My QubesOS Saltstack configuration
Intro
I’m publishing the janky V1 of my QubesOS configuration written with Saltstack. It’ll help set up a window manager, a couple of handy qubes, Doom Emacs, and the 3isec repo to jump-start your QubesOS experience.
It’s not new-user friendly yet, nor is it in a state where anyone can immediately download and apply it. At the very least you’ll need to change the references to my username to yours in the salt files, and make sure the Fedora-40-XFCE and Debian-12-minimal templates are installed on your system.
You can use my configuration almost as-is (just change the username references!) and it does work, but it’s not very feature-filled or optimized, and it’s probable that the next versions will conflict with it.
Link to repo on Github
Installation
Make sure state.user-dirs is active, then just move the repo to /srv/user_salt/ in dom0, and apply with sudo qubesctl --all state.apply
Resources for installation
- Community user guide for user-salt
  - https://forum.qubes-os.org/t/qubes-salt-beginners-guide/20126
  - This was the best resource I found as a beginner, I wasn’t able to get anything working until I stumbled on it
- Issue I sometimes run into from a fresh QubesOS install
  - https://github.com/QubesOS/qubes-issues/issues/8491
  - TL;DR: This is the solution that’s worked for me, pulled from the discussion:
    ln -s /srv/salt/qubes/user-dirs.top /srv/salt/_tops/base/user-dirs.top
Programs in dom0
My configuration will install a few programs in dom0. It’s important that I put this at the top because generally, you want to limit the number of packages in dom0. Every new package is more attack surface on your most critical qube. I trust the programs I’ve chosen to add, and by using my configuration, you’re implicitly trusting them too.
Look in /srv/user_salt/ to find the related salt files and see the installed programs.
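One way to do that review without reading every file by hand, as an added example (not code from the repository): a small scanner that lists the packages each .sls file requests through pkg.installed, reading the `pkgs:` block list, `name:` and bare-ID forms. The names packages_in_sls, audit_tree and SAMPLE_SLS are hypothetical, and the sample state file is constructed.

```python
import re
from pathlib import Path

SAMPLE_SLS = """# constructed sample, not taken from the repository
wm-packages:
  pkg.installed:
    - pkgs:
      - i3
      - rofi   # launcher
    - refresh: True
xfce4-terminal:
  pkg.installed: []
"""

def packages_in_sls(text):
    """Package names requested by pkg.installed states in one .sls (line scan, tolerates Jinja)."""
    found, state_id, explicit = set(), None, False
    depth = pkgs_depth = None          # indents of the active state / "- pkgs:" line
    for raw in text.splitlines() + ["end:"]:      # sentinel flushes the last state
        line = raw.split(" #")[0].rstrip()
        if not line.strip() or line.lstrip().startswith(("#", "{%", "{#")):
            continue
        indent = len(line) - len(line.lstrip())
        if depth is not None and indent <= depth:  # left the pkg.installed block
            if not explicit:
                found.add(state_id)                # no name/pkgs given: the ID is the package
            depth = pkgs_depth = None
        if indent == 0 and line.endswith(":"):
            state_id = line[:-1].strip()
        elif depth is None and re.match(r"\s+pkg\.installed:", line):
            depth, explicit = indent, False
        elif depth is not None:
            if pkgs_depth is not None and indent <= pkgs_depth:
                pkgs_depth = None                  # a sibling argument ends the pkgs list
            arg = re.match(r"\s*-\s*(name|pkgs):\s*(\S*)", line)
            if arg and arg.group(1) == "pkgs":
                pkgs_depth, explicit = indent, True
            elif arg and arg.group(2):
                found.add(arg.group(2).strip("'\""))
                explicit = True
            elif pkgs_depth is not None and line.lstrip().startswith("- "):
                found.add(line.lstrip()[2:].split(":")[0].strip("'\" "))
    return sorted(found)

def audit_tree(root):
    """Map each .sls file under root to the packages it installs."""
    scans = ((p, packages_in_sls(p.read_text(errors="replace")))
             for p in sorted(Path(root).rglob("*.sls")))
    return {str(p.relative_to(root)): pkgs for p, pkgs in scans if pkgs}
```

Calling audit_tree("/srv/user_salt") in dom0 gives a per-file package list; compare it against the states your top file assigns to dom0 to see what ends up there.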
Window Management
i3
i3 is a tiling window manager. It’s used primarily through the keyboard, so muscle memory can operate everything very quickly once you get used to it. When a window is opened, it will be ’tiled’, maximizing screen space. To open windows, rofi is used to search for applications and qubes.
Keybindings
You can navigate i3 with ’vim-like’ keybindings, inspired by the vi text editor. Some basic keybindings are shown below, and you can see many more by reading i3’s config file at /srv/user_salt/dots/i3
- S = Shift key
- mod = Windows/Command key
| keybinding | function |
|---|---|
| mod + h/j/k/l | move focus left/down/up/right |
| mod + S + h/j/k/l | move focused window left/down/up/right |
| mod + d | search/launch programs with rofi |
| mod + S + d | switch between windows with rofi |
| mod + S + g | window gap settings menu |
Misc
wm.sls will do a few other smaller things:
- Sets my default wallpaper
- Sets xrandr default screenlayout, replace using ARandR
- Creates X11 touchpad configuration for tap-to-click + natural scrolling
- Sources default .bashrc config into /root/ and /home/skylar/ from /srv/user_salt/dots/.bashrc
- Prioritize xfce4-terminal in /usr/bin/qubes-i3-sensible-terminal
- Symlink rofi in place of dmenu
My qubes
Emacs
If you’re a Doom Emacs user (there are dozens of us!) this will hopefully make your life slightly easier.
A template and app qube for Emacs will be created, Doom Emacs will automatically be installed inside the app qube, and the contents of (in dom0) /srv/user_salt/dots/doom-emacs will be added to the Doom Emacs qube.
My personal configuration is in the repository and will be written by default, but it’s super simple to replace for your own (just find the directory mentioned above). I’ve done very little with my configuration, and use it basically as it comes out-of-the-box.
Torrenting
A template and app qube for qBittorrent will be created. The gruvbox theme that I use will be moved from dom0 to the app qube so it’s easy to apply.
qBittorrent is a torrent client that lets you search for and download large files, particularly media files. You can enable the built-in search utility by doing the following:
- Navigate to the “View” menu at the top of the window
- Enable the “Search Engine” option
- A new tab should show up slightly below called “Search”, click it
- In the new menu, click “Search plugins…” at the bottom
- Click “Check for updates”
- Once the search plugins are installed for a default list of trackers, you can close the window and search for media.
VPN use
If you’re downloading copyrighted content in an area where it’s illegal, I would strongly urge you to consider using a VPN to hide your IP address. LE is unlikely to bust down your door for watching Spongebob, but copyright holders can and will send letters to your ISP, which can eventually get your internet service shut off if you continue. Tor can be used, but it’s extremely slow, and hogs a lot of bandwidth on the network.
Personally, I use Mullvad and don’t have any complaints. Proton and IVPN are reputable as well.
Personal/work email
A template for email will be created, and two app qubes, “email-personal” and “email-work”. These just have the Thunderbird email client installed so you can sign into your accounts.
3isec
The 3isec repo is a handy repository of salt files with some miscellaneous utilities. The repository will be added to dom0, their gpg key will be added from this salt repository, and their graphical interface for it will be installed in dom0. You can start it with ’qubes-task-gui’ in dom0.
I usually install common, mirage-firewall, monitor, mullvad-vpn, and sys-multimedia.
Post install
Almost everything will be done out of the box, but here are some recommended finishing touches:
- Open Emacs in its app qube, run nerd-icons-install-fonts, and reload your Emacs configuration
- Optionally replace config files with your own in /srv/user_salt/
- Optionally install any packages you’ll want with 3isec
- Set the storage and networking settings of your qubes to your preference (by default everything will be routed through your default net-qube, probably sys-firewall)
What’s next?
This project will develop over time as I learn more about Saltstack and continue to work on my personal configuration. I have lots of plans:
- Signal! I’m embarrassed to admit that I couldn’t figure out how to add the Signal repo/gpg-key to a template to install signal-desktop. It’s pretty easy to do imperatively, but it’ll be a no-brainer to automate once I know a little bit more about Saltstack.
- Replace more templates with minimal ones to save on startup-time/space/updates
- qmenu scripts with rofi to do more with the keyboard
- Browser configuration. I like to set my browsers up in a similar way almost every time with a couple of favorite extensions and configuration. I want to implement this in Saltstack asap.
- A handful of other simple qubes that I often end up creating over time
- Write and implement bash and elisp scripts to improve various QubesOS/Emacs workflows
- Generally improve at Saltstack to make the config more extendable/robust/optimized