thisago's blog

(gu|n)ix


Today I migrated all my qubes to my new TemplateVM: fedora-42-minimal-ix. AppVMs of "ix series".1

My previous installation was basically installing Fedora packages on a single TemplateVM and taking AppVMs from it. But now, after some weeks of qube creation and deletion, I learned a lot of things about:

And this is a quick overview of the mental image left from this period.

During the migration journey I wanted to document everything needed to replicate it later, so I wrote this tutorial, which I recommend you take a look at.

Learnings

Chezmoi does a great job

Since it's a migration, a cleaning is a good idea. So I removed unneeded dependencies, apps and tools, such as:

  • Replaced gum with fzf in my daily-use bash script, because the official Guix channel doesn't have gum yet.
  • Removed opencode and Firefox config. I think I'm going in the right direction for privacy.
  • Cleaned up my Doom Emacs packages.

During the cleaning, and while checking my old installation notes for this old setup (fonts, needed packages, etc.), I took the opportunity to make it fully automatic, and Chezmoi does a great job with its scripts system. Simple and powerful.

QubesOS is powerful

  • TemplateVM /etc/skew2 is the initial structure for the AppVM /home/user, and /var/local.orig for /var/local/ at AppVM.
  • The minimal template brought me some better understanding of how things work.
  • Getting familiar with dom0 commands for managing qubes (qvm-…). Very powerful.
  • The ease of creating and deleting complete systems is excellent; it reduces the fear of making mistakes.
  • Despite being small, the community is pretty active and very nice.

Next steps for QubesOS:

  • Migrate my setup to SaltStack, and the abstraction made for the installation steps will help.
  • Understand better how to separate my qubes; it's hard to define boundaries across personal interests, behavioral habits and access control (accounts). But an enjoyable task.
  • Figure out how to make use of DispVMs without losing work and pushing things to the internet. Maybe some local service or system to grab the data.3
    • How to handle unexpected shutdowns or crashes?
    • Can it be a daily driver?
  • Disposable sys-net
  • Split GPG

Nix is a good idea4

I added it to my TemplateVM together with Guix to handle the initial adaptation to Guix, using nix-shell for packages that the official Guix channel still lacks while my personal channel is not ready yet.

This decision was good to:

  • Understand its basics and structure overview.
  • Make it familiar for later uses.

I'm interested in playing with it for infrastructure and CI later.

Guix

I like Guix. Somewhere in the past I had GuixOS as my main OS, but I didn't really dive into the gold: custom channels and its fully declarative system.

I want to use it as a single source of truth for Linux subsystems, maybe migrate the non-QubesOS computers to GuixOS, and set up my local substitute server for local builds of whatever I can.

Maybe also use it in CI environments with prebuilt systems for my offline infra, all batteries included.

But I'll need to be careful with old packages that haven't been bumped yet. Luckily Guix provides a tool to retrieve the CVEs:

guix lint -c cve | head
gnu/packages/admin.scm:1329:2: shadow@4.13: probably vulnerable to CVE-2023-29383
gnu/packages/admin.scm:2749:2: hostapd@2.10: probably vulnerable to CVE-2025-24912, CVE-2022-37660
gnu/packages/admin.scm:2065:2: libpcap@1.10.1: probably vulnerable to CVE-2024-8006, CVE-2023-7256
gnu/packages/admin.scm:2508:2: opendoas@6.8.2: probably vulnerable to CVE-2023-28339
gnu/packages/animation.scm:67:2: rlottie@0.2: probably vulnerable to CVE-2025-0634, CVE-2025-53075, CVE-2025-53074, CVE-2025-53076
gnu/packages/assembly.scm:252:2: yasm@1.3.0: probably vulnerable to CVE-2023-30402, CVE-2023-31972, CVE-2023-31974, CVE-2023-31975, CVE-2023-31973, CVE-2023-51258
gnu/packages/augeas.scm:41:2: augeas@1.14.1: probably vulnerable to CVE-2025-2588
gnu/packages/avahi.scm:42:2: avahi@0.8: probably vulnerable to CVE-2023-38469, CVE-2023-38470, CVE-2023-38471, CVE-2023-38472, CVE-2023-38473
gnu/packages/backup.scm:265:2: libarchive@3.7.7: probably vulnerable to CVE-2025-1632, CVE-2025-25724, CVE-2025-5914, CVE-2025-5915, CVE-2025-5916, CVE-2025-5917, CVE-2025-5918
gnu/packages/base.scm:941:2: glibc@2.41: probably vulnerable to CVE-2025-5702, CVE-2025-5745
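As an added example (not the post's own code), here is a small shell script that turns lint output like the above into a per-package CVE count and narrows it to the packages actually installed in a profile, since linting the whole tree reports far more than what a given template ships. It assumes awk, sort, cut and tr are available and that the installed list is in the tab-separated format of guix package -I (name, version, output, store path); the sample lint lines are copied from the run above, the installed list is constructed, and its store paths are placeholders.

```shell
#!/usr/bin/env bash
# Added example, not code from the blog post. It turns `guix lint -c cve`
# output into a per-package CVE count and filters it to the packages that
# are actually installed, since linting the whole tree is noisy.
# Assumes: awk, sort, cut and tr are available; the installed-package list
# is in the tab-separated format of `guix package -I` (name, version,
# output, store path).

# Sample lint output, copied from the post's own run (three lines of it).
SAMPLE_LINT_OUTPUT='gnu/packages/admin.scm:1329:2: shadow@4.13: probably vulnerable to CVE-2023-29383
gnu/packages/admin.scm:2749:2: hostapd@2.10: probably vulnerable to CVE-2025-24912, CVE-2022-37660
gnu/packages/base.scm:941:2: glibc@2.41: probably vulnerable to CVE-2025-5702, CVE-2025-5745'

# Constructed installed-package list; the store paths are placeholders.
SAMPLE_INSTALLED=$(printf 'glibc\t2.41\tout\t/gnu/store/PLACEHOLDER-glibc-2.41\nshadow\t4.13\tout\t/gnu/store/PLACEHOLDER-shadow-4.13')

# cve_summary: lint lines on stdin -> "name<TAB>cve_count<TAB>cve_list",
# sorted by descending count, then by name. A lint line looks like
# "<file>:<line>:<col>: <name>@<version>: probably vulnerable to CVE-..., CVE-..."
cve_summary() {
  awk '
    /: probably vulnerable to / {
      split($0, parts, ": ")
      spec = parts[2]; sub(/@.*/, "", spec)                 # "shadow@4.13" -> "shadow"
      cves = parts[3]; sub(/^probably vulnerable to /, "", cves)
      gsub(/ /, "", cves)                                   # "A, B" -> "A,B"
      count[spec] += split(cves, tmp, ",")
      list[spec] = (list[spec] == "" ? cves : list[spec] "," cves)
    }
    END { for (p in count) printf "%s\t%d\t%s\n", p, count[p], list[p] }
  ' | sort -t "$(printf '\t')" -k2,2nr -k1,1
}

# installed_cves: keep only the lint lines whose package name appears in the
# `guix package -I` style list given as $1; lint lines come from stdin.
installed_cves() {
  names=$(printf '%s\n' "$1" | cut -f1 | tr '\n' ' ')
  awk -v names="$names" '
    BEGIN { n = split(names, a, " "); for (i = 1; i <= n; i++) if (a[i] != "") inst[a[i]] = 1 }
    /: probably vulnerable to / {
      split($0, parts, ": "); spec = parts[2]; sub(/@.*/, "", spec)
      if (spec in inst) print
    }'
}

# Demo on the embedded sample. On a real template replace the sample with:
#   guix lint -c cve | cve_summary
#   guix lint -c cve | installed_cves "$(guix package -I)"
printf '%s\n' "$SAMPLE_LINT_OUTPUT" | cve_summary
printf '%s\n' "$SAMPLE_LINT_OUTPUT" | installed_cves "$SAMPLE_INSTALLED"
```

On a real template, feed guix lint -c cve straight into cve_summary to see which packages carry the most open CVEs, or into installed_cves "$(guix package -I)" to see only what the template actually ships. A remaining entry is a reason to check whether the Guix package has since been bumped or patched, not proof of exploitability: the lint check matches on version alone, which is why the output says "probably vulnerable".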

Nice opportunity to get deeper into the security field.

GNU/Linux and More

  • . An interesting thing to play with later.
  • Diving more into the world of man-db and texinfo. A collection of courses and tutorials that rocks.

    man man, info info
    man info, info man
    (man "info")

    • Perl is nice

      [Figure 1: Bash completion for man perl, including more than 30x5 options.]

  • Git LFS is nice. I initialized it in my dotfiles to store my large wallpaper I put behind my transparent terminal.
    • I think I can use Git LFS to store my binary files, such as photos.

Overview

  • Chezmoi setup is more efficient now, it's ready to… Get replaced by Guix. At least the old notes can now be archived.
  • guix install is not right, so I'll hurry to build my channel.

To be honest, I think I didn't need to enter this reproducibility obsession hole, but… Yeah, it's hard to resist the temptation.

Footnotes:

1

See regex from the title

2

I like this name, where does it come from? skew, nice to write and read.

3

Related post: Idea: Hauler For Git

4

Plagiarized quote from doomemacs' readme

See the source code here.
Generated at 2025-12-03 Wed 10:01 +0000 by Emacs 29.4 (Org mode 9.6.15)