My feed


Prepping for v2 of my salt repo   note

I’ve massively restructured my salt repo and added enough features that I’m going to make a new repository and release it again in full, as a 2.0 version. This should be done within the next week or two.

Methods of installing software in QubesOS with Saltstack   post

Here are various methods of installing software that I’ve used in my personal salt configuration.

pkg.installed

Here’s /srv/user_salt/pkgs/accounting.sls as an example. It uses the simplest way of installing programs: listing them under pkg.installed, which pulls them from your distro’s main repositories. This is the preferred way to install software whenever the package is available there.

# Install accounting tools
accounting--install-apps:
  pkg.installed:
    - pkgs:
      - hledger # Command-line plain text accounting
      - gnucash # Graphical GNU accounting suite

Move a binary file into /usr/bin

Here’s /srv/user_salt/pkgs/st.sls as an example. It takes a binary file that’s part of this salt repository and moves it into the /usr/bin/ directory in a qube.

# Installs my build of st terminal
/usr/bin/st:
  file.managed:
    - source: salt://pkgs/bin/st.bin
    - user: root
    - group: root
    - mode: 777

Install from third-party repo with a script

Here’s /srv/user_salt/pkgs/signal.sls as an example. It starts by installing some dependencies using the most common pkg.installed method, then moves an install script /srv/user_salt/pkgs/install-scripts/signal-repo.sh into a qube and executes it to install the Signal messenger.

...

signal--repo-script:
  file.managed: # file.managed lets you place files from your salt repo into qubes
    - name: /usr/bin/install-repo # this is where the installation script is placed
    - source: salt://pkgs/install-scripts/signal-repo.sh # This is where the installation script was sourced
    - user: root # sets the owner of the file, you can usually default to root
    - group: root # sets the group of the file, you can usually default to root
    - mode: 777 # sets the permissions of the file, you can usually default to 777 (any user on the qube has permissions)

# This simply executes the install-repo script in a qube
'install-repo':
  cmd.run

Here’s the installation script that’s run:

/srv/user_salt/pkgs/install-scripts/signal-repo.sh

#!/bin/sh
# Retrieves Signal's key for verifying the package
# The request is proxied through 127.0.0.1:8082 to allow the template qube to access the internet
# Plain tee (not tee -a) so re-applying the state overwrites the keyring instead of appending a duplicate copy of the key
sudo curl --proxy 127.0.0.1:8082 -s https://updates.signal.org/desktop/apt/keys.asc | gpg --dearmor | sudo tee /usr/share/keyrings/signal-desktop-keyring.gpg > /dev/null

# Defines Signal's repo in /etc/apt/sources.list.d/
echo 'deb [arch=amd64 signed-by=/usr/share/keyrings/signal-desktop-keyring.gpg] https://updates.signal.org/desktop/apt xenial main' | sudo tee /etc/apt/sources.list.d/signal-xenial.list

# Updates packages and installs signal-desktop through the newly configured repository
sudo apt update
sudo apt install signal-desktop -y
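The same file.managed + cmd.run pattern with a tighter file mode and a guard so the script only runs once, as an added example rather than the repo’s own signal.sls. The state IDs and the /etc/apt/sources.list.d/signal-xenial.list path are taken from the post above; the dependency package list is an assumption, since the post elides it.

```yaml
# /srv/user_salt/pkgs/signal.sls (hardened variant, added example)
# Packages the repo script needs. This list is assumed; the post does not show the original one.
signal--dependencies:
  pkg.installed:
    - pkgs:
      - curl
      - gnupg

signal--repo-script:
  file.managed:
    - name: /usr/bin/install-repo
    - source: salt://pkgs/install-scripts/signal-repo.sh
    - user: root
    - group: root
    # 0755 instead of 777: still executable by everyone, but only root can
    # modify a script that is later executed as root.
    - mode: '0755'
    - require:
      - pkg: signal--dependencies

signal--install:
  cmd.run:
    - name: /usr/bin/install-repo
    # The script writes this file, so a second state.apply skips the script
    # instead of re-downloading the key and re-running apt.
    - creates: /etc/apt/sources.list.d/signal-xenial.list
    - require:
      - file: signal--repo-script
```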

Website update   note

I’ve changed a few things about the website:

The blog posts have been consolidated into a single org document. I like the feeling of having one large waterfall of writing, with a level-one table of contents to navigate the posts.

I’ve figured out how to create an RSS feed using ox-rss, which makes it easy to generate an XML feed from the newly-consolidated feed.org document. You can now follow my feed from any RSS reader!

https://git.skylarcloud.xyz now has a repo with the org and html files used for this site.

Convenient torrenting with qBittorrent   post

Introduction

Your access to media should not be limited by money, nor should it be limited by technical ability. I want to demonstrate with this quick guide that torrenting is as accessible and easy as it’s ever been, using Free and open-source software.

Install qBittorrent

qBittorrent is a Free and open-source BitTorrent client that supports tons of features, but you don’t need to know much at all to get started. To install it, go to their downloads page at https://www.qbittorrent.org/download and select the right option for your computer. It supports Windows and macOS, and can be installed through most common package managers on Linux.

After it’s downloaded, install it like you would with any other program.

Enable the search engine

To let us search for media, we need to turn on qBittorrent’s search engine.

  • Click the “View” button in the toolbar
  • Check the “Search Engine” box. There should now be a “Search” tab next to “Transfers” under the toolbar
  • Click the “Search” tab
  • Click “Search Plugins” at the bottom right
  • Click “Check for updates”
  • Click “Ok” and “Close” to exit the search plugins menu

Search for and download some media

  • In the “Search” tab, click on the search bar, enter the name of some movie, and press Return. Very quickly, you should see many results, with slightly different titles, sizes, and numbers of “Seeders”, among other things.

“Seeders” refers to the computers that are hosting the media you want. In general, you want to download files being seeded by lots of computers to get the fastest download speeds possible.

  • Pick a result with a name indicating the media, resolution, and episodes/seasons you want. Double-click it
  • A download prompt will appear. It has lots of settings, but you can simply click “Ok” to download it normally.

Now just wait

You can track the progress of torrents being downloaded in the “Transfers” tab. When it’s 100% complete, you can right-click the file, and click “Preview file” to have it play in your default media player.

If you’re feeling charitable, you can leave qBittorrent running in the background to seed the files for other users. It’ll help keep the media accessible for everyone, and improve download speeds for others. Using a VPN is recommended if you plan on leaving the client running for long periods of time.

Extra tips

Consider using a VPN

Some copyright holders use bots to detect users downloading their media. If you’re not using a VPN, these companies can see your IP and potentially send complaints to your ISP. If you download many things and want to keep your ISP happy, using a VPN will ensure your torrenting can’t be traced to your IP address. I personally use and recommend Mullvad ($5/month for 5 devices), but there are other reputable ones like Proton and IVPN.

Stream Media

When you go to download a torrent and the download prompt pops up, you can optionally select “Download first and last pieces first” and “Download in sequential order”.

This will likely make the total download take longer, but by downloading it in order, you can stream it in real time. Wait until about 5% of the download is complete, then you can watch it while the rest downloads live in the background.

Hosting a media server with Jellyfin

Jellyfin is a Free and open-source media-hosting server you can run on your computer. It’ll let you sign in to your library on a smart TV, other devices on your local network, or in a browser.

Setting it up is outside the scope of this post, but I highly recommend it. It basically just consists of downloading the server, configuring your libraries, installing the clients on your other devices, and logging in to your server.

https://jellyfin.org/

QubesOS Saltstack configuration v1   post

Notice:

The repository is now hosted on this site at https://git.skylarcloud.xyz, not GitHub! For up-to-date instructions, refer to the new README.org in the new repo; there have been lots of changes since this post was published.

Intro

I’m publishing the janky V1 of my QubesOS configuration written with Saltstack. It’ll help set up a window manager, a couple of handy qubes, Doom Emacs, and the 3isec repo to jump-start your QubesOS experience.

It’s not new-user friendly yet, nor is it in a state where anyone can immediately download and apply it. At the very least you’ll need to change the references to my username to yours in the salt files, and make sure the Fedora-40-XFCE and the Debian-12-minimal template are installed on your system.

You can use my configuration almost as-is (just change the username references!) and it does work, but it’s not very feature-filled or optimized, and it’s probable that the next versions will conflict with it.

Link to repo on GitHub

https://github.com/bumbleoats/My-QubesOS-Configuration <- See the notice at the top of this post

Installation

Make sure state.user-dirs is active, then just move the repo to /srv/user_salt/ in dom0, and apply it with sudo qubesctl --all state.apply.

Programs in dom0

My configuration will install a few programs in dom0. It’s important that I put this at the top because generally, you want to limit the number of packages in dom0. Every new package is more attack surface on your most critical qube. I trust the programs I’ve chosen to add, and by using my configuration, you’re implicitly trusting them too.

Look in /srv/user_salt/ to find the related salt files and see the installed programs.

Window Management

i3

i3 is a tiling window manager. It’s used primarily through the keyboard, so muscle memory can operate everything very quickly once you get used to it. When a window is opened, it will be ’tiled’, maximizing screen space. To open windows, rofi is used to search for applications and qubes.

  • Keybindings

    You can navigate i3 with ’vim-like’ keybindings, inspired by the vi text editor. Some basic keybindings are shown below, and you can see many more by reading i3’s config file at /srv/user_salt/dots/i3

    • S = Shift key
    • mod = Windows/Command key

    keybinding           function
    mod + h/j/k/l        move focus left/down/up/right
    mod + S + h/j/k/l    move focused window left/down/up/right
    mod + d              search/launch programs with rofi
    mod + S + d          switch between windows with rofi
    mod + S + g          window gap settings menu

Misc

wm.sls will do a few other smaller things:

  • Sets my default wallpaper
  • Sets the default xrandr screen layout (replace it using ARandR)
  • Creates X11 touchpad configuration for tap-to-click + natural scrolling
  • Sources default .bashrc config into /root/ and /home/skylar/ from /srv/user_salt/dots/.bashrc
  • Prioritizes xfce4-terminal in /usr/bin/qubes-i3-sensible-terminal
  • Symlinks rofi in place of dmenu

My qubes

Emacs

If you’re a Doom Emacs user (there are dozens of us!) this will hopefully make your life slightly easier.

A template and app qube for Emacs will be created, Doom Emacs will automatically be installed inside the app qube, and the contents of (in dom0) /srv/user_salt/dots/doom-emacs will be added to the Doom Emacs qube.

My personal configuration is in the repository and will be written by default, but it’s super simple to replace with your own (just find the directory mentioned above). I’ve done very little with my configuration, and use it basically as it comes out-of-the-box.

Torrenting

A template and app qube for qBittorrent will be created. The gruvbox theme that I use will be moved from dom0 to the app qube so it’s easy to apply.

qBittorrent is a torrent client that lets you search for and download large files, particularly media files. You can enable the built-in search utility by doing the following:

  1. Navigate to the “View” menu at the top of the window
  2. Enable the “Search Engine” option
  3. A new tab should show up slightly below called “Search”, click it
  4. In the new menu, click “Search plugins…” at the bottom
  5. Click “Check for updates”
  6. Once the search plugins are installed for a default list of trackers, you can close the window and search for media.
  • VPN use

    If you’re downloading copyrighted content in an area where it’s illegal, I would strongly urge you to consider using a VPN to hide your IP address. LE is unlikely to bust down your door for watching Spongebob, but copyright holders can and will send letters to your ISP, which can eventually get your internet service shut off if you continue. Tor can be used, but it’s extremely slow, and hogs a lot of bandwidth on the network.

    Personally, I use Mullvad and don’t have any complaints. Proton and IVPN are reputable as well.

Personal/work email

A template for email will be created, and two app qubes, “email-personal” and “email-work”. These just have the Thunderbird email client installed so you can sign into your accounts.

3isec

The 3isec repo is a handy repository of salt files with some miscellaneous utilities. The repository will be added to dom0, their gpg key will be added from this salt repository, and their graphical interface for it will be installed in dom0. You can start it with ’qubes-task-gui’ in dom0.

I usually install common, mirage-firewall, monitor, mullvad-vpn, and sys-multimedia.

Post install

Almost everything will be done out of the box, but here are some recommended finishing touches:

  • Open Emacs in its app qube, run nerd-icons-install-fonts, and reload your Emacs configuration
  • Optionally replace config files in /srv/user_salt/ with your own
  • Optionally install any packages you’ll want with 3isec
  • Set the storage and networking settings of your qubes to your preference (by default everything will be routed through your default net-qube, probably sys-firewall)

What’s next?

This project will develop over time as I learn more about Saltstack and continue to work on my personal configuration. I have lots of plans:

  • Signal! I’m embarrassed to admit that I couldn’t figure out how to add the Signal repo/gpg-key to a template to install signal-desktop. It’s pretty easy to do imperatively, but it’ll be a no-brainer to automate once I know a little bit more about Saltstack.
  • Replace more templates with minimal ones to save on startup-time/space/updates
  • qmenu scripts with rofi to do more with the keyboard
  • Browser configuration. I like to set my browsers up in a similar way almost every time with a couple of favorite extensions and configuration. I want to implement this in Saltstack ASAP.
  • A handful of other simple qubes that I often end up creating over time
  • Write and implement bash and elisp scripts to improve various QubesOS/Emacs workflows
  • Generally improve at Saltstack to make the config more extendable/robust/optimized

Create an anonymous Whonix environment with KVM + NixOS   post

The why

I’ve spent significant time using QubesOS on various computers, and I’ve been thoroughly spoiled by the VM magic Xen and the Qubes team have enabled. For a few reasons though, I’ve recently switched my main laptop from running QubesOS to NixOS. NixOS is great: it’s declaratively managed, fast, stable, has tons of fresh packages, but I can’t help but feel like my trust in the system has decreased a little bit due to the lack of isolation via virtualization that QubesOS provides.

(3/1/2025 update: I’m using QubesOS again)

Luckily, while VMs are fantastic to use especially with QubesOS, it’s very much possible to get some of the benefits of QubesOS on a host Linux system like NixOS.

To demonstrate this, I’ll be going through a Whonix installation on NixOS using KVM, configuration.nix, and home-manager. I’ll talk a bit about the security trade-offs of using KVM over VirtualBox or on QubesOS, and how Whonix can be a useful tool for elevating your security posture, protecting your host from malware and your activity from being deanonymized.

What’s Whonix?

Whonix is a 2-VM setup for compartmentalizing your computing, and uses the Tor Network to keep your activity anonymous. It runs on KickSecure (hardened Debian).

The Whonix “Gateway” VM creates, maintains, and makes available a ’Tor-ified’ network connection for the Workstation.

The Whonix “Workstation” VM is where you’ll do your actual computing. It comes with a graphical XFCE desktop with a suite of applications. You can use the built-in Tor Browser to browse anonymously, or use any of the other included applications and have all of it routed through Tor.

KVM vs VirtualBox

Whonix supports 2 type-2 hypervisors: KVM and VirtualBox. KVM is built into the Linux kernel, and is thus fully Free Software. VirtualBox is developed and maintained by Oracle, and is not Free software. I’ll be using KVM for these examples, but there’s a convenient guide for VirtualBox.

KVM vs QubesOS Xen

Hypervisor simplicity

KVM is part of the Linux kernel, meaning that the virtualization is being done by a larger, monolithic program than a type-1 hypervisor like Xen, with a larger attack surface.

Type-1 vs type-2 hypervisor

KVM runs on a host Linux system, and therefore the contents of the VM are only as secure as the host system. This is perhaps the biggest downside to running this KVM setup over Qubes in terms of security. I’d recommend delegating any risky activity to VMs like Whonix to try to mitigate the risk of malware running on your host system.

No sys-net/firewall/usb/audio/etc.

QubesOS uses VMs to compartmentalize the hardware, and running Whonix on a Linux host keeps those in the domain of the large Linux kernel.

Performance

Whonix on KVM performs about as well as on QubesOS (varying based on how much virtual CPU/memory you allocate of course), but a big benefit of having a Linux host is that the applications run in it won’t be slowed down by virtualization. Risky activities can be compartmentalized while keeping the main system fast and convenient to use.

Relevant Whonix security documentation

The advantages QubesOS has over KVM listed above are just a few basic examples. QubesOS has a much more robust security model in many ways, and if your security is essential, you should understand the downsides:

Installing Whonix on KVM

Make sure to check the relevant NixOS and Whonix documentation to ensure these examples are up-to-date. Always be wary of executing commands from a random blog on the internet, and go to the source whenever possible.

Some of this setup (packages, user groups, dconf settings, the actual virtualization setup) is declaratively configured, but many of the commands to set up Whonix are not. On a fresh NixOS system built with your configuration.nix, you’ll still need to download the Whonix images and set them up with the commands outlined below. It’s possible more (or even all?) of this could be done declaratively with more NixOS knowledge.

Installing KVM + Virt-manager

Enable libvirtd and virt-manager

  # /etc/nixos/configuration.nix
  virtualisation.libvirtd.enable = true;
  programs.virt-manager.enable = true;

Add user to the libvirtd group

  # /etc/nixos/configuration.nix
  # Replace USER with your username
  # extraGroups will likely be populated, just add libvirtd to whatever's already there
  users.users.USER = {
    extraGroups = [ "libvirtd" ];
  };

Enable qemu connection by adding dconf settings through home-manager

  # /etc/nixos/configuration.nix
  # Replace USER with your username
  home-manager.users.USER = { pkgs, ... }: {
    # Point virt-manager to qemu as a source for virtualization
    dconf.settings = {
      "org/virt-manager/virt-manager/connections" = {
        autoconnect = ["qemu:///system"];
        uris = ["qemu:///system"];
      };
    };
  };

Start qemu’s virtual networking, allowing VMs to communicate

# Start qemu networking
sudo virsh -c qemu:///system net-autostart default
sudo virsh -c qemu:///system net-start default

Download the Whonix XFCE .qcow archive

  • You can get the most up-to-date versions directly from their website:
    • https://www.whonix.org/wiki/KVM#Download_Whonix
    • You can optionally append ’.torrent’ to the direct download URL on their site to download the torrent file. This can be used in any BitTorrent client to download with faster speeds and without using as much of the project’s bandwidth. If you have a BitTorrent client I recommend this method.

Extract the archive

Make sure your working directory and archive are both in your home directory. (You may need to mv ~/Downloads/Whonix* ~/)

# Unpacking archive with gnu tar
[~/]$ tar -xvf Whonix*.libvirt.xz

Agree to the Whonix Binary License Agreement

To read the agreement, use:

# Prints the license agreement
[~/]$ more WHONIX_BINARY_LICENSE_AGREEMENT

Assuming you agree:

# Creates an empty file "..._accepted" that tells Whonix you agree
[~/]$ touch WHONIX_BINARY_LICENSE_AGREEMENT_accepted

Setup Whonix virtual networks

# Add virtual networks
sudo virsh -c qemu:///system net-define Whonix_external*.xml
sudo virsh -c qemu:///system net-define Whonix_internal*.xml

# Activate the networks
sudo virsh -c qemu:///system net-autostart Whonix-External
sudo virsh -c qemu:///system net-start Whonix-External
sudo virsh -c qemu:///system net-autostart Whonix-Internal
sudo virsh -c qemu:///system net-start Whonix-Internal

Import Whonix Gateway and Workstation images

# Creates two qemu profiles for the Whonix VMs
sudo virsh -c qemu:///system define Whonix-Gateway*.xml
sudo virsh -c qemu:///system define Whonix-Workstation*.xml

Image File Installation

# Assigns those qemu VMs to the Whonix .qcow2 images
[~/]$ sudo mv Whonix-Gateway*.qcow2 /var/lib/libvirt/images/Whonix-Gateway.qcow2
[~/]$ sudo mv Whonix-Workstation*.qcow2 /var/lib/libvirt/images/Whonix-Workstation.qcow2

Remove Whonix home clutter

# WARNING: running this command will delete every file that starts with "Whonix" or "WHONIX" in your working directory.
[~/]$ rm Whonix*
[~/]$ rm -r WHONIX*

Post-installation

Use the virt-manager application to start Whonix-Gateway, and open its terminal. We’ll use setup-dist to create your Tor connection and otherwise prepare Whonix for use.

# Whonix Gateway VM
[gateway user ~]% sudo setup-dist

Upgrade the system to pull the latest packages:

# Whonix Gateway VM
[gateway user ~]% sudo apt-get dist-upgrade

Start the Whonix Workstation, and repeat the upgrade step:

# Whonix Workstation VM
[workstation user ~]% sudo apt-get dist-upgrade

Using Whonix

Assuming the VMs are booting properly and can receive updates, you should be good to go! You now have a compartmentalized environment where your traffic will be anonymized, and any malware should generally be contained to the VM (sophisticated enough malware could theoretically jump the KVM hypervisor, but if that’s part of your threat model you probably shouldn’t be getting security advice from this blog :P)

Some tips

  • Basic applications
    • Tor Browser: Fingerprinting-resistant browser made for anonymous internet use
    • VLC: Video player capable of playing almost any media file you throw at it
    • KeePassXC: Offline password manager
    • GPA (Gnu privacy assistant): Graphical manager for GPG/crypto functions
    • Electrum: Bitcoin wallet
    • Thunderbird: Mozilla email/calendar/RSS client
    • and more!
  • Staying secure and anonymous

    Think before you act! Whonix gives you a good platform for staying anonymous, but you can absolutely de-anonymize yourself if you’re not careful.

    • If you’re signing into a service over Tor, understand that the service can tie your actions to your current Tor identity. You can’t sign into your personal Facebook over Tor and expect that Facebook won’t know exactly who you are.
    • If you’re talking in some IRC channel, be skeptical about sharing information about yourself.
    • If you’re using Electrum wallet to manage Bitcoin, understand the privacy implications of Bitcoin and where you’re sending/receiving from.
    • Installing extra extensions in the Tor Browser can affect your footprint and make you stand out from other Whonix users.
    • etc, etc, etc

    There are an uncountable number of ways you could de-anonymize yourself, so stay vigilant. Understand the technology you’re using, the information you’re putting out, and put yourself in the perspective of an adversary trying to de-anonymize you.

    • Use a live system when possible

      When you’re booting the Workstation VM, you can select the option to run it ’live’. This means that when you shut down the VM, everything you did during the session is erased.

      This can be useful if, say, you’re visiting a sketchy site and end up installing malware. Just reboot the VM and you’re back to a clean state.

      Ideally, you should only use Whonix persistently for updating and installing packages from the Whonix repositories. You may also want to use a persistent session for setting up credentials in your KeePassXC database or setting up GPG keys, but keep as much sporadic browsing as possible in the live mode.

    • Optionally disable JavaScript in Tor Browser

      JavaScript adds a massive attack surface to your browser, and disabling it can remove entire categories of browser-based malware. But many, many sites rely on JavaScript for basic functionality.

      Personally, I keep JavaScript on because I trust KVM to contain malware relatively well, and I only use the Tor Browser in live mode so any potential malware will be wiped on reboot.

      If you care about further hardening the setup, and are willing to break many websites, JavaScript can easily be disabled by setting the Tor Browser security level to the highest option.

Created: 2025-04-03 Thu 02:49