Simple qube set-up in Qubes

There's a long-standing issue that Qubes users face: installing software and setting up new qubes. New users in particular find this difficult to deal with.
Look at the repeated posts in the Forum about how to set up a VPN. It's probably one of the major problems that new users have, besides learning to install and configure software in templates so that they can use it in a qube. Again, look at the repeated "I installed X in my qube, and it disappeared when I restarted" posts. Many of the guides that are produced involve users copying shell scripts into dom0 or templates and running them.

We've been using simple salt formulas to help users with software installation and setup for some time. There's a long-standing issue on GitHub about how to handle such formulas. I think we should distribute them as signed packages, with scripts to implement the states when the package is installed. Users don't need to understand salt, or any of the complexity of working in Qubes.

What does this mean in practice?
Instead of a user finding a guide online, wondering whether to create a new template or qube, copying code or scripts into dom0 or a template, and running them, they just install a package.

Here's an example:
Let's say a user wants to set up a caching proxy, perhaps following my notes here
They clone a template, install software into the template (remembering to mask the service in the template), create a qube, configure the qube, configure bind-dirs in the new qube, set up a new policy in dom0, and then change the repo definitions in all the templates so that the proxy can handle TLS requests.
Instead they install the 3isec-qubes-cacher package, and it's done for them. A new caching proxy is created and the system reconfigured to use it.

Trying it out

To test the water, we are making available a test repository, and a simple tool to access it.
The repository definition is:
[3isec-dom0-current]
name = 3isec Qubes Dom0 Repository (updates)
baseurl = https://qubes.3isec.org/rpm/r$releasever/current/dom0/fc37
skip_if_unavailable=False
enabled = 1
metadata_expire = 6h
gpgcheck = 1
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-unman

(For 4.1, change the baseurl line to specify fc32 instead of fc37.)
Create a file in dom0 with this content at /etc/yum.repos.d/3isec-dom0.repo

All packages are signed with my Qubes OS Signing key.
You'll need to get this from a keyserver, or two, to make sure all is fine:
keyserver.ubuntu.com or pgp.mit.edu

You can also check the Qubes users mailing list or look on GitHub.

Once you have copies of the key, check the fingerprint:

gpg -n --import --import-options import-show unman.pub
replacing unman.pub with the path to the key.
The output should look similar to this:
pub   rsa4096 2016-06-25 [SC]
      4B1F 400D F256 51B5 3C41  41B3 8B3F 30F9 C8C0 C2EF
uid           [ unknown] unman (Qubes OS signing key) 
sub   rsa4096 2016-06-27 [S] [expires: 2024-06-30]
sub   rsa4096 2016-06-25 [E]
In particular, check that the output from your command contains the fingerprint 4B1F 400D F256 51B5 3C41 41B3 8B3F 30F9 C8C0 C2EF

When you are happy, copy the key into dom0.
In dom0:

qvm-run -p QUBE_WHERE_YOU_DOWNLOADED_KEY 'cat PATH_TO_KEY' > RPM-GPG-KEY-unman
sudo mv RPM-GPG-KEY-unman /etc/pki/rpm-gpg/

Add the key to the rpm keyring:

sudo rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-unman 

Installing the tool

Once you have set up the repository you can then install the tool:
sudo qubes-dom0-update 3isec-qubes-task-manager

Installing the tool or other packages manually

You can also download the packages here.
In summary: Download the package you want, check the signature, transfer it to dom0, and install in dom0.

In detail:
Let's say you have downloaded the package to Downloads in disp999. Download my pgp key also. Check the pgp key is valid, as above.

Import the pgp key into gpg and the rpm database:

gpg --import DOWNLOADED_KEY
sudo rpm --import DOWNLOADED_KEY
Open a terminal window in disp999, and check the signature:
cd Downloads
rpm -qpi PACKAGE_NAME
On the Signature line you should see Key ID fdd1b8244731b36c. This is the signing subkey of my Qubes OS signing key - you can confirm this with:
gpg --edit-key unman

You can also check the validity of the package:

rpm -K PACKAGE_NAME
You should see "SIGNATURES: OK"

To copy the file to dom0, open a terminal window in dom0 and run:

qvm-run -p disp999 'cat PATH_TO_PACKAGE' > PACKAGE_NAME
Then install the package:
sudo dnf install ./PACKAGE_NAME
It's much simpler to add the repository as set out above, and to use the tool.
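As an added example (not part of the original post, and not the 3isec tooling), a small POSIX shell script that automates the two checks above in the downloading qube: the primary-key fingerprint read from gpg's machine-readable output, and the rpm signature plus signing Key ID from rpm. The expected fingerprint and key ID are the ones quoted above; the colon-format sample is constructed by hand, and the script name is hypothetical.

```shell
#!/bin/sh
# Added example, not unman's code: automate the key and package checks
# from the post before anything is copied into dom0.
EXPECTED_FPR="4B1F 400D F256 51B5 3C41 41B3 8B3F 30F9 C8C0 C2EF"  # from the post
EXPECTED_SIGKEY="fdd1b8244731b36c"   # signing subkey ID, from the post

# Normalise a fingerprint for comparison: drop spaces, upper-case the hex.
norm_fpr() { printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F'; }

# Return 0 when the given fingerprint equals the expected one.
fpr_matches() { [ "$(norm_fpr "$1")" = "$(norm_fpr "$EXPECTED_FPR")" ]; }

# Read gpg --with-colons output on stdin and print the primary key's
# fingerprint: the first "fpr" record after "pub", field 10 holds it.
primary_fpr_from_colons() {
    awk -F: '$1 == "pub" { want = 1; next } want && $1 == "fpr" { print $10; exit }'
}

# Dry-run import of a key file (the keyring is not modified) and compare
# its primary fingerprint with the expected one. Needs gpg.
verify_key_file() {
    got=$(gpg -n --batch --with-colons --import --import-options import-show "$1" 2>/dev/null \
          | primary_fpr_from_colons)
    if fpr_matches "$got"; then
        echo "OK: $1 has fingerprint $EXPECTED_FPR"
    else
        echo "MISMATCH: $1 has fingerprint '$got', expected $EXPECTED_FPR" >&2
        return 1
    fi
}

# Check a downloaded .rpm: rpm -K exits 0 only when digests and signatures
# verify against the imported keys, and the Signature line of rpm -qpi
# must name the expected signing subkey. Needs rpm.
verify_rpm_file() {
    rpm -K "$1" >/dev/null 2>&1 || { echo "BAD SIGNATURE: $1" >&2; return 1; }
    rpm -qpi "$1" 2>/dev/null | grep -i '^Signature' | grep -qi "Key ID $EXPECTED_SIGKEY" \
        || { echo "WRONG SIGNING KEY: $1" >&2; return 1; }
    echo "OK: $1 is signed by key ID $EXPECTED_SIGKEY"
}

# Constructed sample of gpg --with-colons output for the expected key
# (hand-written for the self-check, not captured from gpg).
SAMPLE_COLONS='pub:-:4096:1:8B3F30F9C8C0C2EF:1466812800:::-:::scESC::::::23::0:
fpr:::::::::4B1F400DF25651B53C4141B38B3F30F9C8C0C2EF:'

# Usage: sh verify-3isec.sh KEYFILE [PACKAGE.rpm]
if [ $# -ge 1 ]; then
    verify_key_file "$1" && { [ -z "${2:-}" ] || verify_rpm_file "$2"; }
fi
```

Run it in the qube that holds the downloads; a mismatch exits non-zero, so it can gate a copy-to-dom0 step in a larger script.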

Running the tool

To run, open a terminal in dom0. There's a command line tool, qubes-task, and a primitive GUI, qubes-task-gui.
Use should be obvious.

Available packages

Among the available packages are the following:

split-gpg

Sets up split-gpg

sys-ssh-agent

This provides a form of split-ssh, where you can store ssh keys in sys-ssh-agent, and use them from other qubes. It's ideal where you have a number of keys and you want different qubes to be able to access different combinations of keys. You can configure different ssh-agents and allocate keys to them, and then control access to those agents using a standard qrexec policy.

cacher

Creates a caching proxy, working out of the box to cache Debian, Fedora, Arch and Ubuntu packages.
Templates are automatically configured to use the proxy, and repo definitions altered to allow for access to https repositories.

mullvad-vpn

Thanks to the folks at Mullvad VPN, this creates a qube ready for use with varieties of Mullvad VPN.
The package installs a Mullvad Proxy with the Mullvad GUI to make it easy to set up the VPN. It also creates a disposable template, so you can run disposables which have the Mullvad GUI and Mullvad browser pre-installed. You can use the Mullvad browser without using a Mullvad VPN - it's been developed with the Tor Browser team, to provide secure browsing out of the box.

proton-vpn

This creates a qube ready for use with varieties of Proton VPN.

sys-vpn

This creates a standard openvpn gateway, with a script to help with setup. Based on the classic

pihole

Creates a standalone pihole as a drop-in replacement for sys-firewall. Pihole aims to block ads and trackers.

sys-multimedia

Creates a "media" qube for storage of media files, and a disposable called "multimedia". The "media" qube is configured so that opening a file will launch multimedia, and play the file in the right app. By default multimedia is offline. This means that you can (fairly) safely work with content from untrusted sources. You can also edit files in the multimedia qube, using qvm-open-in-dvm as normal. The multimedia qube will automatically close when not in use.

mutt

This creates a mutt qube, with offlineimap, notmuch, ssh and rsync installed and configured. A setup script is included to help users with basic mutt configuration.

reader

This package provides a template configured with a range of useful software of particular help to terminal users.

More detailed information about these packages can be seen in the qubes-task tools.
We'll be adding more packages soon.

All these packages use new templates, based off debian-11-minimal. The source code is on GitHub - qubes-task, and in the shaker.

unman