UEFI, the file to override with `grub2-mkconfig`{.text}
is `/boot/efi/EFI/qubes/grub.cfg`{.text}.
Note: if after this step when you reboot the computer you get stuck in
the QubesOS startup that means you are trying to use the GPU you just
hide. Check your BIOS options. Also check the cables, BIOS have some GPU
priority based on the type of cable. For example, DisplayPort can be
favoured over HDMI.
Once you have rebooted, in dom0, type `sudo lspci -vvn`{.bash}, you
should see "Kernel driver in use: pciback" for the GPU you just hide.
## Patching stubdom-linux-rootfs.gz
[github.com/QubesOS/qubes-issues/issues/4321](https://github.com/QubesOS/qubes-issues/issues/4321#issuecomment-423011787)
Copy-paste of the comment:
This is caused by the default TOLUD (Top of Low Usable DRAM) of 3.75G
provided by qemu not being large enough to accommodate the larger BARs
that a graphics card typically has. The code to pass a custom
max-ram-below-4g value to the qemu command line does exist in the
libxl_dm.c file of xen, but there is no functionality in libvirt to add
this parameter. It is possible to manually add this parameter to the
qemu commandline by doing the following in a dom0 terminal. (I modified
the code so it works with 4.1 and remove one of the original limitations
by restricting the modification to VM with a name starting with
"gpu\_\")
``` bash
mkdir stubroot
cp /usr/libexec/xen/boot/qemu-stubdom-linux-rootfs stubroot/qemu-stubdom-linux-rootfs.gz
cd stubroot
gunzip qemu-stubdom-linux-rootfs.gz
cpio -i -d -H newc --no-absolute-filenames < qemu-stubdom-linux-rootfs
rm qemu-stubdom-linux-rootfs
nano init
```
Before the line
``` text
# $dm_args and $kernel are separated with \n to allow for spaces in arguments
```
add:
``` bash
# Patch 3.5 GB limit
vm_name=$(xenstore-read "/local/domain/$domid/name")
# Apply the patch only if the qube name start by "gpu_"
if [ $(echo "$vm_name" | grep -iEc '^gpu_' ) -eq 1 ]; then
dm_args=$(echo "$dm_args" | sed -n '1h;2,$H;${g;s/\(-machine\nxenfv\)/\1,max-ram-below-4g=3.5G/g;p}')
fi
```
Then execute:
``` bash
find . -print0 | cpio --null -ov \
--format=newc | gzip -9 > ../qemu-stubdom-linux-rootfs
sudo mv ../qemu-stubdom-linux-rootfs /usr/libexec/xen/boot/
```
Note that this will apply the change to the HVM with a name starting
with \"gpu\_\". So you need to name your gaming HVM \"gpu_SOMETHING\".
## Preparing the guest
As of 2023, I recommend using a Linux guest instead of a window guest.
### Windows
Install a window VM, you can use this
[qvm-create-windows-qube](https://github.com/elliotkillick/qvm-create-windows-qube)
### Linux
Create a new standalone Qube based on the template of your choice.
You must run the kernel provided by the guest distribution, because we
will use some non-default kernel module for the GPU driver. Just follow
the doc:
[managing-vm-kernel](https://www.qubes-os.org/doc/managing-vm-kernel/#distribution-kernel).
Install the GPU drivers you need.
## Pass the GPU
In qubes settings for the HVM, go to the 'devices' tab, pass the ID
corresponding to your GPU.
You may or may not need to add the option \"permissive\" or
\"no-strict-reset\".
[Some word about the security implication of thoses
parameters.](https://www.qubes-os.org/doc/device-handling-security/#pci-security)
``` bash
qvm-pci attach gpu_gaming_archlinux dom0:0a_00.0 -o permissive=True -o no-strict-reset=True
qvm-pci attach gpu_gaming_archlinux dom0:0a_00.1 -o permissive=True -o no-strict-reset=True
```
## Starting the guest
This is where you will have a lot of issues to debug.
For Linux guests, run 'sudo dmesg' to have all the kernel log indicating
you if there is a issue with your GPU driver. For some hardware, the MSI
calls won't work. You can work around that using for example
`pci=nomsi`{.text} or `NVreg_EnableMSI=0`{.text} or something else.
Check your drivers options. Check if alternative drivers exist (amdgpu,
nvidia, nouveau, nvidia-open, using drivers from the official website,
...). Check multiple kernel version.
Some links that could help you to debug the issues you will have
- https://forum.qubes-os.org/t/ryzen-7000-serie/
- https://dri.freedesktop.org/docs/drm/gpu/amdgpu.html
For windows guests you will probably have the same issues but it will be
harder to debug. I recommend using the drivers from Windows Update
instead of the official drivers from the website of the constructor.
Some things that may be useful for debugging:
- Virsh (start, define, \...)
- /etc/libvirt/libxl/
- xl
- /etc/qubes/templates/libvirt/xen/by-name/
- /usr/lib/xen/boot/
- virsh -c xen:/// domxml-to-native xen-xm /etc/libvirt/libxl/\...
Issues with the drivers could be related to
'qubes-vmm-xen-stubdom-linux', 'qubes-vmm-xen', and the Linux kernel you
will be using.
## Linux guest --- Integration with QubesOS
### Xorg
Now Xorg and Pulseaudio. From XKCD:
[![image](x11){width="\\linewidth"}](https://xkcd.com/963/)
Things you need to install:
- The Xorg input driver to support your mouse and keyboard
- A pulseaudio gui client
- Your favorite Windows Manager
In my case, it is:
``` bash
apt install xserver-xorg-input-kbd xserver-xorg-input-libinput xserver-xorg-input-mouse pavucontrol i3
```
Then create a XORG configuration file for your GPU and screen. My file
named 'AOC.conf':
``` xorg.conf
Section "ServerLayout"
Identifier "Gaming"
Screen 0 "AMD AOC" Absolute 0 0
EndSection
Section "Device"
Identifier "AMD"
# name of the driver to use. Can be "amdgpu", "nvidia", or something else
Driver "amdgpu"
# The BusID value will change after each qube reboot.
BusID "PCI:0:8:0"
EndSection
Section "Monitor"
Identifier "AOC"
VertRefresh 60
# https://arachnoid.com/modelines/ . IMPORTANT TO GET RIGHT. MUST ADJUST WITH EACH SCREEN.
Modeline "1920x1080" 172.80 1920 2040 2248 2576 1080 1081 1084 1118
EndSection
Section "Screen"
Identifier "AMD AOC"
Device "AMD"
Monitor "AOC"
EndSection
```
We can't know what is the correct BusID before the qube is started. And
it change after each reboot. So let's write a script --- named
\"xorgX1.sh\" --- that update this configuration file with the correct
value, then start a binary on the Xorg X screen n°1.
``` bash
#!/bin/bash
binary=${1:?binary required}
# Find the correct BusID of the AMD GPU, then set it in the Xorg configuration file
pci=$(lspci | grep "VGA" | grep "NVIDIA|AMD/ATI" | cut -d " " -f 1 | cut -d ":" -f 2 | cut -d "." -f 1 | cut -d "0" -f 2)
sed -i "s/PCI:0:[0-9]:0/PCI:0:$pci:0/g" /home/user/AOC.conf
# Pulseaudio setup
sudo killall pulseaudio
sudo sed -i "s/load-module module-vchan-sink.*/load-module module-vchan-sink domid=$(qubesdb-read -w /qubes-audio-domain-xid)/" /etc/pulse/qubes-default.pa
sudo rm /home/user/.pulse/client.conf
start-pulseaudio-with-vchan
sleep 5 && sudo chmod -R 777 /root/ &
sleep 5 && sudo chmod -R 777 /root/* &
sleep 5 && sudo cp /root/.pulse/client.conf /home/user/.pulse/client.conf && sudo chown -R user:user /home/user/.pulse/client.conf &
setxkbmap fr
sudo setxkbmap fr
# Start the Xorg server for the X screen number 1.
# The X screen n°0 is already used for QubesOS integration
sudo startx "$binary" -- :1 -config /home/user/AOC.conf
```
### Pulseaudio
So you need to configure pulseaudio for Xorg multiseat. The archlinux
documentation explain that very well: [Xorg
multiseat](https://wiki.archlinux.org/index.php/Xorg_multiseat#Multiple_users_on_single_sound_card:_PulseAudio)
Use the option without system-mode deamon and adapt it to qube: Add the
following line to /etc/pulse/qubes-default.pa
``` bash
load-module module-native-protocol-tcp auth-ip-acl=127.0.0.1
```
Then add this config for root:
``` bash
mkdir /root/.pulse
echo "default-server = 127.0.0.1" > /root/.pulse/client.conf
```
The sound was buggy/laggy on my computer. So tried to find a workaround
by playing with pulseaudio settings. It was more or less random tries,
so I can't really explain it: In `/etc/pulse/daemon.conf`{.text} add the
following lines:
``` bash
default-fragments = 60
default-fragment-size-msec = 1
high-priority = no
realtime-scheduling = no
nice-level = 18
```
In `/etc/pulse/qubes-default.pa`{.text} change
``` bash
load-module module-udev-detect
```
to
``` bash
load-module module-udev-detect tsched=0
```
You can launch you favorite Windows Manager like that
``` bash
sudo ./xorgX1.sh /usr/bin/i3
```
### References
- [Archlinux:
PulseAudio](https://wiki.archlinux.org/index.php/PulseAudio)
- [Archlinux:
PulseAudio/Troubleshooting](https://wiki.archlinux.org/index.php/PulseAudio/Troubleshooting)
This content has moved to [Qubes Forum: Community Guides](https://forum.qubes-os.org/c/guides/14). [Learn more.](https://forum.qubes-os.org/t/announcement-qubes-community-project-has-been-migrated-to-the-forum/20367/)
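Review bot: the deletion removes the only sentence in this guide that flags the security impact of `qvm-pci attach ... -o permissive=True -o no-strict-reset=True` (the pointer to device-handling-security#pci-security under "Pass the GPU"), while the stub that replaces it carries no warning at all; since the guide itself says these options have security implications, the stub (or the forum topic it points to) should keep that pointer next to the attach commands. Two things in the migrated script `xorgX1.sh` also deserve a fix at the new location before linking to it: `sudo chmod -R 777 /root/` and `sudo chmod -R 777 /root/*` make the guest's entire root home world-writable just to copy one PulseAudio `client.conf`, where the `sudo cp` plus `chown` the script already runs on the next line is enough on its own; and `load-module module-native-protocol-tcp auth-ip-acl=127.0.0.1` in `qubes-default.pa` accepts any connection from localhost without a cookie, so every process in the qube gets the audio server, which the guide does not mention.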
View file
@ -1,85 +1 @@
Language Localization
=====================
Enable UTF-8 in dom0 title bars
-------------------------
You can enable UTF-8 characters in the title bar for all (non-Windows) qubes or on a per-qube basis. For an individual qube, this can be done using the Qube Manager's `Advanced` tab or, in a `dom0` terminal, via the command
`qvm-features <VMname> gui-allow-utf8-titles true`
To change this given GUI option globally, set this feature in the Qube Manager's `Global Settings` plane, which will apply to all qubes using the GuiVM under which Qube Manager is running (usually `dom0`, or possibly in one of the alternative GuiVMs `sys-gui` or `sys-gui-gpu`). To set this property globally for all qubes running under a certain GuiVM, e.g. `dom0`, use the command
`qvm-features dom0 gui-default-allow-utf8-titles true`
or accordingly.
**Note:** This does not work for Windows qubes.
Changing the language of dom0
-----------------------------
In order to install an additional language in `dom0`, e.g. German: In a `dom0` terminal, execute
`sudo qubes-dom0-update langpacks-de`
Then reboot.
Before logging in, the task panel will show - usually far to the right - the current language, e.g. `C.UTF-8`. Clicking on this value will open a menu where you can select the GUI language, i.e. the interface language of Qubes used in `dom0` and in the menus, like Whiskers. Note, however, that the language of some Qubes utilities like the Qube Manager does not change, and any Templates and AppVMs based on these Templates retain their language.
This need only be done once; the selected language survives logging out and reboot.
Changing the language of Templates and the AppVMs based on them
---------------------------------------------------------------
To change the language of existing Templates, you have to install the language packs in these Templates.
For Fedora-based Templates, this is done (for German as an example) via
`sudo dnf install langpacks-de`
For debian-based Templates, the corresponding command is
`sudo apt-get install language-pack-de language-pack-gnome-de language-pack-de-base language-pack-gnome-de-base`
For other languages, the corresponding code has to be used, e.g. `fr` for French. After installing a language, it has to be selected/enabled via the settings of the Template.
New Templates will be installed in their default language, usually English, and they have to be changed just like existing Templates. This could be alleviated by installing a “clean” Template from the repository, with nothing but the needed language packs before starting to create a new templateclone using one of these languages. For instance, when you need a totally new Template (e.g., Debian 12 when it comes out), youll have to create debian-12-de and regenerate all other Templates from that.
The language of Windows Templates is determined at the installation of the operating system and can be changed afterwards if the installed edition is a multi-language edition; otherwise the language stays fixed.
AppVMs started after this change will inherit the language from the corresponsing Template.
How to set up pinyin input in Qubes
-----------------------------------
The pinyin input method will be installed in a TemplateVM to make it available after restarts and across multiple AppVMs.
1. In a TemplateVM, install `ibus-pinyin` via the package manager or terminal.
If the template is Fedora-based, run `sudo dnf install ibus-pinyin`.
If the template is Debian-based, run `sudo apt install ibus-pinyin`
2. Shut down the TemplateVM.
3. Start or restart an AppVM based on the template in which you installed `ibus-pinyin` and open a terminal.
4. Run `ibus-setup`.
5. You will likely get an error message telling you to paste the following into your bashrc:
export GTK_IM_MODULE=ibus
export XMODIFIERS=@im=ibus
export QT_IM_MODULE=ibus
Copy the text into your `~/.bashrc` file with your favorite text editor.
You will need to do this for any AppVM in which you wish to use pinyin input.
6. Set up ibus input as you like using the graphical menu (add pinyin or intelligent pinyin to selections).
You can bring the menu back by issuing `ibus-setup` from a terminal.
7. Set up your shortcut for switching between inputs.
By default it is super-space.
If `ibus-pinyin` is not enabled when you restart one of these AppVMs, open a terminal and run `ibus-setup` to activate ibus again.
For further discussion, see [this qubes-users thread](https://groups.google.com/forum/#!searchin/qubes-users/languge/qubes-users/VcNPlhdgVQM/iF9PqSzayacJ).
This content has moved to [Qubes Forum: Community Guides](https://forum.qubes-os.org/c/guides/14). [Learn more.](https://forum.qubes-os.org/t/announcement-qubes-community-project-has-been-migrated-to-the-forum/20367/)
View file
@ -1,78 +1 @@
Mirage Firewall
===============
A unikernel firewall for Qubes OS.
This site will help collecting information about the mirage firewall, an interesting project from "talex5".
To learn more about the Mirage Firewall, please make sure to read
- https://github.com/mirage/qubes-mirage-firewall
- https://github.com/mirage/qubes-mirage-firewall/blob/master/README.md
The Mirage Firewall for Qubes OS is a low ressource firewall, which uses a much smaller footprint
compared to the default ("fat") sys-firewall.
This page is only to write down how to build the mirage firewall for Qubes OS.
Please make sure to read the above links to understand more about it.
Most information from here has been put together reading the original docs above and following the discussion in the Qubes OS User Mailinglist / Google Groups:
https://groups.google.com/forum/#!topic/qubes-users/xfnVdd1Plvk
Build process on Qubes 4
========================
```
MirageFWBuildVM=my-mirage-buildvm
TemplateVM=fedora-29
MirageFWAppVM=sys-mirage-fw2
# create a new VM
qvm-create $MirageFWBuildVM --class=AppVM --label=red --template=$TemplateVM
# Resize private disk to 10 GB
qvm-volume resize $MirageFWBuildVM:private 10GB
# Create a symbolic link to safe docker into the home directory
qvm-run --auto --pass-io --no-gui $MirageFWBuildVM \
'sudo mkdir /home/user/var_lib_docker && \
sudo ln -s /var/lib/docker /home/user/var_lib_docker'
# Install docker and git ~2min
qvm-run --pass-io --no-gui $MirageFWBuildVM \
'sudo qvm-sync-clock && \
sudo dnf -y install docker git'
# Launch docker
qvm-run --pass-io --no-gui $MirageFWBuildVM \
'sudo systemctl start docker'
# Download and build mirage for qubes ~11min
qvm-run --pass-io --no-gui $MirageFWBuildVM \
'git clone https://github.com/mirage/qubes-mirage-firewall.git && \
cd qubes-mirage-firewall && \
git pull origin pull/52/head && \
sudo ./build-with-docker.sh'
# Copy the new kernel to dom0
cd /var/lib/qubes/vm-kernels
qvm-run --pass-io $MirageFWBuildVM 'cat qubes-mirage-firewall/mirage-firewall.tar.bz2' | tar xjf -
# create a new mirage fw appvm
qvm-create \
--property kernel=mirage-firewall \
--property kernelopts=None \
--property memory=32 \
--property maxmem=32 \
--property netvm=sys-net \
--property provides_network=True \
--property vcpus=1 \
--property virt_mode=pv \
--label=green \
--class StandaloneVM \
$MirageFWAppVM
# Change default NetVM to Mirage FW
qvm-start $MirageFWAppVM
qubes-prefs --set default_netvm $MirageFWAppVM
```
This content has moved to [Qubes Forum: Community Guides](https://forum.qubes-os.org/c/guides/14). [Learn more.](https://forum.qubes-os.org/t/announcement-qubes-community-project-has-been-migrated-to-the-forum/20367/)
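Review bot: the build recipe in this hunk pipes a tarball produced inside the build qube straight into dom0 with `qvm-run --pass-io $MirageFWBuildVM 'cat qubes-mirage-firewall/mirage-firewall.tar.bz2' | tar xjf -` while sitting in `/var/lib/qubes/vm-kernels`, so a compromised or misbehaving build qube chooses which file names get written into dom0's kernel directory; the migrated copy should at least list the archive first (`tar tjf`), extract into a scratch directory, and move only the expected `mirage-firewall` entries into place. It also pins `git pull origin pull/52/head`, i.e. an unmerged pull request, and `TemplateVM=fedora-29`, so the forum copy this redirect points to should be checked for staleness rather than taken over as-is.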
View file
@ -1,88 +1 @@
# Removing TemplateVM Packages
When removing any packages from a default TemplateVM, be sure to check what's being removed by `apt autoremove` or `dnf`.
When removing certain packages, for instance Thunderbird, `apt` and `dnf` will attempt to remove many packages required by qubes for the template to function correctly under qubes.
As an example from a terminal in a TemplateVM:
```shell_session
$ sudo apt remove thunderbird
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages were automatically installed and are no longer required:
debugedit libjs-sphinxdoc libjs-underscore librpm3 librpmbuild3 librpmio3
librpmsign3 libsqlite0 linux-headers-4.9.0-6-amd64
linux-headers-4.9.0-6-common linux-image-4.9.0-6-amd64 python-backports-abc
python-cffi-backend python-concurrent.futures python-croniter
python-cryptography python-dateutil python-enum34 python-idna
python-iniparse python-ipaddress python-jinja2 python-libxml2 python-lzma
python-markupsafe python-msgpack python-openssl python-pyasn1 python-pycurl
python-requests python-rpm python-singledispatch python-six python-sqlite
python-sqlitecachec python-tornado python-tz python-urlgrabber
python-urllib3 python-xpyb python-yaml qubes-core-agent-dom0-updates
qubes-core-agent-passwordless-root qubes-gpg-split qubes-img-converter
qubes-input-proxy-sender qubes-mgmt-salt-vm-connector qubes-pdf-converter
qubes-usb-proxy rpm rpm-common rpm2cpio salt-common salt-ssh usbutils yum
yum-utils
Use 'sudo apt autoremove' to remove them.
The following packages will be REMOVED:
icedove lightning qubes-thunderbird qubes-vm-recommended thunderbird
0 upgraded, 0 newly installed, 5 to remove and 0 not upgraded.
After this operation, 151 MB disk space will be freed.
Do you want to continue? [Y/n]
```
Note all of the qubes packages are tracked as dependencies that will no longer be required. `apt remove` will only remove the packages listed, which is ok.
If, however you also run `apt autoremove` the other qubes packages necessary for TemplateVMs will be removed.
If you'd still like to remove one of these applications without breaking your TemplateVM you have a couple different options.
## Removing Only Packages Not Needed for a Qubes TemplateVM
### Debian
1. In your TemplateVM terminal run:
```shell_session $ apt remove package-name```
Note the packages "no longer required"
2. If the list of "no longer required" packages includes anything beginning with `qubes-` or `salt-` make a note to yourself to **never** run `$ sudo apt autoremove` on this TemplateVM
**Recommended but optional:** Use `apt-mark` to make `apt autoremove` safe again.
```shell_session
$ sudo apt-mark manual package-name package-name
```
Replace package-names with actual `qubes-*` and `salt-*` packages you'd like to retain.
For example, still in your TemplateVM terminal:
```shell_session
$ sudo apt-mark manual qubes-core-agent-dom0-updates qubes-core-agent-passwordless-root qubes-gpg-split qubes-img-converter qubes-input-proxy-sender qubes-mgmt-salt-vm-connector qubes-pdf-converter salt-common salt-ssh qubes-usb-proxy
```
`$ apt autoremove` should now be safe to use.
### Fedora
In your TemplateVM terminal, run:
```shell_session
$ dnf remove --noautoremove package-name
```
## Recovering A TemplateVM which you've already removed needed qubes-* packages
If you've already removed packages, run `apt autoremove` and restarted your VM you've lost passwordless sudo access.
You can login as root, open a terminal in dom0 and run:
```shell_session
$ qvm-run -u root vmname xterm
```
This will open an xterm terminal in the TemplateVM named `vmname`
Once you're logged in as root, reinstall these packages & their dependencies:
### Debian
```shell_session
$ sudo apt install qubes-core-agent-dom0-updates qubes-core-agent-passwordless-root qubes-gpg-split qubes-img-converter qubes-input-proxy-sender qubes-mgmt-salt-vm-connector qubes-pdf-converter salt-common salt-ssh
```
### Fedora
Similar to Debian for example (package names may vary):
```shell_session
$ sudo dnf install qubes-core-agent-dom0-updates qubes-core-agent-passwordless-root qubes-gpg-split qubes-img-converter qubes-input-proxy-sender qubes-mgmt-salt-vm-connector qubes-pdf-converter salt-common salt-ssh
```
This content has moved to [Qubes Forum: Community Guides](https://forum.qubes-os.org/c/guides/14). [Learn more.](https://forum.qubes-os.org/t/announcement-qubes-community-project-has-been-migrated-to-the-forum/20367/)
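Review bot: the package lists inside this hunk disagree with each other: the `apt-mark manual` example under "Debian" names `qubes-usb-proxy`, but both recovery commands under "Recovering A TemplateVM ..." (`sudo apt install ...` and `sudo dnf install ...`) omit it, and none of the three lists mentions `usbutils`, `rpm`, `yum` or `yum-utils`, which the quoted `apt remove thunderbird` output shows being flagged as "no longer required" alongside the qubes-* packages, so the rule of thumb "anything beginning with `qubes-` or `salt-`" leaves the reader without guidance on those. If the forum copy is to be the canonical version, the lists should be reconciled there. The single-line fence in step 1 under "Debian" also puts the language tag and the command on the same line as the opening backticks, which is malformed markdown and will not render as a code block.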
View file
@ -1,128 +1 @@
# Custom screenlockers in Qubes OS
## Security Considerations
Most people use screenlockers on a daily basis to prevent unauthorized access to their computers during
e.g. coffee breaks. The screen lock functionality is thereby often part of a screensaver.
Qubes OS uses `xscreensaver' for that.
While screenlockers cannot be assumed to withstand serious attacks, most users likely assume that
they cannot be bypassed within very little time. They also assume that screenlockers don't tend to
fail after a while.
Unfortunately both of these assumptions usually don't hold:
- If one of the parent processes of a screenlocker (e.g. the X server) dies or restarts unexpectedly, the
screen locker will die and leave the screen unprotected. X server restarts may happen with various graphic
driver bugs, e.g. on something as simple as plugging a laptop into a docking station with a monitor.
- Screenlockers [tend to have bugs](https://www.jwz.org/blog/2015/04/i-told-you-so-again/) or
[bad/outdated design](http://blog.martin-graesslin.com/blog/2015/01/why-screen-lockers-on-x11-cannot-be-secure/).
- Other applications may request the screenlocker to be cleared or otherwise display
information [in front of the screenlocker window](https://github.com/QubesOS/qubes-issues/issues/5908).
The default Qubes OS `xscreensaver` also suffers from these issues, but at least has high hardware coverage.
The Qubes OS design also helps to limit the scope of some of these issues (e.g. only dom0 applications can
request the screensaver to quit).
In general it is _not_ advisable to rely on screenlocker security for anything serious.
See [qubes-issues](https://github.com/QubesOS/qubes-issues/issues/1917) for further discussions.
## Configuring a custom screenlocker
Qubes OS can be configured to use whatever screenlocker you prefer.
Thanks to `xss-lock` and `xflock4` (by default started via `/etc/xdg/autostart/xfce4-xss-lock.desktop`)
the below screenlockers should work right after their installation in dom0:
- `xscreensaver-command -lock`
- `gnome-screensaver-command --lock`
- `xlock -mode blank`
- `slock`
If you have multiple screenlockers installed, you might have to remove the others first.
For other screenlockers you have to use the following dom0 command to enable them:
```
xfconf-query -c xfce4-session -p /general/LockCommand -s "[command to start your screenlocker]" --create -t string
```
Set an empty command to disable them.
**Important Note**:
`xss-lock` continually requests a timeout (the one set via `xset s`) from the X server and if that timeout is hit,
it executes `xflock4`, which in turn executes your screenlocker.
However any bug in `xss-lock` (e.g. [this one](https://bugs.archlinux.org/task/64771) or possibly even just a X server disconnect),
may cause that trigger to _not_ happen. I.e. do **not** rely on that trigger for anything sensible, but use a keyboard screenlocker
hotkey instead!
## Physlock
[physlock](https://github.com/muennich/physlock) is an interesting screenlocker alternative as it simply uses the
tty logon mechanism as screen locking mechanism. It does not depend on the X server and is therefore not affected by
unexpected X server restarts.
The below instructions provide an example of how to install and configure a non-default screenlocker.
### Installation
1. Install its build dependencies in dom0: `sudo qubes-dom0-update gcc make pam-devel systemd-devel`
2. Download the [physlock source code](https://github.com/muennich/physlock), verify its tag signatures
and copy it to dom0.
3. Follow the build and install instructions of its [README](https://github.com/muennich/physlock/blob/master/README.md).
4. In particular make sure to follow its PAM-related instructions (if you run into an endless `authentication failed`
loop on locking later, you likely forgot this point).
### Configuration
1. physlock uses the dom0 root password for unlocking, i.e. you'll have to set one with `sudo passwd`.
2. Create a helper script at `/usr/bin/screenlock`:
```
#!/bin/bash
function isRunning {
pgrep -a '^physlock$'
}
#parse args
keep_open=1
if [[ "$1" == "--keep-open" ]] ; then
keep_open=0
shift
fi
#NOTE: for some sreason the full path is required below for xss-lock
isRunning || { /usr/local/bin/physlock -dms "$@" ; sleep 1 ; }
#Idea:
#make xss-lock think that it controls the screenlocker, but in fact it doesn't
#reason: xss-lock may crash and we don't want it to take down the screen lock
if [ $keep_open -eq 0 ] ; then
stime=10
while isRunning ; do
echo "Sleeping for ${stime}s..."
sleep $stime
done
fi
exit 0
```
3. Make it executable with `chmod +x /usr/bin/screenlock`.
4. Make sure `/etc/xdg/autostart/xfce4-xss-lock.desktop` exists with `xss-lock xflock4` (does exist by default in Qubes OS 4).
5. As regular user, run `xfconf-query -c xfce4-session -p /general/LockCommand -s "/usr/bin/screenlock --keep-open" --create -t string` in dom0.
6. If you need audio during the screen lock, run `sudo usermod -a -G audio [your user]`.
You can then use the command `screenlock` for custom hotkeys etc.
To set the screenlocker timeout, use the xfce GUI or `xset`.
For example you could create `/etc/xdg/autostart/xset.desktop` with the following content to set a timeout of 610s on startup:
```
[Desktop Entry]
Name=xset
Comment=Set screensaver timeout
Exec=bash -c 'sleep 60 && xset s 610'
Terminal=false
Type=Application
StartupNotify=false
```
This content has moved to [Qubes Forum: Community Guides](https://forum.qubes-os.org/c/guides/14). [Learn more.](https://forum.qubes-os.org/t/announcement-qubes-community-project-has-been-migrated-to-the-forum/20367/)
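Review bot: the stub replacing this page drops the "Security Considerations" section entirely, and that section is the one part of the guide that is not a how-to: it is where the page states that screenlocker security should not be relied on for anything serious, explains why (X server restarts, locker bugs, other applications drawing over the locker) and links qubes-issues #1917 and #5908 plus the two analyses of why X11 lockers fail. If the how-to belongs on the forum, that statement should survive in the core docs rather than only in a community topic. In the `/usr/bin/screenlock` script, `keep_open=1` meaning "do not keep open" and `--keep-open` setting it to 0 is inverted boolean naming that will trip the next editor; a `keep_open=0` default with `--keep-open` setting 1 (and the loop testing `-eq 1`) reads the way the comment above it describes.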
View file
@ -1,97 +1 @@
SecBrowser
==========
NOTE: [SecBrowser is deprecated](https://www.whonix.org/wiki/SecBrowser).
[SecBrowser](https://www.whonix.org/wiki/SecBrowser_™_in_Qubes_OS) is a security-focused browser that provides vulnerability surface reduction for users that need high security, thereby reducing the risk of infection from malicious, arbitrary code. A built-in security slider provides enhanced usability, as website features which have historically been used as attack vectors (like JavaScript) can be easily disabled. Without any customization, SecBrowsers default configuration offers better security than Firefox, Google Chrome or Microsoft Edge.<sup>[[1]](https://2019.www.torproject.org/projects/torbrowser/design/)</sup> It also provides better protections from online tracking, [fingerprinting](https://www.whonix.org/wiki/Data_Collection_Techniques) and the [linkability](https://www.whonix.org/wiki/Data_Collection_Techniques#Fingerprinting_of_Browser_.28HTTP.29_Header) of activities across different websites.
SecBrowser is a derivative of the Tor Browser Bundle, but without Tor. This means unlike Tor Browser, SecBrowser does not route traffic over the Tor network. Even without the aid of the Tor network, SecBrowser still benefits from the numerous [patches](https://gitweb.torproject.org/tor-browser.git) that Tor developers have merged into the code base. Even with developer skills, these enhancements would be arduous and time-consuming to duplicate in other browsers, with the outcome unlikely to match SecBrowser's many security benefits. While browser extensions can be installed to mitigate specific attack vectors, this ad hoc approach is insufficient. SecBrowser leverages the combines experience and knowledge of the Tor Project developers, Whonix developers and the battle-tested Tor Browser.
Security Enhancements
------------------------------------
**Table:** _SecBrowser Security and Privacy Benefits_
| **Features** | **Description** |
|---------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| HTTPS Everywhere | This browser extension encrypts communications with many major websites, making your browsing more secure.<sup>[[2]](https://www.eff.org/https-everywhere)</sup> |
| NoScript | NoScript can provide significant protection with the correct configuration.<sup>[[3]](https://en.wikipedia.org/wiki/NoScript)</sup> NoScript blocks active (executable) web content and protects against [cross-site scripting](https://en.wikipedia.org/wiki/Cross-site_scripting) (XSS). "The add-on also offers specific countermeasures against security exploits". |
| DNS and Proxy Configuration Obedience | Proxy obedience is achieved through custom patches, Firefox proxy settings, and build flags. Plugins which can bypass proxy setting are disabled.<sup>[[4]](https://2019.www.torproject.org/projects/torbrowser/design/#proxy-obedience)</sup> |
| Reproducible Builds | Build security is achieved through a reproducible build process that enables anyone to produce byte-for-byte identical binaries to the ones the Tor Project releases.<sup>[[5]](https://blog.torproject.org/deterministic-builds-part-two-technical-details)</sup><sup>[[6]](https://2019.www.torproject.org/projects/torbrowser/design/#BuildSecurity)</sup> |
| Slider Security | Enables improved security by disabling certain web features that can be used as attack vectors.<sup>[[7]](https://tb-manual.torproject.org/security-slider/)</sup><sup>[[8]](https://2019.www.torproject.org/projects/torbrowser/design/#proxy-obedience)</sup> |
| WebRTC Disabled by Default | WebRTC can compromise the security of VPN tunnels, by exposing the external (real) IP address of a user.<sup>[[9]](https://en.wikipedia.org/wiki/WebRTC#Concerns)</sup><sup>[[10]](https://torrentfreak.com/huge-security-flaw-leaks-vpn-users-real-ip-addresses-150130/)</sup> |
Settings
--------
While SecBrowser has numerous security enhancements they can come at a cost of decreased usability. Since it is also highly configurable, security settings and behavior can be customized according to personal requirements.
* **Private Browsing Mode:** In the default configuration Tor Browser has private browsing mode enabled. This setting prevents browsing and download history as well as cookies from remaining persistent across browser restarts. While private browsing mode increases security, usability can be affected to the point that some websites will not function properly or not at all.<sup>[[11]](https://trac.torproject.org/projects/tor/ticket/10569)</sup> To enhance usability SecBrowser comes packaged with a custom `user_pref` that disables private browsing mode. If privacy is paramount users can enable private browsing mode by commenting out the corresponding user preference.
* **Security Slider:** By default the security slider is set to "Safest" which is the highest security setting.This will prevent some web pages from functioning properly, so security needs must be weighed against the degree of usability that is required.
* **Persistent NoScript Settings:** SecBrowser includes a `user_pref` that allows custom NoScript settings to persist across browser sessions. This is a security vs usability trade-off.
* **Remember Logins and Passwords for Sites:** To increase usability, users have the option to save site login information such as user names or passwords.
Privacy and Fingerprinting Resistance
-------------------------------------
Research from a pool of 500,000 Internet users has shown that the vast majority (84%) have unique browser configurations and version information which makes them trackable across the Internet. When Java or Flash is installed, this figures rises to 94%.<sup>[[12]](https://www.eff.org/deeplinks/2010/05/every-browser-unique-results-fom-panopticlick)</sup> SecBrowser shares the fingerprint with around [three million](https://metrics.torproject.org/userstats-relay-country.html) other Tor Browser users, which allows people who use SecBrowser to "blend in" with the larger population and better protect their privacy.
The [EFF has found](https://www.eff.org/deeplinks/2010/05/every-browser-unique-results-fom-panopticlick) that while most browsers are uniquely fingerprintable, resistance is afforded via four methods:
* Disabling JavaScript with tools like NoScript.
* Use of Torbutton, which is bundled with SecBrowser and enabled by default.
* Use of mobile devices like Android and iPhone.
* Corporate desktop machines which are clones of one another.
With JavaScript disabled, SecBrowser provides significant resistance to browser fingerprinting.<sup>[[13]](https://blog.torproject.org/effs-panopticlick-and-torbutton)</sup>
* The User Agent is uniform for all Torbutton users.
* Plugins are blocked.
* The screen resolution is rounded down to 50 pixel multiples.
* The timezone is set to GMT.
* DOM Storage is cleared and disabled.
The EFF's [Panoptickick](https://panopticlick.eff.org/) fingerprint test shows that SecBrowser resists fingerprinting.
_Note:_ Because tracking techniques are complex, Panopticlick does not measure all forms of tracking and protection.
* SecBrowser conveys 6.26 bits of identifying information.
* One in 76.46 browsers having the same fingerprint.
* Browser's that convey lower bits of identification are better at resisting fingerprinting.<sup>[[14]](https://33bits.wordpress.com/about/)</sup>
When Tor Browser's and SecBrowser's HTTP headers are compared using [Fingerprint central](https://fpcentral.irisa.fr/) the test results are near identical.
**Table:** _Tor Browser vs SecBrowser HTTP Headers Comparison_
_Percentage (%) out of 1652 with fingerprints tags [Firefox,Windows]:_
| Name | Value | Tor Browser | SecBrowser |
|---------------------------|-------------------------------------------------------------------|:-------------:|:-------------:|
| | | % | % |
| User-Agent | Mozilla/5.0 (Windows NT 6.1; rv:60.0) Gecko/20100101 Firefox/60.0 | 2.48 | 2.42 |
| Accept | text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 | 97.15 | 97.15 |
| Host | fpcentral.irisa.fr | 90.44 | 90.43 |
| Content-Length | | 100.00 | 100.00 |
| Accepted-Language | en-US,en;q=0.5 | 32.63 | 32.95 |
| Referer | https://fpcentral.irisa.fr/ | 69.37 | 69.35 |
| Upgrade-Insecure-Requests | 1 | 83.05 | 83.04 |
| Accepting-Encoding | gzip, deflate, br | 82.14 | 82.13 |
| Content-Type | | 100.00 | 100.00 |
| Connection | close | 100.00 | 100.00 |
Install SecBrowser
------------------
SecBrowser can be installed using `tb-updater` which is a package developed and maintained by Whonix developers. When run, `tb-updater` seamlessly automates the download and verification of SecBrowser (from The Tor Project's website). One of the many benefits of `tb-updater` is the ability to disable Tor is prebuilt into the software. This improves usability and is convenient since a security-focused browser (SecBrowser), is readily available. Unlike other manual methods of disabling Tor, this greatly simplifies the procedure and lessens the chance of a configuration error. To install SecBrowser in Qubes, users can follow the detailed instructions found on the designated [SecBrowser Wiki](https://www.whonix.org/wiki/SecBrowser_™_in_Qubes_OS) .
Conclusion
----------
SecBrowser is a highly configurable security-focused browser that affords users with numerous options to fine tune their browser's security and usability. This can be achieved through user preferences (`user_pref`) or on the fly by means of an easy to use and intuitive security slider. This allows for seemless changes in security posture to meet changes in dynamic environments. SecBrowser's fingerprinting resistance provides strong protection against web tracking and can be combined with a VPN to further enhance privacy. SecBrowser can be used with any Debian 10 (buster) based operating system including [SecOS](https://forums.whonix.org/t/hardened-debian-security-focused-linux-distribution-based-on-debian-in-development-feedback-wanted/5943) (a Hardened Debian based OS) which is in active development and coming soon.
This content has moved to [Qubes Forum: Community Guides](https://forum.qubes-os.org/c/guides/14). [Learn more.](https://forum.qubes-os.org/t/announcement-qubes-community-project-has-been-migrated-to-the-forum/20367/)
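Review bot: the removed text opens with "NOTE: SecBrowser is deprecated", and the generic category redirect that replaces it drops that warning entirely, so a reader following the old link is not told the tool is deprecated before going looking for it. Suggest the replacement line either keep the one-line deprecation note or link the migrated thread directly, so the deprecation status is the first thing a reader sees.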

@ -1,42 +1 @@
How to Enable Tailscale in AppVM
==================================
<b>Note:</b> If you seek to enhance your privacy, you may also wish to consider a <a href="/doc/configuration/vpn.md">VPN proxy Qube</a>.
<a href="https://tailscale.com/">Tailscale</a> is a mesh private network that lets you easily manage access to private resources, quickly SSH into devices on your network, and work securely from anywhere in the world. If you have devices in your private home network or at work at which you cannot use a VPN, Tailscale is a simple alternative with minimal setup.
### Template VM
In a `t-tailscale` template VM, install tailscale with the simple sh script, then stop the service:
```
-curl -fsSL https://tailscale.com/install.sh | sh
systemctl stop tailscaled
```
### AppVM
In your `tailscale` AppVM, use your favorite editor to sudo edit '/rw/config/rc.local', adding the following lines at the bottom of the file:
```
sudo systemctl start tailscaled
sudo tailscale up
```
Now make sure folder /rw/config/qubes-bind-dirs.d exists.
```
sudo mkdir -p /rw/config/qubes-bind-dirs.d
```
Create a file /rw/config/qubes-bind-dirs.d/50_user.conf with root rights. Edit the file 50_user.conf to append a folder or file name to the binds variable.
```
binds+=( '/var/lib/tailscale' )
```
Save.
Reboot the app qube.
Done.
From now on any files within the /var/lib/tailscale folder will persist across reboots. Shutdown and reboot the VM. Enter a console and run `sudo tailscale up` again to get the Tailscale tunnel link to your VM.
This content has moved to [Qubes Forum: Community Guides](https://forum.qubes-os.org/c/guides/14). [Learn more.](https://forum.qubes-os.org/t/announcement-qubes-community-project-has-been-migrated-to-the-forum/20367/)
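Review bot: the removed text contains startup and persistence configuration that users may already have applied (`sudo systemctl start tailscaled` / `sudo tailscale up` in `/rw/config/rc.local`, and `binds+=( '/var/lib/tailscale' )` in `/rw/config/qubes-bind-dirs.d/50_user.conf`), while the replacement points only to the guides category; suggest linking the migrated thread directly so those readers can find the equivalent instructions. Separately, the `-curl -fsSL https://tailscale.com/install.sh | sh` line inside the removed fenced block carries a leading `-` that appears to be a stray diff marker rather than part of the command; worth checking that the migrated copy does not carry it over.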

@ -1,29 +1 @@
# Setting default terminal settings for a TemplateVM
When you create a VM based on a TemplateVM, the `gnome-terminal` settings (font, color) are not inherited by default. This document describes how to set terminal defaults for all VMs *subsequently* created off a TemplateVM.
(Previously-created VMs are unaffected.)
This document only applies to `gnome-terminal` (the standard terminal)
and not XTerm, etc.
Thanks to `unman` on qubes-users for explaining how to do this.
## Define your defaults
In dom0:
`qvm-run MYTEMPLATE gnome-terminal`
In the terminal that pops up, adjust settings to your liking.
## Save settings template-wide
In the templateVM's terminal:
```
sudo mkdir -p /etc/skel/.config/dconf
sudo cp ~/.config/dconf/user /etc/skel/.config/dconf/
sudo reboot
```
Subsequently-created VMs should now use the chosen settings by default.
This content has moved to [Qubes Forum: Community Guides](https://forum.qubes-os.org/c/guides/14). [Learn more.](https://forum.qubes-os.org/t/announcement-qubes-community-project-has-been-migrated-to-the-forum/20367/)
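Review bot: the removed content credits `unman` on qubes-users for the `/etc/skel/.config/dconf` method, and the one-line replacement carries neither that attribution nor a direct link to the migrated copy. Suggest confirming the credit survives in the forum thread and linking that thread from the moved-notice line rather than only the category.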

@ -1,162 +1 @@
Disable/Uninstall unnecessary features/services
=============================
Windows features
----------------------------
Uninstall windows features from Control Panel > Turn windows features On/Off.
Generally, it will be required to reboot after features are uninstalled.
If you do not manage to uninstall some features, it is sometimes necessary to uninstall them one by one or two by two.
Only keep:
* Print and Document Service => Internet Printing Client
* Print and Document Service => Windows Fax and Scan (apparently it cannot be uninstalled)
* Windows search
*Note*: Windows search is recommended because it is a nightmare to find something in menus if it is not enabled (it removes the search bar from the start menu, from the explorer, and from the control panel).
*Note*: Unselecting windows media, .Net and Internet Explorer will uninstall these components. On a new install they are generally old versions anyway and it will be quicker to install directly the new versions later.
Windows services
---------------------------
Disable the following services that are not required or have no sense in a VM context:
* Base Filtering Engine (only required if you want to use Microsoft IPSEC)
* DHCP Client
* Function Discovery Provider Host
this will not work anyway because SSDP discovery uses multicast - need to be on the same network which is not the case because of Qubes firewall
* Peer Name Resolution Protocol
* Peer Netwoking Grouping
* Peer Networking Identity Manager
* SSDP Discovery
* Security Center (is it only notifications ?)
* TCP/IP Netbios Help (is Netbios still really used by Windows ? Maybe for discovery only ?)
* Themes (if you don't care about theme)
* Volume Shadow Copy (see next note in the performance section)
* Windows defender
* Windows Firewall
*Notes*: IP Helper is required as it is used by Qubes Agent to configure the IP address.
Windows update
--------------------------
I recommend disabling windows update (Never Check for Update) because checking for updates will start every time you start an AppVM if you haven't started your template in a while.
Running windows update is also apparently IO hungry.
Of course I recommend starting the template regularly and checking manually for updates.
System properties
---------------------------
Right click on computer and go to Properties > Advanced > Performance:
* If you don't care about visual effect, in Visual Effect select "Adjust for best performance"
* I personally tweak the page file size to gain some space on my root.
In Advanced>Performances>Advanced tab, change Virtual memory:
1. unselect automatically manage paging file size for all drive
2. click on drive C:
3. select no paging file
4. click on set
5. click on drive d:
6. select customer size
7. use an initial size of 500 and a max size of 1000. If the page file is too small, you will notice a low memory pop up when working on windows. In this case, it often means that you should extend your AppVM RAM.
* System Protection
Here you can disable Shadow Folder because it has little sense in the case of Qubes because
* we do regular backups of AppVMs/TemplateVMs;
* we can revert at least one template change if we break something.
Select drives where system protection is enabled and click Configure. "Turn off system protection" "Delete all restore points"
* Remote
Unselect Allow Remote Assistance connections to this computer.
Task scheduler
-----------------------
Open the task scheduler and *disable* the following tasks.
If you remove these tasks they may be recreated automatically by various windows management tools (such as defragmentation)
* Autochk: All
* Application Experience: All
* Customer Experience Improvement Program: All
* Defrag: All
* DiskDiagnosis: All (the disk is virtual anyway so S.M.A.R.T. has no sense)
* Maintenance: All
* SystemRestore: All
* WindowsBackup: All
Power options
-------------
First, enable the "Power" Windows service. Then, set all of the following:
* Put the computer to sleep: `Never`
* Turn the display off: `Never`
* Turn off hard disk after: Setting (Minutes): `0`
Turn off hibernation. Open a command prompt (`cmd.exe`) as an administrator,
then execute:
powercfg -h off
The hibernation file (`C:\hyberfil.sys`) should now be deleted.
Manual tasks that can/should be started in the template
-------------------------------------------------------
* Disk defragmentation
* Windows Update
* Windows file cleaning
1. Run windows drive cleaner as Administrator.
2. Enable all the task and run the cleaner
* CCleaner file cleaning
1. Install CCleaner free
2. Copy the attached ccleaner configuration file in CCleaner program file folder
3. Run ccleaner with all option set except "wipe free space" (it will also remove user history and preferences)
4. Run ccleaner only with the option "wipe free space".
It will write zeros in all unused space. This will allow you to strip the root.img file later
* TemplateVM stripping
Ensure that you know what you are doing in this section as you may destroy by error your template root.img file.
* If you ran ccleaner with "wipe free space", follow the following procedure
1. from dom0, go to /var/lib/templates-vm/yourtemplate
2. copy root.img using the following command
> cp --sparse=always root.img root.img.clean
3. if the copy worked, you can move the new root file by running this command
> mv root.img.clean root.img
* If it doesn't manage to fill the free space with zeros, you can follow the following *unsafe* undocumented procedure
1. from dom0, go to /var/lib/templates-vm/yourtemplate
2. check the partitioning to identify the filesystem offset of root.img
3. mount the filesystem
4. create a file with zeros inside the filesystem until the mounted filesystem is full
5. remove the file
6. unmount the partition
7. make a copy of root.img in sparse mode.
This content has moved to [Qubes Forum: Community Guides](https://forum.qubes-os.org/c/guides/14). [Learn more.](https://forum.qubes-os.org/t/announcement-qubes-community-project-has-been-migrated-to-the-forum/20367/)
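Review bot: the removed content carries explicit safety caveats around the template-stripping steps ("Ensure that you know what you are doing in this section as you may destroy by error your template root.img file", and the "*unsafe* undocumented procedure" label on the manual zero-fill, mount and `cp --sparse=always root.img root.img.clean` sequence), none of which the one-line replacement preserves. If the guide was moved verbatim, suggest linking the migrated thread directly from the moved-notice line so those caveats stay attached to the instructions a reader will actually follow.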