My feed

Here’s /srv/user_salt/pkgs/accounting.sls as an example. It uses the simplest way of installing programs, which is just listing them under pkg.installed which pulls them from your distros main repositories. This is the most preferable way to install software if it’s available.

# Install accounting tools
accounting--install-apps:
  pkg.installed:
    - pkgs:
      - hledger # Command-line plain text accounting
      - gnucash # Graphical GNU accounting suite

Here’s /srv/user_salt/pkgs/st.sls as an example. It takes a binary file that’s part of this salt repository, and moves it into the ~/usr/bin/ directory in a qube.

# Installs my build of st terminal
/usr/bin/st:
  file.managed:
    - source: salt://pkgs/bin/st.bin
    - user: root
    - group: root
    - mode: 777

Here’s /srv/user_salt/pkgs/signal.sls as an example. It starts by installing some dependencies using the most common pkg.installed method, then moves an install script /srv/user_salt/pkgs/install-scripts/signal-repo.sh into a qube and executes it to install the Signal messenger.

...

signal--repo-script:
  file.managed: # file.managed lets you place files from your salt repo into qubes
    - name: /usr/bin/install-repo # this is where the installation script is placed
    - source: salt://pkgs/install-scripts/signal-repo.sh # This is where the installation script was sourced
    - user: root # sets the owner of the file, you can usually default to root
    - group: root # sets the group of the file, you can usually default to root
    - mode: 777 # sets the permissions of the file, you can usually default to 777 (any user on the qube has permissions)

# This simply executes the install-repo script in a qube
'install-repo':
  cmd.run

Here’s the installation script that’s ran:

Your access to media should not be limited by money, nor should it be limited by technical ability. I want to demonstrate with this quick guide that torrenting is as accessible and easy as it’s ever been, using Free and open-source software.

qBittorrent is a Free and open-source BitTorrent client that supports tons of features, but you need to know much at all to get started. To install it, go to their downloads page website at https://www.qbittorrent.org/download and select the right option for your computer. It supports Windows, MacOS, and can be installed through most common package managers on Linux.

After it’s downloaded, install it like you would with any other program.

To let us search for media, we need to turn on qBittorrent’s search engine.

• Click the “View” button in the toolbar
• Check the “Search Engine” box There should now be a “Search” tab next to “Transfers” under the toolbar
• Click the “Search” tab
• Click “Search Plugins” at the bottom right
• Click “Check for updates”
• Click “Ok” and “Close” to exit the search plugins menu

• In the “Search” tab, click on the search bar, enter the name of some movie, and press Return. Very quickly, you should see many results, with slightly different titles, sizes, and numbers of “Seeders”, among other things.

“Seeders” refers to the computers that are hosting the media you want. In general, you want to download files being seeded by lots of computers to get the fastest download speeds possible

• Pick a result with a name indicating the media, resolution, and episodes/seasons you want. Double-click it
• A download prompt will appear. It has lots of settings, but you can simply click “Ok” to download it normally.

You can track the progress of torrents being downloaded in the “Transfers” tab. When it’s 100% complete, you can right-click the file, and click “Preview file” to have it play in your default media player.

If you’re feeling charitable, you can leave qBittorrent running in the background to seed the files for other users. It’ll help keep the media accessible for everyone, and improve download speeds for others. Using a VPN is recommended if you plan on leaving the client running for long periods of time.

The repository is now hosted on this site at https://git.skylarcloud.xyz, not Github! For up-to-date instructions, refer to the new README.org in the new repo, there have been lots of changes since the publishing of this post.

I’m publishing the janky V1 of my QubesOS configuration written with Saltstack. It’ll help set up a window manager, a couple of handy qubes, Doom Emacs, and the 3isec repo to jump-start your QubesOS experience.

It’s not new-user friendly yet, nor is it in a state where anyone can immediately download and apply it. At the very least you’ll need to change the references to my username to yours in the salt files, and make sure the Fedora-40-XFCE and the Debian-12-minimal template are installed on your system.

You can use my configuration almost as-is (just change the username references!) and it does work, but it’s not very feature-filled or optimized, and it’s probable that the next versions will conflict with it.

My configuration will install a few programs in dom0. It’s important that I put this at the top because generally, you want to limit the number of packages in dom0. Every new package is more attack surface on your most critical qube. I trust the programs I’ve chosen to add, and by using my configuration, you’re implicitly trusting them too.

Look in /srv/user_salt/ to find the related salt files and see the installed programs.

The 3isec repo is a handy repository of salt files with some miscellaneous utilities. The repository will be added to dom0, their gpg key will be added from this salt repository, and their graphical interface for it will be installed in dom0. You can start it with ’qubes-task-gui’ in dom0.

