Simple qube set-up in Qubes

There's a long-standing issue that Qubes users face: installing software and setting up new qubes. New users in particular find this difficult to deal with.
Look at the repeated posts in the Forum about how to set up a VPN. It's probably one of the major problems that new users have, besides learning to install and configure software in templates, so that they can use it in a qube. Again, look at the repeated "I installed X in my qube, and it disappeared when I restarted" posts. Many of the guides that are produced involve users copying shell scripts into dom0 or templates and running them.

We've been using simple salt formulas to help users with software installation and setup for some time. There's a long-standing issue in GitHub about how to handle such formulas. I think we should distribute them as signed packages, with scripts to implement the states when the package is installed. Users don't need to understand salt, or any of the complexity of working in Qubes.

What does this mean in practice?
Instead of a user finding a guide online, wondering whether to create a new template or qubes, copying code or scripts in to dom0 or a template, and running them, they just install a package.

Here's an example:
Let's say a user wants to set up a caching proxy, perhaps following my notes here.
They clone a template, install software into the template (remembering to mask the service in the template), create a qube, configure the qube, configure bind-dirs in the new qube, set up a new policy in dom0, and then change the repo definitions in all the templates so that the proxy can handle TLS requests.
Instead they install the 3isec-qubes-cacher package, and it's done for them. A new caching proxy is created and the system reconfigured to use it.

Trying it out

To test the water, we are making available a test repository, and a simple tool to access it.
The repository definition is:
name = 3isec Qubes Dom0 Repository (updates)
baseurl =$releasever/current/dom0/fc32
enabled = 1
metadata_expire = 6h
gpgcheck = 1
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-unman
Create a file in dom0 with this content at /etc/yum.repos.d/3isec-dom0.repo

All packages are signed with my Qubes OS Signing key.
You'll need to get this from a keyserver, or two, to make sure all is fine: or

You can also check the Qubes users mailing list or look on github.

Once you have copies of the key, check the fingerprint:

gpg -n --import --import-options import-show KEY_FILE
replacing KEY_FILE with the path to the key.
The output should look similar to this:
pub   rsa4096 2016-06-25 [SC]
      4B1F 400D F256 51B5 3C41  41B3 8B3F 30F9 C8C0 C2EF
uid           [ unknown] unman (Qubes OS signing key) 
sub   rsa4096 2016-06-27 [S] [expires: 2024-06-30]
sub   rsa4096 2016-06-25 [E]
In particular, check that the output from your command contains the fingerprint 4B1F 400D F256 51B5 3C41 41B3 8B3F 30F9 C8C0 C2EF.

When you are happy, copy the key in to dom0:

sudo mv RPM-GPG-KEY-unman /etc/pki/rpm-gpg/

Add the key to the rpm keyring:

sudo rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-unman 
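The fingerprint check above, scripted so that every downloaded copy of the key is compared against the fingerprint given on this page before anything is moved to dom0. This is an added example, not part of the original post; the function names are illustrative and the sample listings are constructed.

```shell
#!/bin/sh
# Added example (not from the original page). Run in the qube that holds the
# downloaded key copies, e.g.: sh check-key.sh key-from-server1 key-from-server2
EXPECTED_FPR="4B1F400DF25651B53C4141B38B3F30F9C8C0C2EF"   # fingerprint from this page

# Print the fingerprint of every primary key in `gpg --with-colons` output
# (the fpr record that follows a pub record; subkey fingerprints are skipped).
primary_fprs() {
    awk -F: '$1 == "pub" { want = 1; next }
             $1 == "fpr" && want { print toupper($10) }
             { want = 0 }'
}

# Succeed only if stdin lists exactly one primary key and it is the expected one.
# A file carrying an extra key fails: rpm --import would add every key in it.
check_listing() {
    [ "$(primary_fprs)" = "$EXPECTED_FPR" ]
}

# Check each key file without importing anything: -n is a dry run and
# import-show only lists what the file contains.
check_key_files() {
    for f in "$@"; do
        if gpg -n --import --import-options import-show --with-colons "$f" \
               2>/dev/null | check_listing; then
            echo "OK   $f"
        else
            echo "FAIL $f"; return 1
        fi
    done
}

# Constructed sample listings (every field except the page's fingerprint and
# key ID is made up) so the parser can be exercised without gpg.
sample_good() {
    cat <<'EOF'
pub:-:4096:1:8B3F30F9C8C0C2EF:1466812800:::-:
fpr:::::::::4B1F400DF25651B53C4141B38B3F30F9C8C0C2EF:
uid:-::::1466812800::::unman (Qubes OS signing key):
sub:-:4096:1:FDD1B8244731B36C:1466985600:::::s:
fpr:::::::::000000000000000000000000FDD1B8244731B36C:
EOF
}
sample_extra_key() {   # constructed: a second, unexpected primary key appended
    sample_good
    printf '%s\n' 'pub:-:4096:1:1111111111111111:1600000000:::-:' \
                  'fpr:::::::::1111111111111111111111111111111111111111:'
}

[ "$#" -eq 0 ] || check_key_files "$@"
```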

Installing the tool

You can download a package with a basic tool here.
Download that package, check the signature, transfer it to dom0, and install in dom0.
Let's say you have downloaded that package to Downloads in disp999.
Open a terminal window in disp999, and check the signature:
cd Downloads
rpm -qpi 3isec-qubes-task-manager-0.1-1.x86_64.rpm
On the Signature line you should see Key ID fdd1b8244731b36c. This is the signing subkey of my Qubes OS signing key; you can confirm this with
gpg --edit-key unman

To copy the file to dom0, open a terminal window in dom0 and run:

qvm-run -p disp999 'cat Downloads/3isec-qubes-task-manager-0.1-1.x86_64.rpm' > 3isec-qubes-task-manager-0.1-1.x86_64.rpm
Then install the package:
sudo dnf install ./3isec-qubes-task-manager-0.1-1.x86_64.rpm
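The Signature line only reports which key ID the package claims, so this added example (not from the original page) also requires rpm -K to verify the signature against the key imported earlier; it is meant to be run in dom0 after the copy and before the dnf install step. The function names are illustrative, the sample output is constructed, and the rpm -K wording is assumed to be that of rpm 4.14 and later.

```shell
#!/bin/sh
# Added example (not from the original page). Run in dom0 after the key has
# been added with rpm --import and the package copied in, before dnf install.
EXPECTED_KEYID="fdd1b8244731b36c"   # signing subkey ID given on this page

# Extract the key ID from the Signature line of `rpm -qpi` output (stdin).
# An unsigned package shows "(none)" there and yields an empty result.
sig_keyid() {
    sed -n 's/^Signature[[:space:]]*:.*Key ID \([0-9A-Fa-f]\{16\}\)[[:space:]]*$/\1/p' |
        tr 'A-F' 'a-f' | head -n 1
}

# Read `rpm -K` output (stdin). Assumes the wording used by rpm 4.14 and later:
# "digests signatures OK" when a signature was verified, "digests OK" when the
# package carries no signature, "SIGNATURES NOT OK" on a bad or unknown key.
checksig_ok() {
    grep -Eq ': .*signatures OK$'
}

verify_pkg() {
    pkg=$1
    if [ "$(rpm -qpi "$pkg" 2>/dev/null | sig_keyid)" != "$EXPECTED_KEYID" ]; then
        echo "REFUSE: $pkg is not signed with key ID $EXPECTED_KEYID"; return 1
    fi
    if ! rpm -K "$pkg" | checksig_ok; then
        echo "REFUSE: signature on $pkg did not verify"; return 1
    fi
    echo "OK: $pkg"
}

# Constructed sample of the relevant `rpm -qpi` lines (the date is made up).
sample_info() {
    cat <<'EOF'
Name        : 3isec-qubes-task-manager
Version     : 0.1
Signature   : RSA/SHA256, Tue 01 Mar 2022 10:00:00 UTC, Key ID fdd1b8244731b36c
EOF
}

[ "$#" -eq 0 ] || verify_pkg "$1"
```

dnf's localpkg_gpgcheck option is off by default, so installing a local file does not by itself enforce the signature check.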

Running the tool

To run, open a terminal in dom0. There's a command line tool, qubes-task, and a primitive GUI, qubes-task-gui.
Use should be obvious.

Available packages

At the moment we have the following:


Sets up split-gpg


This provides a form of split-ssh, where you can store ssh keys in sys-ssh-agent, and use them from other qubes. It's ideal where you have a number of keys and you want different qubes to be able to access different combinations of keys. You can configure different ssh-agents and allocate keys to them, and then control access to those agents using a standard qrexec policy.


Creates a caching proxy, working out of the box to cache Debian, Fedora, Arch and Ubuntu packages.
Templates are automatically configured to use the proxy, and repo definitions altered to allow for access to https repositories.


Thanks to the folk at Mullvad VPN this creates a qube ready for use with wireguard.
A set up program is added to the Qubes Menu to help configuration. All the user has to do is install the package, copy the wireguard configuration file (or zipped files) to the MullvadVPN qube, and run "Setup Mullvad VPN" from the Qubes menu.


This creates a standard openvpn gateway, with a script to help with setup. Based on the classic


Creates a pihole standalone as a drop in replacement for sys-firewall.


Creates a "media" qube for storage of media files, and a disposable called "multimedia". The "media" qube is configured so that opening a file will launch multimedia, and play the file in the right app. By default multimedia is offline. This means that you can (fairly) safely work with content from untrusted sources. You can also edit files in the multimedia qube, using qvm-open-in-dvm as normal. The multimedia qube will automatically close when not in use.


This creates a mutt qube, with offline imap, notmuch, ssh and rsync installed and configured. A set up script is included to help users with configuration.

More detailed information about these packages can be seen in the qubes-task tools.
We'll be adding more packages soon.

All these packages use new templates, based off debian-11-minimal. The source code is on GitHub - qubes-task, and in the shaker.