I usually install common, mirage-firewall, monitor, mullvad-vpn, and sys-multimedia.

Almost everything will be done out of the box, but here are some recommended finishing touches:

• Open Emacs in its app qube, run nerd-icons-install-fonts, and reload your Emacs configuration
• Optionally replace config files with your own /srv/user_salt/
• Optionally install any packages you’ll want with 3isec
• Set the storage and networking settings of your qubes to your preference (by default everything will be routed through your default net-qube, probably sys-firewall)

This project will develop over time as I learn more about Saltstack and continue to work on my personal configuration. I have lots of plans:

• Signal! I’m embarrassed to admit that I couldn’t figure out how to add the Signal repo/gpg-key to a template to install signal-desktop. It’s pretty easy to do imperatively, but it’ll be a no-brainer to automate once I know a little bit more about Saltstack.
• Replace more templates with minimal ones to save on startup-time/space/updates
• qmenu scrips with rofi to do more with the keyboard
• Browser configuration. I like to set my browsers up in a similar way almost every time with a couple of favorite extensions and configuration. I want to implement this in Saltstack asap.
• A handful of other simple qubes that I often end up creating over time
• Write and implement bash and elisp scripts to improve various QubesOS/Emacs workflows
• Generally improve at Saltstack to make the config more extendable/robust/optimized

I’ve spent significant time using QubesOS on various computers, and I’ve been thoroughly spoiled by the VM magic Zen and the Qubes team have enabled. For a few reasons though, I’ve recently switched my main laptop from running QubesOS to NixOS. NixOS is great: it’s declaratively managed, fast, stable, has tons of fresh packages, but I can’t help but feel like my trust in the system has decreased a little bit due to the lack of isolation via virtualization that QubesOS provides.

(3/1/2025 update: I’m using QubesOS again)

Luckily, while VMs are fantastic to use especially with QubesOS, it’s very much possible to get some of the benefits of QubesOS on a host Linux system like NixOS.

To demonstrate this, I’ll be going through a Whonix installation on NixOS using KVM, nix.configuration, and home-manager. I’ll talk a bit about the security trade-offs of using KVM over VirtualBox or on QubesOS, and how Whonix can be a useful tool for elevating your secure posture, protecting your host from malware and your activity from being deanonymized.

Whonix is a 2-VM setup for compartmentalizing your computing, and uses the Tor Network to keep your activity anonymous. It runs on KickSecure (hardened Debian).

The Whonix “Gateway” VM creates, maintains, and makes available a ’Tor-ified’ network connection for the Workstation.

The Whonix “Workstation” VM is where you’ll do your actual computing. It comes with a graphical XFCE desktop with a suite of applications. You can use the build-in Tor Browser to browse anonymously, or use any of the other included applications and have all of it routed through Tor.

Whonix supports 2 type-2 hypervisors: KVM and VirtualBox. KVM is build into the Linux kernel, and is thus fully Free Software. VirtualBox is developed and maintained by Oracle, and is not Free software. I’ll be using KVM for these examples, but there’s a convenient guide for VirtualBox.

Make sure to check the relevant NixOS and Whonix documentation to ensure these examples are up-to-date. Always be weary of executing commands from a random blog on the internet, and go to the source whenever possible.

• https://nixos.wiki/wiki/Virt-manager
• https://www.whonix.org/wiki/KVM

Some of this setup (packages, user groups, dconf settings, the actual virtualization setup) is declaratively configured, but many of the commands to set up Whonix are not. On a fresh NixOS system build with your configuration.nix, you’ll still need to download the Whonix images and set them up with the commands outlined below. It’s possible more (or even all?) of this could be done declaratively with more NixOS knowledge.

Use the virt-manager application to start Whonix-Gateway, and open its terminal. We’ll use setup-dist to create your Tor connection and otherwise prepare Whonix for use.

# Whonix Gateway VM
[gateway user ~]% sudo setup-dist

Upgrade the system to pull the latest packages:

# Whonix Gateway VM
[gateway user ~]% sudo apt-get dist-upgrade

Start the Whonix Workstation, and repeat the upgrade step:

# Whonix Workstation VM
[workstation user ~]% sudo apt-get dist-upgrade

Assuming the VMs are booting properly and can receive updates, you should be good to go! You now have a compartmentalized environment where your traffic will be anonymized, and any malware should generally be contained to the VM (sophisticated enough malware could theoretically jump the KVM hypervisor, but if that’s part of your threat model you probably shouldn’t be getting security advice from this blog :P)