<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0"
xmlns:content="http://purl.org/rss/1.0/modules/content/"
xmlns:wfw="http://wellformedweb.org/CommentAPI/"
xmlns:dc="http://purl.org/dc/elements/1.1/"
xmlns:atom="http://www.w3.org/2005/Atom"
xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
xmlns:georss="http://www.georss.org/georss"
xmlns:geo="http://www.w3.org/2003/01/geo/wgs84_pos#"
xmlns:media="http://search.yahoo.com/mrss/"><channel>
<title>My feed</title>
<atom:link href="./feed.xml" rel="self" type="application/rss+xml" />
<link></link>
<description><![CDATA[]]></description>
<language>en</language>
<pubDate>Sat, 05 Apr 2025 00:06:50 -0600</pubDate>
<lastBuildDate>Sat, 05 Apr 2025 00:06:50 -0600</lastBuildDate>
<generator>Emacs 29.4 Org-mode 9.7.22</generator>
<webMaster>user@emacs-org (nil)</webMaster>
<image>
<url>https://orgmode.org/img/org-mode-unicorn-logo.png</url>
<title>My feed</title>
<link></link>
</image>
<item>
<title>Spinning, combing, waiting, waiting - draft</title>
<link>./feed.html#org8e9017d</link>
<author>user@emacs-org (nil)</author>
<guid isPermaLink="false">./feed.html#org8e9017d</guid>
<pubDate>Fri, 04 Apr 2025 23:24:00 -0600</pubDate>
<category><![CDATA[song]]></category>
<description><![CDATA[<p>
<a href="https://skylarcloud.xyz/music/spinning-combing-waiting-waiting.m4a">Spinning, combing, waiting, waiting - draft</a>
</p>
]]></description>
</item>
<item>
<title>The Tor Browser</title>
<link>./feed.html#org8697dcf</link>
<author>user@emacs-org (nil)</author>
<guid isPermaLink="false">./feed.html#org8697dcf</guid>
<pubDate>Fri, 04 Apr 2025 22:59:00 -0600</pubDate>
<category><![CDATA[post]]></category>
<category><![CDATA[tor]]></category>
<description><![CDATA[<div id="outline-container-orgeb523a9" class="outline-3">
<h3 id="orgeb523a9">Intro</h3>
<div class="outline-text-3" id="text-orgeb523a9">
<p>
The immediate threat of government retaliation for speech hasn’t been clearer in decades than it is now in the U.S. under the Trump administration. Journalists, law firms, and polling orgs are being targeted in viewpoint-based lawsuits. Legal permanent residents and writers are being held hostage or sent to El Salvadoran labor prisons without charges or due process, explicitly for their speech. In the cases of targeted individuals, much of the ‘evidence’ found by the executive–and often the speech retaliated against–happened online.
</p>
<p>
When the internet and online social spaces are rife with surveillance, and our activity is so often tied to our personal identifiers (IP address, name, phone #, email, address, etc.), the job of a malicious government is easy. Every time you fedpost about Trump on Instagram, express support for groups the US is opposed to, or write a controversial article with your name at the top of it, you leave a trail of breadcrumbs–no, a trail of loaves–that tons of organizations and governments can use to learn your political persuasions, and potentially persecute you for them.
</p>
<p>
When you can’t trust your network, your ISP, the sites you’re visiting, or your government with your internet activity, the value of anonymity becomes clear. The Tor Browser is a web browser that mitigates many of these threats by making your browsing anonymous. Using it, you can create and maintain accounts on various websites, participate in conversation, publish your writing, and get access to information without being surveilled.
</p>
</div>
</div>
<div id="outline-container-org33aecdb" class="outline-3">
<h3 id="org33aecdb">Hiding your web traffic with the Tor Network</h3>
<div class="outline-text-3" id="text-org33aecdb">
<p>
The first job of the Tor Browser is to hide your traffic from your network and your ISP, and to keep your IP address hidden from the websites you visit, and it solves this problem in a very cool way. When you visit a website through the Tor Browser, your traffic is sent through the Tor Network, a network of thousands of servers run by volunteers. Your traffic is encrypted three-fold and sent through three randomly-picked servers in the network, in such a way that no single node can see both your IP address and the IP address you’re visiting.
</p>
<p>
This means that your network and ISP can’t know what website you’re visiting; all they see is a bunch of encrypted traffic into the Tor Network. The website you’re visiting also won’t know where your connection came from, just the IP address of the exit node. And even the Tor nodes your traffic was routed through can’t simultaneously know your IP address and the address of the website you were visiting. Your three-node “circuit” will automatically rotate periodically as well. Basically it’s a proxy/VPN on steroids.
</p>
<p>
Now, it’s important to stress that though your traffic is truly hidden, by default your network and ISP <b>will</b> know that you’re using Tor for <i>something</i>. Using Tor is not illegal anywhere in the US (as far as I know?), but it may be suspicious to your network administrator or possibly blocked on your network. If you’re worried about your network and ISP knowing you’re using Tor, you can use “bridges”, an optional fourth proxy your traffic will go through before entering the Tor Network, to further obscure the nature of your connection. You can easily enable this in your “connection settings”, which will be available right after starting the browser for the first time.
</p>
<p>
Also, because your traffic is being passed through so many servers on the way to its destination, keep in mind that browsing will be significantly slower than you’re probably used to. It’s comfortable enough on a fast home connection, but trying to stream HD video, or using Tor over a mobile connection or with slower home internet can get painful.
</p>
</div>
</div>
<div id="outline-container-org9ba51fe" class="outline-3">
<h3 id="org9ba51fe">Anti-fingerprinting</h3>
<div class="outline-text-3" id="text-org9ba51fe">
<p>
Aside from the network, online surveillance is often done through “fingerprinting”, where a website can see/query your browser for all sorts of information to build a profile on your connection. The fonts installed on your computer, browser cookies, browser extensions, your screen size and many more variables can be used to build a unique fingerprint and expose you to tracking.
</p>
<p>
To stop these kinds of attacks, the Tor Browser has many anti-fingerprinting protections built in that attempt to make your connection look like every other Tor user’s, so no one stands out as unique.
</p>
</div>
<div id="outline-container-orgd13ccaf" class="outline-4">
<h4 id="orgd13ccaf">Letterboxing</h4>
<div class="outline-text-4" id="text-orgd13ccaf">
<p>
The Browser uses letterboxing, a curious little feature that disguises your screen size by having a certain number of pre-chosen website sizes that the window will snap to. This is hard to describe in words but you’ll notice it quickly when you use the Browser. You can resize the window as granularly as you wish, but the website will only grow and shrink in certain fixed steps.
</p>
</div>
</div>
<div id="outline-container-org69174ce" class="outline-4">
<h4 id="org69174ce">No history</h4>
<div class="outline-text-4" id="text-org69174ce">
<p>
Every time you close the Tor Browser, all cookies and history are removed, so you’ll get a clean start every launch.
</p>
</div>
</div>
<div id="outline-container-org5b29f39" class="outline-4">
<h4 id="org5b29f39">Hide everything!</h4>
<div class="outline-text-4" id="text-org5b29f39">
<p>
Where information about your browser and operating system would normally be sent to a website, the Tor Browser will lie and claim every user is using the same device. It will hide your time zone and your installed fonts, and refuse to use many risky APIs that can be privacy-intrusive.
</p>
</div>
</div>
</div>
<div id="outline-container-org03aaae1" class="outline-3">
<h3 id="org03aaae1">Don’t make yourself unique</h3>
<div class="outline-text-3" id="text-org03aaae1">
<p>
By default, the Tor Browser uses these network and anti-fingerprinting features to make your browser and your connection look as similar as possible to every other Tor user’s, so everyone’s traffic is mingled together and difficult to track. But you can definitely break your anonymity by making mistakes when using it. Here are some things to avoid:
</p>
</div>
<div id="outline-container-orgabe6ac6" class="outline-4">
<h4 id="orgabe6ac6">Don’t mix Tor and non-Tor traffic/accounts/identities !!!</h4>
<div class="outline-text-4" id="text-orgabe6ac6">
<ul class="org-ul">
<li>If you create an anonymous online account using Tor, and then access that account on another device without using Tor, you’ve deanonymized yourself.</li>
<li>If you use Tor to commit a crime, and in another tab you access a personal social media service using the same Tor connection, you’ve deanonymized yourself.</li>
<li>If you start a blog using Tor, and publish a post with your name, you’ve deanonymized yourself.</li>
<li>If you’re talking to someone on Tor, and you give them your personal email to talk further, you’ve deanonymized yourself.</li>
</ul>
<p>
This is the most common class of mistake Tor users make that leads to arrests. Always understand what information you may be accidentally linking together that could connect your anonymous activities to your personal identity.
</p>
</div>
</div>
<div id="outline-container-orga607308" class="outline-4">
<h4 id="orga607308">Don’t configure the browser</h4>
<div class="outline-text-4" id="text-orga607308">
<p>
Because the Tor Browser is designed to make everyone’s connection look similar, if you start changing settings or installing extensions, your browser will become more unique and trackable. Just use the Tor Browser with its default settings.
</p>
</div>
<ul class="org-ul">
<li><a id="org3215651"></a>Exceptions<br />
<div class="outline-text-5" id="text-org3215651">
<p>
Now that we know the rule of thumb (don’t touch things!), there are a couple things we <b>can</b> safely configure.
</p>
</div>
<ul class="org-ul">
<li><a id="org95528f5"></a>Security settings<br />
<div class="outline-text-6" id="text-org95528f5">
<p>
In the browser settings, there are three “security levels” you can choose from. Choosing the “safer” options will restrict websites from more potentially-risky activity, at the cost of many more websites not being able to function. I’d recommend defaulting to the most secure option and lowering it if a particular site demands it.
</p>
</div>
</li>
<li><a id="orgb25e173"></a>Connection settings<br />
<div class="outline-text-6" id="text-orgb25e173">
<p>
As mentioned earlier, you can optionally use a bridge to hide the fact that you’re using Tor from your network and ISP.
</p>
</div>
</li>
</ul>
</li>
</ul>
</div>
</div>
]]></description>
</item>
<item>
<title>3 Browser extensions I almost always install</title>
<link>./feed.html#org1bdbda0</link>
<author>user@emacs-org (nil)</author>
<guid isPermaLink="false">./feed.html#org1bdbda0</guid>
<pubDate>Thu, 03 Apr 2025 05:40:00 -0600</pubDate>
<category><![CDATA[post]]></category>
<description><![CDATA[<div id="outline-container-orge3a8147" class="outline-3">
<h3 id="orge3a8147">Vimium C</h3>
<div class="outline-text-3" id="text-orge3a8147">
<p>
This lets you do basic navigation in your browser with vim-like keybindings. You can click links, scroll, go back and forth between tabs and through your history, select/copy/search text and more with your keyboard.
</p>
</div>
</div>
<div id="outline-container-org0c78b9f" class="outline-3">
<h3 id="org0c78b9f">Dark Reader</h3>
<div class="outline-text-3" id="text-org0c78b9f">
<p>
Makes all websites default to a dark mode, and provides an easy toggle.
</p>
</div>
</div>
<div id="outline-container-org014cfa1" class="outline-3">
<h3 id="org014cfa1">uBlock Origin</h3>
<div class="outline-text-3" id="text-org014cfa1">
<p>
The most ubiquitous content/ad blocker, reliable as ever.
</p>
</div>
</div>
]]></description>
</item>
<item>
<title>Prepping for v2 of my salt repo</title>
<link>./feed.html#org3ddcee5</link>
<author>user@emacs-org (nil)</author>
<guid isPermaLink="false">./feed.html#org3ddcee5</guid>
<pubDate>Wed, 02 Apr 2025 22:34:00 -0600</pubDate>
<category><![CDATA[note]]></category>
<category><![CDATA[qubes]]></category>
<description><![CDATA[<p>
I've massively restructured my salt repo and added enough features that I'm going to make a new repository and release it again in full, as a 2.0 version. This should be done within the next week or two.
</p>
]]></description>
</item>
<item>
<title>Methods of installing software in QubesOS with Saltstack</title>
<link>./feed.html#org66153f1</link>
<author>user@emacs-org (nil)</author>
<guid isPermaLink="false">./feed.html#org66153f1</guid>
<pubDate>Wed, 02 Apr 2025 22:34:00 -0600</pubDate>
<category><![CDATA[post]]></category>
<category><![CDATA[qubes]]></category>
<description><![CDATA[<p>
Here are various methods of installing software that I’ve used in my personal salt configuration.
</p>
<div id="outline-container-org5ec5022" class="outline-3">
<h3 id="org5ec5022">pkg.installed</h3>
<div class="outline-text-3" id="text-org5ec5022">
<p>
Here’s <code>/srv/user_salt/pkgs/accounting.sls</code> as an example. It uses the simplest way of installing programs, which is just listing them under <code>pkg.installed</code>, which pulls them from your distro’s main repositories. This is the preferred way to install software when it’s available there.
</p>
<div class="org-src-container">
<pre class="src src-salt"><span style="color: #928374;"># </span><span style="color: #928374;">Install accounting tools</span>
<span style="color: #d3869b;">accounting--install-apps</span>:
  <span style="color: #b8bb26;">pkg.installed</span>:
    - <span style="color: #83a598;">pkgs</span>:
      - hledger <span style="color: #928374;"># </span><span style="color: #928374;">Command-line plain text accounting</span>
      - gnucash <span style="color: #928374;"># </span><span style="color: #928374;">Graphical GNU accounting suite</span>
</pre>
</div>
</div>
</div>
<div id="outline-container-org90448e8" class="outline-3">
<h3 id="org90448e8">Install from third-party repo with a script</h3>
<div class="outline-text-3" id="text-org90448e8">
<p>
Here’s <code>/srv/user_salt/pkgs/signal.sls</code> as an example. It places an installation script, <code>/srv/user_salt/pkgs/install-scripts/signal-repo.sh</code> into a qube and executes it to install the Signal messenger.
</p>
<div class="org-src-container">
<pre class="src src-salt"><span style="color: #928374;">...</span>
<span style="color: #d3869b;">signal--repo-script</span>:
  <span style="color: #b8bb26;">file.managed</span>:
    - <span style="color: #fe8019;">name</span>: /usr/bin/install-repo <span style="color: #928374;"># </span><span style="color: #928374;">this is where the installation script is placed</span>
    - <span style="color: #83a598;">source</span>: <span style="color: #fe8019;">salt://</span>pkgs/install-scripts/signal-repo.sh <span style="color: #928374;"># </span><span style="color: #928374;">This is where the installation script was sourced</span>
    - <span style="color: #83a598;">user</span>: root <span style="color: #928374;"># </span><span style="color: #928374;">sets the owner of the file, you can usually default to root</span>
    - <span style="color: #83a598;">group</span>: root <span style="color: #928374;"># </span><span style="color: #928374;">sets the group of the file, you can usually default to root</span>
    - <span style="color: #83a598;">mode</span>: 777 <span style="color: #928374;"># </span><span style="color: #928374;">sets the permissions of the file, you can usually default to 777 (any user on the qube has permissions)</span>
<span style="color: #928374;"># </span><span style="color: #928374;">This simply executes the install-repo script in a qube (the state ID doubles as the command name)</span>
<span style="color: #b8bb26;">'install-repo'</span>:
  <span style="color: #b8bb26;">cmd.run</span>
</pre>
</div>
<p>
Here’s the installation script that’s ran:
</p>
</div>
<div id="outline-container-org4dcdb21" class="outline-4">
<h4 id="org4dcdb21"><code>/srv/user_salt/pkgs/install-scripts/signal-repo.sh</code></h4>
<div class="outline-text-4" id="text-org4dcdb21">
<div class="org-src-container">
<pre class="src src-bash"><span style="color: #928374;">#!/bin/bash</span>
<span style="color: #928374;"># </span><span style="color: #928374;">Abort if any command (including curl inside the pipeline) fails, so a bad key download never leads to an apt run</span>
<span style="color: #fabd2f;">set</span> -eo pipefail
<span style="color: #928374;"># </span><span style="color: #928374;">Retrieves Signal's key for verifying the package</span>
<span style="color: #928374;"># </span><span style="color: #928374;">The request is proxied through 127.0.0.1:8082 to allow the template qube to access the internet</span>
<span style="color: #928374;"># </span><span style="color: #928374;">-f makes curl fail on HTTP errors instead of writing an error page into the keyring; tee without -a overwrites so re-runs don't append duplicate keys</span>
<span style="color: #fabd2f;">curl</span> --proxy 127.0.0.1:8082 -fsS https://updates.signal.org/desktop/apt/keys.asc | gpg --dearmor | <span style="color: #fabd2f;">sudo</span> tee /usr/share/keyrings/signal-desktop-keyring.gpg > /dev/null
<span style="color: #928374;"># </span><span style="color: #928374;">Defines Signal's repo in /etc/apt/sources.list.d/</span>
<span style="color: #fabd2f;">echo</span> <span style="color: #b8bb26;">'deb [arch=amd64 signed-by=/usr/share/keyrings/signal-desktop-keyring.gpg] https://updates.signal.org/desktop/apt xenial main'</span> | <span style="color: #fabd2f;">sudo</span> tee /etc/apt/sources.list.d/signal-xenial.list
<span style="color: #928374;"># </span><span style="color: #928374;">Updates packages and installs signal-desktop through the newly configured repository</span>
<span style="color: #fabd2f;">sudo</span> apt update
<span style="color: #fabd2f;">sudo</span> apt install signal-desktop -y
</pre>
</div>
</div>
</div>
</div>
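<p>
As an added example (not the author’s script and not part of the salt repo described here), here is a hardened variant of the third-party-repo approach above. The original script trusts whatever <code>curl</code> hands back through the proxy and appends it to the keyring; this one pins the repository key’s fingerprint and refuses to configure the repo if the downloaded key does not match, overwrites the keyring so re-runs stay idempotent, and keeps the keyring root-owned and world-readable. <code>EXPECTED_FPR</code> is a placeholder to be replaced with a fingerprint you verified out of band, the <code>install</code> argument dispatch and the <code>0644</code> mode are my choices, and the proxy address is the one from the post.
</p>

```shell
#!/bin/sh
# Added example, not the author's signal-repo.sh: install a third-party apt
# repo only if its signing key matches a fingerprint pinned in the state repo.
# EXPECTED_FPR is a placeholder; set it to the fingerprint you verified out of band.
set -eu

EXPECTED_FPR="${EXPECTED_FPR:-REPLACE_WITH_VERIFIED_FINGERPRINT}"
PROXY="${PROXY:-127.0.0.1:8082}"   # Qubes template update proxy, as in the post
KEY_URL="https://updates.signal.org/desktop/apt/keys.asc"
KEYRING="/usr/share/keyrings/signal-desktop-keyring.gpg"
LIST="/etc/apt/sources.list.d/signal-xenial.list"

# Read `gpg --with-colons` output on stdin and print the first primary-key
# fingerprint. In colon format field 1 is the record type and field 10 of an
# "fpr" record holds the fingerprint.
extract_fpr() {
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# Compare a fingerprint ($1) against the pinned value ($2), ignoring spaces
# and case. An empty fingerprint never matches. Returns 0 on match, 1 otherwise.
fpr_matches() {
    local got expect
    got=$(printf '%s' "$1" | tr -d ' ' | tr '[:lower:]' '[:upper:]')
    expect=$(printf '%s' "$2" | tr -d ' ' | tr '[:lower:]' '[:upper:]')
    [ -n "$got" ] && [ "$got" = "$expect" ]
}

install_signal_repo() {
    local tmp fpr
    tmp=$(mktemp)
    trap 'rm -f "$tmp"' EXIT
    # -f: fail on HTTP errors instead of saving an error page as the "key"
    curl --proxy "$PROXY" -fsS "$KEY_URL" -o "$tmp"
    # If gpg cannot parse the file, fpr is empty and the check below refuses
    fpr=$(gpg --batch --with-colons --show-keys "$tmp" | extract_fpr)
    if ! fpr_matches "$fpr" "$EXPECTED_FPR"; then
        echo "refusing to install: key fingerprint '$fpr' != pinned '$EXPECTED_FPR'" >&2
        return 1
    fi
    # Overwrite (not append) so re-running the salt state stays idempotent
    gpg --dearmor < "$tmp" > "$KEYRING"
    chmod 0644 "$KEYRING"
    echo "deb [arch=amd64 signed-by=$KEYRING] https://updates.signal.org/desktop/apt xenial main" > "$LIST"
    apt-get update
    apt-get install -y signal-desktop
}

# Only touch the system when explicitly asked, so the helpers above can be
# sourced and exercised without network access or root.
case "${1:-}" in
    install) install_signal_repo ;;
esac
```

<p>
To use it with the state above, ship it as <code>/usr/bin/install-repo</code> with <code>mode: 755</code> and run it from <code>cmd.run</code> as <code>/usr/bin/install-repo install</code>. Because the qube runs the state as root, the script needs no <code>sudo</code>; if you run it by hand as an unprivileged user, prefix the <code>install</code> invocation with one.
</p>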
<div id="outline-container-org491b029" class="outline-3">
<h3 id="org491b029">Move a binary file into /usr/bin</h3>
<div class="outline-text-3" id="text-org491b029">
<p>
Here’s <code>/srv/user_salt/pkgs/st.sls</code> as an example. It takes a binary file that’s part of this salt repository and places it in the <code>/usr/bin/</code> directory of a qube.
</p>
<div class="org-src-container">
<pre class="src src-salt"><span style="color: #928374;"># </span><span style="color: #928374;">Installs my build of st terminal</span>
<span style="color: #d3869b;">/usr/bin/st</span>:
  <span style="color: #b8bb26;">file.managed</span>:
    - <span style="color: #83a598;">source</span>: <span style="color: #fe8019;">salt://</span>pkgs/bin/st.bin
    - <span style="color: #83a598;">user</span>: root
    - <span style="color: #83a598;">group</span>: root
    - <span style="color: #83a598;">mode</span>: 777
</pre>
</div>
</div>
</div>
]]></description>
</item>
<item>
<title>Website update</title>
<link>./feed.html#org3888bd2</link>
<author>user@emacs-org (nil)</author>
<guid isPermaLink="false">./feed.html#org3888bd2</guid>
<pubDate>Sat, 01 Mar 2025 10:14:00 -0700</pubDate>
<category><![CDATA[note]]></category>
<category><![CDATA[skylarcloud]]></category>
<description><![CDATA[<p>
I've changed a few things about the website:
</p>
<p>
The blog posts have been consolidated into a single org document. I like the feeling of having one large waterfall of writing, with a level-one table of contents to navigate the posts.
</p>
<p>
I've figured out how to create an RSS feed using <code>ox-rss</code>, which makes it easy to generate an xml feed from the newly-consolidated feed.org document. You can now follow my feed from any RSS reader!
</p>
<p>
<a href="https://git.skylarcloud.xyz">https://git.skylarcloud.xyz</a> now has a repo with the org and html files used for this site.
</p>
]]></description>
</item>
<item>
<title>Convenient torrenting with qBittorrent</title>
<link>./feed.html#org26983f0</link>
<author>user@emacs-org (nil)</author>
<guid isPermaLink="false">./feed.html#org26983f0</guid>
<pubDate>Fri, 28 Feb 2025 14:30:00 -0700</pubDate>
<category><![CDATA[post]]></category>
<description><![CDATA[<div id="outline-container-org5e3da06" class="outline-3">
<h3 id="org5e3da06">Introduction</h3>
<div class="outline-text-3" id="text-org5e3da06">
<p>
Your access to media should not be limited by money, nor should it be limited by technical ability. I want to demonstrate with this quick guide that torrenting is as accessible and easy as it’s ever been, using Free and open-source software.
</p>
</div>
</div>
<div id="outline-container-orgecbe3fa" class="outline-3">
<h3 id="orgecbe3fa">Install qBittorrent</h3>
<div class="outline-text-3" id="text-orgecbe3fa">
<p>
qBittorrent is a Free and open-source BitTorrent client that supports tons of features, but you don’t need to know much at all to get started. To install it, go to their downloads page at <a href="https://www.qbittorrent.org/download">https://www.qbittorrent.org/download</a> and select the right option for your computer. It supports Windows and macOS, and can be installed through most common package managers on Linux.
</p>
<p>
After it’s downloaded, install it like you would with any other program.
</p>
</div>
</div>
<div id="outline-container-org49a96b2" class="outline-3">
<h3 id="org49a96b2">Enable the search engine</h3>
<div class="outline-text-3" id="text-org49a96b2">
<p>
To let us search for media, we need to turn on qBittorrent’s search engine.
</p>
<ul class="org-ul">
<li>Click the “View” button in the toolbar</li>
<li>Check the “Search Engine” box
There should now be a “Search” tab next to “Transfers” under the toolbar</li>
<li>Click the “Search” tab</li>
<li>Click “Search Plugins” at the bottom right</li>
<li>Click “Check for updates”</li>
<li>Click “Ok” and “Close” to exit the search plugins menu</li>
</ul>
</div>
</div>
<div id="outline-container-orge6ab1bb" class="outline-3">
<h3 id="orge6ab1bb">Search for and download some media</h3>
<div class="outline-text-3" id="text-orge6ab1bb">
<ul class="org-ul">
<li>In the “Search” tab, click on the search bar, enter the name of some movie, and press Return. Very quickly, you should see many results, with slightly different titles, sizes, and numbers of “Seeders”, among other things.</li>
</ul>
<p>
“Seeders” refers to the computers that are hosting the media you want. In general, you want to download files being seeded by lots of computers to get the fastest download speeds possible.
</p>
<ul class="org-ul">
<li>Pick a result with a name indicating the media, resolution, and episodes/seasons you want. Double-click it</li>
<li>A download prompt will appear. It has lots of settings, but you can simply click “Ok” to download it normally.</li>
</ul>
</div>
</div>
<div id="outline-container-org65ccd49" class="outline-3">
<h3 id="org65ccd49">Now just wait</h3>
<div class="outline-text-3" id="text-org65ccd49">
<p>
You can track the progress of torrents being downloaded in the “Transfers” tab. When it’s 100% complete, you can right-click the file, and click “Preview file” to have it play in your default media player.
</p>
<p>
If you’re feeling charitable, you can leave qBittorrent running in the background to seed the files for other users. It’ll help keep the media accessible for everyone, and improve download speeds for others. Using a VPN is recommended if you plan on leaving the client running for long periods of time.
</p>
</div>
</div>
<div id="outline-container-orgce1d840" class="outline-3">
<h3 id="orgce1d840">Extra tips</h3>
<div class="outline-text-3" id="text-orgce1d840">
</div>
<div id="outline-container-orgd8046b2" class="outline-4">
<h4 id="orgd8046b2">Consider using a VPN</h4>
<div class="outline-text-4" id="text-orgd8046b2">
<p>
Some copyright holders use bots to detect users downloading their media. If you’re not using a VPN, these companies can see your IP and potentially send complaints to your ISP. If you download many things and want to keep your ISP happy, using a VPN will ensure your torrenting can’t be traced to your IP address. I personally use and recommend Mullvad ($5/month for 5 devices), but there are other reputable ones like Proton and IVPN.
</p>
</div>
</div>
<div id="outline-container-orgce7a767" class="outline-4">
<h4 id="orgce7a767">Stream Media</h4>
<div class="outline-text-4" id="text-orgce7a767">
<p>
When you go to download a torrent and the download prompt pops up, you can optionally select “Download first and last pieces first” and “Download in sequential order”.
</p>
<p>
This will likely make the total download take longer, but by downloading it in order, you can stream it in real time. Wait until about 5% of the download is complete, then you can watch it while the rest downloads live in the background.
</p>
</div>
</div>
<div id="outline-container-orga7bfb43" class="outline-4">
<h4 id="orga7bfb43">Hosting a media server with Jellyfin</h4>
<div class="outline-text-4" id="text-orga7bfb43">
<p>
Jellyfin is a Free and open-source media-hosting server you can run on your computer. It’ll let you sign in to your library on a smart TV, other devices on your local network, or in a browser.
</p>
<p>
Setting it up is outside the scope of this post, but I highly recommend it. It basically just consists of downloading the server, configuring your libraries, installing the clients on your other devices, and logging in to your server.
</p>
<p>
<a href="https://jellyfin.org/">https://jellyfin.org/</a>
</p>
</div>
</div>
</div>
]]></description>
</item>
<item>
<title>QubesOS Saltstack configuration v1</title>
<link>./feed.html#org973deab</link>
<author>user@emacs-org (nil)</author>
<guid isPermaLink="false">./feed.html#org973deab</guid>
<pubDate>Fri, 28 Feb 2025 14:30:00 -0700</pubDate>
<category><![CDATA[post]]></category>
<category><![CDATA[qubes]]></category>
<description><![CDATA[<div id="outline-container-org7ffb111" class="outline-3">
<h3 id="org7ffb111">Notice:</h3>
<div class="outline-text-3" id="text-org7ffb111">
<p>
<b>The repository is now hosted on this site at <a href="https://git.skylarcloud.xyz">https://git.skylarcloud.xyz</a>, not Github! For up-to-date instructions, refer to the new README.org in the new repo, there have been lots of changes since the publishing of this post.</b>
</p>
</div>
</div>
<div id="outline-container-org8b386d3" class="outline-3">
<h3 id="org8b386d3">Intro</h3>
<div class="outline-text-3" id="text-org8b386d3">
<p>
I’m publishing the janky V1 of my QubesOS configuration written with Saltstack. It’ll help set up a window manager, a couple of handy qubes, Doom Emacs, and the 3isec repo to jump-start your QubesOS experience.
</p>
<p>
It’s not new-user friendly yet, nor is it in a state where anyone can immediately download and apply it. At the very least you’ll need to change the references to my username to yours in the salt files, and make sure the Fedora-40-XFCE and Debian-12-minimal templates are installed on your system.
</p>
<p>
You can use my configuration almost as-is (just change the username references!) and it does work, but it’s not very feature-filled or optimized, and it’s probable that the next versions will conflict with it.
</p>
</div>
<div id="outline-container-org0146a44" class="outline-4">
<h4 id="org0146a44">Link to repo on Github</h4>
<div class="outline-text-4" id="text-org0146a44">
<p>
<del><a href="https://github.com/bumbleoats/My-QubesOS-Configuration">https://github.com/bumbleoats/My-QubesOS-Configuration</a></del> <- See the notice at the top of this post
</p>
</div>
</div>
<div id="outline-container-org5317302" class="outline-4">
<h4 id="org5317302">Installation</h4>
<div class="outline-text-4" id="text-org5317302">
<p>
Make sure the <code>qubes.user-dirs</code> top state is enabled in dom0 (<code>sudo qubesctl top.enable qubes.user-dirs</code>; see the symlink workaround below if it still isn’t picked up), then move the repo to <code>/srv/user_salt/</code> in dom0 and apply with <code>sudo qubesctl --all state.apply</code>. dom0 has no network access, so the repo has to be copied in from a qube (for example over <code>qvm-run --pass-io</code>); everything you copy in will run with dom0’s privileges, so read it before applying it.
</p>
</div>
<ul class="org-ul">
<li><a id="org0e222ad"></a>Resources for installation<br />
<div class="outline-text-5" id="text-org0e222ad">
</div>
<ul class="org-ul">
<li><a id="org9b33c15"></a>Community user guide for user-salt<br />
<div class="outline-text-6" id="text-org9b33c15">
<ul class="org-ul">
<li><a href="https://forum.qubes-os.org/t/qubes-salt-beginners-guide/20126">https://forum.qubes-os.org/t/qubes-salt-beginners-guide/20126</a></li>
<li>This was the best resource I found as a beginner; I wasn’t able to get anything working until I stumbled on it</li>
</ul>
</div>
</li>
<li><a id="org3ba4f54"></a>Issue I sometimes run into from a fresh QubesOS install<br />
<div class="outline-text-6" id="text-org3ba4f54">
<ul class="org-ul">
<li><a href="https://github.com/QubesOS/qubes-issues/issues/8491">https://github.com/QubesOS/qubes-issues/issues/8491</a></li>
<li>TL;DR: This is the solution that’s worked for me, pulled from the discussion:</li>
</ul>
<div class="org-src-container">
<pre class="src src-bash"><span style="color: #fabd2f;">ln</span> -s /srv/salt/qubes/user-dirs.top /srv/salt/_tops/base/user-dirs.top
</pre>
</div>
</div>
</li>
</ul>
</li>
</ul>
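<p>
The install step above as one script, added here as an example (it is not part of the repository): it copies the tree into <code>/srv/user_salt/</code>, rewrites the <code>/home/skylar/</code> paths and <code>user: skylar</code>-style lines to your username, counts any files that still mention the old name so you can review them by hand, enables the user-dirs top file, and applies the highstate. Assumptions: the repo has already been copied into dom0 (dom0 has no network, so pull it from a qube, e.g. <code>qvm-run --pass-io &lt;qube&gt; 'tar -C ~ -cf - &lt;repo&gt;' | tar -xf -</code>), the script runs as root in dom0, and <code>qubesctl top.enable qubes.user-dirs</code> is the standard form of the symlink workaround quoted above on your Qubes release.
</p>

```shell
#!/bin/sh
# Added example, not code from the original repository.
# Usage (as root in dom0): ./bootstrap.sh <path-to-repo> <old-username> <new-username>
# Assumes the repo is already inside dom0 and that "skylar" is the username
# baked into the salt files (the /home/skylar/ paths above).
set -eu

SALT_DIR="${SALT_DIR:-/srv/user_salt}"

# Rewrite /home/<old>/ paths and "<key>: <old>" lines (e.g. "- user: skylar")
# in the salt files and dotfiles under a tree. Writes through a temp file so
# it does not depend on a particular sed's -i flag.
rewrite_user() {
  tree="$1"; old="$2"; new="$3"
  find "$tree" -type f \( -name '*.sls' -o -name '*.top' -o -name '.bashrc' \) |
  while read -r f; do
    sed -e "s|/home/$old/|/home/$new/|g" \
        -e "s|^\( *-* *[a-z_]*\): *$old\$|\1: $new|" "$f" > "$f.tmp" && mv "$f.tmp" "$f"
  done
}

# Number of files under a tree that still mention the old username; anything
# non-zero is a reference the two patterns above did not cover.
remaining_refs() {
  grep -rl -- "$2" "$1" | wc -l | tr -d ' '
}

bootstrap() {
  src="$1"; old="$2"; new="$3"
  mkdir -p "$SALT_DIR"
  cp -r "$src"/. "$SALT_DIR"/
  rewrite_user "$SALT_DIR" "$old" "$new"
  left=$(remaining_refs "$SALT_DIR" "$old")
  [ "$left" = 0 ] || echo "warning: $left file(s) under $SALT_DIR still mention '$old'; review them" >&2
  # Make the user salt tree part of the highstate (what the symlink above does
  # by hand), then apply to dom0 and every qube.
  qubesctl top.enable qubes.user-dirs
  qubesctl --all state.apply
}

# Only runs the bootstrap when called with all three arguments.
if [ "$#" -eq 3 ]; then bootstrap "$@"; fi
```

<p>
Run it as <code>sudo ./bootstrap.sh ~/repo skylar yourname</code>. The warning is the check worth paying attention to: a leftover reference to the old username usually means a state will write into a home directory that does not exist on your system, so fix those by hand before applying.
</p>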
</div>
</div>
<div id="outline-container-org5988afb" class="outline-3">
<h3 id="org5988afb">Programs in dom0</h3>
<div class="outline-text-3" id="text-org5988afb">
<p>
My configuration will install a few programs in dom0. It’s important that I put this at the top because generally, you want to limit the number of packages in dom0. Every new package is more attack surface on your most critical qube. I trust the programs I’ve chosen to add, and by using my configuration, you’re implicitly trusting them too.
</p>
<p>
Look in <code>/srv/user_salt/</code> to find the related salt files and see the installed programs.
</p>
</div>
</div>
<div id="outline-container-orga9cbd9d" class="outline-3">
<h3 id="orga9cbd9d">Window Management</h3>
<div class="outline-text-3" id="text-orga9cbd9d">
</div>
<div id="outline-container-org7fcfec6" class="outline-4">
<h4 id="org7fcfec6">i3</h4>
<div class="outline-text-4" id="text-org7fcfec6">
<p>
i3 is a tiling window manager. It’s used primarily through the keyboard, so muscle memory can operate everything very quickly once you get used to it. When a window is opened, it will be ’tiled’, maximizing screen space. To open windows, rofi is used to search for applications and qubes.
</p>
</div>
<ul class="org-ul">
<li><a id="orgd7e782a"></a>Keybindings<br />
<div class="outline-text-5" id="text-orgd7e782a">
<p>
You can navigate i3 with ’vim-like’ keybindings, inspired by the vi text editor. Some basic keybindings are shown below, and you can see many more by reading i3’s config file at <code>/srv/user_salt/dots/i3</code>
</p>
<ul class="org-ul">
<li>S = Shift key</li>
<li>mod = Windows/Command key</li>
</ul>
<table border="2" cellspacing="0" cellpadding="6" rules="groups" frame="hsides">
<colgroup>
<col class="org-left" />
<col class="org-left" />
</colgroup>
<thead>
<tr>
<th scope="col" class="org-left">keybinding</th>
<th scope="col" class="org-left">function</th>
</tr>
</thead>
<tbody>
<tr>
<td class="org-left">mod + h/j/k/l</td>
<td class="org-left">move focus left/down/up/right</td>
</tr>
<tr>
<td class="org-left">mod + S + h/j/k/l</td>
<td class="org-left">move focused window left/down/up/right</td>
</tr>
<tr>
<td class="org-left">mod + d</td>
<td class="org-left">search/launch programs with rofi</td>
</tr>
<tr>
<td class="org-left">mod + S + d</td>
<td class="org-left">switch between windows with rofi</td>
</tr>
<tr>
<td class="org-left">mod + S + g</td>
<td class="org-left">window gap settings menu</td>
</tr>
</tbody>
</table>
</div>
</li>
</ul>
</div>
<div id="outline-container-orga9d7566" class="outline-4">
<h4 id="orga9d7566">Misc</h4>
<div class="outline-text-4" id="text-orga9d7566">
<p>
<code>wm.sls</code> will do a few other smaller things:
</p>
<ul class="org-ul">
<li>Sets my default wallpaper</li>
<li>Sets the xrandr default screen layout (replace it using ARandR)</li>
<li>Creates an X11 touchpad configuration for tap-to-click and natural scrolling</li>
<li>Installs the default .bashrc into <code>/root/</code> and <code>/home/skylar/</code> from <code>/srv/user_salt/dots/.bashrc</code></li>
<li>Prioritizes xfce4-terminal in <code>/usr/bin/qubes-i3-sensible-terminal</code></li>
<li>Symlinks rofi in place of dmenu</li>
</ul>
</div>
</div>
</div>
<div id="outline-container-org2d53cea" class="outline-3">
<h3 id="org2d53cea">My qubes</h3>
<div class="outline-text-3" id="text-org2d53cea">
</div>
<div id="outline-container-org17aa192" class="outline-4">
<h4 id="org17aa192">Emacs</h4>
<div class="outline-text-4" id="text-org17aa192">
<p>
If you’re a Doom Emacs user (there are dozens of us!) this will hopefully make your life slightly easier.
</p>
<p>
A template and app qube for Emacs will be created, Doom Emacs will automatically be installed inside the app qube, and the contents of (in dom0) <code>/srv/user_salt/dots/doom-emacs</code> will be added to the Doom Emacs qube.
</p>
<p>
My personal configuration is in the repository and will be written by default, but it’s super simple to replace with your own (just find the directory mentioned above). I’ve done very little with my configuration, and use it basically as it comes out-of-the-box.
</p>
</div>
</div>
<div id="outline-container-orgd415284" class="outline-4">
<h4 id="orgd415284">Torrenting</h4>
<div class="outline-text-4" id="text-orgd415284">
<p>
A template and app qube for qBittorrent will be created. The gruvbox theme that I use will be moved from dom0 to the app qube so it’s easy to apply.
</p>
<p>
qBittorrent is a torrent client that lets you search for and download large files, particularly media files. You can enable the built-in search utility by doing the following:
</p>
<ol class="org-ol">
<li>Navigate to the “View” menu at the top of the window</li>
<li>Enable the “Search Engine” option</li>
<li>A new tab should show up slightly below called “Search”, click it</li>
<li>In the new menu, click “Search plugins…” at the bottom</li>
<li>Click “Check for updates”</li>
<li>Once the search plugins are installed for a default list of trackers, you can close the window and search for media.</li>
</ol>
</div>
<ul class="org-ul">
<li><a id="org25f25bc"></a>VPN use<br />
<div class="outline-text-5" id="text-org25f25bc">
<p>
If you’re downloading copyrighted content in an area where it’s illegal, I would strongly urge you to consider using a VPN to hide your IP address. Law enforcement is unlikely to bust down your door for watching Spongebob, but copyright holders can and will send letters to your ISP, which can eventually get your internet service shut off if you continue. Tor is a poor fit for this: it’s extremely slow, torrenting hogs bandwidth the network needs for everyone else (the Tor Project asks users not to do it), and many BitTorrent clients leak the real IP address through tracker and DHT traffic that never goes through the proxy.
</p>
<p>
On Qubes, don’t rely on the client’s own settings to enforce this. Give the torrent qube a VPN qube as its NetVM (for example one built from the <code>mullvad-vpn</code> package from 3isec mentioned below, via <code>qvm-prefs &lt;qube&gt; netvm &lt;vpn-qube&gt;</code>). A VPN qube whose firewall only passes traffic over the tunnel leaves the torrent qube with no other route out, so a dropped VPN means no traffic rather than leaked traffic.
</p>
<p>
Personally, I use Mullvad and don’t have any complaints. Proton and IVPN are reputable as well.
</p>
</div>
</li>
</ul>
</div>
<div id="outline-container-orgab279fd" class="outline-4">
<h4 id="orgab279fd">Personal/work email</h4>
<div class="outline-text-4" id="text-orgab279fd">
<p>
A template for email will be created, and two app qubes, “email-personal” and “email-work”. These just have the Thunderbird email client installed so you can sign into your accounts.
</p>
</div>
</div>
</div>
<div id="outline-container-orgd303708" class="outline-3">
<h3 id="orgd303708">3isec</h3>
<div class="outline-text-3" id="text-orgd303708">
<p>
The 3isec repo is a handy repository of salt files with some miscellaneous utilities. The repository will be added to dom0, their GPG key will be installed from a copy carried in this salt repository, and their graphical front end will be installed in dom0. You can start it with <code>qubes-task-gui</code> in dom0. Because the key is carried in this repository rather than fetched from 3isec, compare its fingerprint with the one 3isec publishes before installing anything signed with it: a wrong key here means arbitrary packages landing in dom0.
</p>
<p>
I usually install common, mirage-firewall, monitor, mullvad-vpn, and sys-multimedia.
</p>
</div>
</div>
<div id="outline-container-org50b68a2" class="outline-3">
<h3 id="org50b68a2">Post install</h3>
<div class="outline-text-3" id="text-org50b68a2">
<p>
Almost everything will be done out of the box, but here are some recommended finishing touches:
</p>
<ul class="org-ul">
<li>Open Emacs in its app qube, run <code>M-x nerd-icons-install-fonts</code>, and reload your Emacs configuration</li>
<li>Optionally replace the config files in <code>/srv/user_salt/</code> with your own</li>
<li>Optionally install any packages you’ll want with 3isec</li>
<li>Set the storage and networking settings of your qubes to your preference (by default everything is routed through your default net qube, probably sys-firewall)</li>
</ul>
</div>
</div>
<div id="outline-container-orga1e97ab" class="outline-3">
<h3 id="orga1e97ab">What’s next?</h3>
<div class="outline-text-3" id="text-orga1e97ab">
<p>
This project will develop over time as I learn more about Saltstack and continue to work on my personal configuration. I have lots of plans:
</p>
<ul class="org-ul">
<li>Signal! I’m embarrassed to admit that I couldn’t figure out how to add the Signal repo/gpg-key to a template to install signal-desktop. It’s pretty easy to do imperatively, but it’ll be a no-brainer to automate once I know a little bit more about Saltstack.</li>
<li>Replace more templates with minimal ones to save on startup-time/space/updates</li>
<li>qmenu scripts with rofi to do more with the keyboard</li>
<li>Browser configuration. I like to set my browsers up in a similar way almost every time with a couple of favorite extensions and configuration. I want to implement this in Saltstack asap.</li>
<li>A handful of other simple qubes that I often end up creating over time</li>
<li>Write and implement bash and elisp scripts to improve various QubesOS/Emacs workflows</li>
<li>Generally improve at Saltstack to make the config more extendable/robust/optimized</li>
</ul>
</div>
</div>
]]></description>
</item>
<item>
<title>Create an anonymous Whonix environment with KVM + NixOS</title>
<link>./feed.html#orgb214ac6</link>
<author>user@emacs-org (nil)</author>
<guid isPermaLink="false">./feed.html#orgb214ac6</guid>
<pubDate>Fri, 28 Feb 2025 14:30:00 -0700</pubDate>
<category><![CDATA[post]]></category>
<category><![CDATA[tor]]></category>
<description><![CDATA[<div id="outline-container-org8b47637" class="outline-3">
<h3 id="org8b47637">The why</h3>
<div class="outline-text-3" id="text-org8b47637">
<p>
I’ve spent significant time using QubesOS on various computers, and I’ve been thoroughly spoiled by the VM magic Xen and the Qubes team have enabled. For a few reasons though, I’ve recently switched my main laptop from running QubesOS to NixOS. NixOS is great: it’s declaratively managed, fast, stable, has tons of fresh packages, but I can’t help but feel like my trust in the system has decreased a little bit due to the lack of isolation via virtualization that QubesOS provides.
</p>
<p>
(3/1/2025 update: I’m using QubesOS again)
</p>
<p>
Luckily, while VMs are fantastic to use especially with QubesOS, it’s very much possible to get some of the benefits of QubesOS on a host Linux system like NixOS.
</p>
<p>
To demonstrate this, I’ll be going through a Whonix installation on NixOS using KVM, configuration.nix, and home-manager. I’ll talk a bit about the security trade-offs of using KVM over VirtualBox or Xen on QubesOS, and how Whonix can be a useful tool for improving your security posture, protecting your host from malware and your activity from being deanonymized.
</p>
</div>
</div>
<div id="outline-container-orgf2738d6" class="outline-3">
<h3 id="orgf2738d6">What’s Whonix?</h3>
<div class="outline-text-3" id="text-orgf2738d6">
<p>
Whonix is a two-VM setup for compartmentalizing your computing that routes everything through the Tor network to keep your activity anonymous. It is based on Kicksecure, a hardened Debian derivative.
</p>
<p>
The Whonix “Gateway” VM creates, maintains, and makes available a ’Tor-ified’ network connection for the Workstation.
</p>
<p>
The Whonix “Workstation” VM is where you’ll do your actual computing. It comes with a graphical XFCE desktop and a suite of applications. You can use the built-in Tor Browser to browse anonymously, or any of the other included applications, and all of their traffic is routed through the Gateway and Tor; the Workstation is only attached to the internal network and has no other route out.
</p>
</div>
</div>
<div id="outline-container-org6ebe8aa" class="outline-3">
<h3 id="org6ebe8aa">KVM vs VirtualBox</h3>
<div class="outline-text-3" id="text-org6ebe8aa">
<p>
Whonix supports two hosted (type-2) hypervisors: KVM and VirtualBox. KVM is built into the Linux kernel and is therefore fully <a href="https://www.gnu.org/philosophy/free-sw.en.html">Free Software</a>. VirtualBox is developed and controlled by Oracle; its base package is GPL-licensed, but its Extension Pack is proprietary. I’ll be using KVM for these examples, but there’s a <a href="https://www.whonix.org/wiki/VirtualBox">convenient guide for VirtualBox</a>.
</p>
</div>
</div>
<div id="outline-container-org895308a" class="outline-3">
<h3 id="org895308a">KVM vs QubesOS Zen</h3>
<div class="outline-text-3" id="text-org895308a">
</div>
<div id="outline-container-org0663765" class="outline-4">
<h4 id="org0663765">Hypervisor simplicity</h4>
<div class="outline-text-4" id="text-org0663765">
<p>
KVM is part of the Linux kernel, with QEMU doing device emulation in userspace, so the code a guest has to break out of is a large, monolithic kernel plus QEMU rather than a comparatively small type-1 hypervisor like Xen. That is a much larger attack surface for a VM escape.
</p>
</div>
</div>
<div id="outline-container-org22022ad" class="outline-4">
<h4 id="org22022ad">Type-1 vs type-2 hypervisor</h4>
<div class="outline-text-4" id="text-org22022ad">
<p>
KVM runs inside a host Linux system, and therefore a VM is only as isolated as that host is secure: anything that compromises the host (a malicious package, an exploit in a host application) can read or tamper with every VM. This is perhaps the biggest downside to running this KVM setup over Qubes in terms of security. I’d recommend delegating any risky activity to VMs like Whonix to try to mitigate the risk of malware running on your host system.
</p>
</div>
</div>
<div id="outline-container-orgf46f201" class="outline-4">
<h4 id="orgf46f201">No sys-net/firewall/usb/audio/etc.</h4>
<div class="outline-text-4" id="text-orgf46f201">
<p>
QubesOS moves hardware handling into dedicated VMs (sys-net for the network card, sys-usb for USB, sys-audio for sound, and so on), so a driver bug or a malicious device is contained to that VM. Running Whonix on a Linux host keeps all of those drivers inside the host kernel, where the same bug compromises the host and, with it, every VM.
</p>
</div>
</div>
<div id="outline-container-org9d72f18" class="outline-4">
<h4 id="org9d72f18">Performance</h4>
<div class="outline-text-4" id="text-org9d72f18">
<p>
Whonix on KVM performs about as well as it does on QubesOS (varying with how much virtual CPU/memory you allocate, of course), but a big benefit of having a Linux host is that applications run on the host aren’t slowed down by virtualization. Risky activities can be compartmentalized while keeping the main system fast and convenient to use.
</p>
</div>
</div>
<div id="outline-container-org2111aa0" class="outline-4">
<h4 id="org2111aa0">Relevant Whonix security documentation</h4>
<div class="outline-text-4" id="text-org2111aa0">
<p>
The advantages QubesOS has over KVM listed above are just a few basic examples. QubesOS has a much more robust security model in many ways, and if your security is <b>essential</b>, you should understand the downsides:
</p>
<ul class="org-ul">
<li><a href="https://www.whonix.org/wiki/Qubes/Why_use_Qubes_over_other_Virtualizers">https://www.whonix.org/wiki/Qubes/Why_use_Qubes_over_other_Virtualizers</a></li>
</ul>
</div>
</div>
</div>
<div id="outline-container-org2130aba" class="outline-3">
<h3 id="org2130aba">Installing Whonix on KVM</h3>
<div class="outline-text-3" id="text-org2130aba">
<p>
Make sure to check the relevant NixOS and Whonix documentation to ensure these examples are up-to-date. Always be wary of executing commands from a random blog on the internet, and go to the source whenever possible.
</p>
<ul class="org-ul">
<li><a href="https://nixos.wiki/wiki/Virt-manager">https://nixos.wiki/wiki/Virt-manager</a></li>
<li><a href="https://www.whonix.org/wiki/KVM">https://www.whonix.org/wiki/KVM</a></li>
</ul>
<p>
Some of this setup (packages, user groups, dconf settings, the actual virtualization setup) is declaratively configured, but many of the commands to set up Whonix are not. On a fresh NixOS system built with your configuration.nix, you’ll still need to download the Whonix images and set them up with the commands outlined below. It’s possible more (or even all?) of this could be done declaratively with more NixOS knowledge.
</p>
</div>
<div id="outline-container-orgc74a2fa" class="outline-4">
<h4 id="orgc74a2fa">Installing KVM + Virt-manager</h4>
<div class="outline-text-4" id="text-orgc74a2fa">
<p>
Enable libvirtd and virt-manager
</p>
<div class="org-src-container">
<pre class="src src-nix"> # /etc/nixos/configuration.nix
virtualisation.libvirtd.enable = true;
programs.virt-manager.enable = true;
</pre>
</div>
<p>
Add user to the libvirtd group
</p>
<div class="org-src-container">
<pre class="src src-nix"> # /etc/nixos/configuration.nix
# Replace USER with your username
# extraGroups will likely be populated, just add libvirtd to whatever's already there
users.users.USER = {
extraGroups = [ "libvirtd" ];
};
</pre>
</div>
<p>
Enable qemu connection by adding dconf settings through home-manager
</p>
<div class="org-src-container">
<pre class="src src-nix"> # /etc/nixos/configuration.nix
# Replace USER with your username
home-manager.users.USER = { pkgs, ... }: {
# Point virt-manager to qemu as a source for virtualization
dconf.settings = {
"org/virt-manager/virt-manager/connections" = {
autoconnect = ["qemu:///system"];
uris = ["qemu:///system"];
};
};
};
</pre>
</div>
<p>
Start qemu’s virtual networking, allowing VMs to communicate
</p>
<div class="org-src-container">
<pre class="src src-sh"><span style="color: #928374;"># </span><span style="color: #928374;">Start qemu networking</span>
<span style="color: #fabd2f;">sudo</span> virsh -c qemu:///system net-autostart default
<span style="color: #fabd2f;">sudo</span> virsh -c qemu:///system net-start default
</pre>
</div>
</div>
</div>
<div id="outline-container-orga920350" class="outline-4">
<h4 id="orga920350">Download the Whonix XFCE .qcow archive</h4>
<div class="outline-text-4" id="text-orga920350">
<ul class="org-ul">
<li>You can get the most up-to-date versions directly from their website:
<ul class="org-ul">
<li><a href="https://www.whonix.org/wiki/KVM#Download_Whonix">https://www.whonix.org/wiki/KVM#Download_Whonix</a></li>
<li>You can optionally append ’.torrent’ to the direct download URL on their site to download the torrent file. This can be used in any BitTorrent client to download with faster speeds and without using as much of the project’s bandwidth. If you have a BitTorrent client I recommend this method.</li>
<li>Whichever way you download it, verify the archive’s signature against the Whonix signing key before unpacking it (the Whonix wiki documents the verification steps). An unverified image compromises everything you later do inside it.</li>
</ul></li>
</ul>
</div>
</div>
<div id="outline-container-orgc8af45d" class="outline-4">
<h4 id="orgc8af45d">Extract the archive</h4>
<div class="outline-text-4" id="text-orgc8af45d">
<p>
Make sure your working directory and archive are both in your home directory. (You may need to <code class="src src-sh"><span style="color: #fabd2f;">mv</span> ~/Downloads/Whonix* ~/</code>)
</p>
<div class="org-src-container">
<pre class="src src-sh"><span style="color: #928374;"># </span><span style="color: #928374;">Unpacking archive with gnu tar</span>
<span style="color: #fe8019;">[</span>~/<span style="color: #fe8019;">]</span>$ tar -xvf Whonix*.libvirt.xz
</pre>
</div>
</div>
</div>
<div id="outline-container-org6988c27" class="outline-4">
<h4 id="org6988c27">Agree to the Whonix Binary License Agreement</h4>
<div class="outline-text-4" id="text-org6988c27">
<p>
To read the agreement, use:
</p>
<div class="org-src-container">
<pre class="src src-sh"><span style="color: #928374;"># </span><span style="color: #928374;">Prints the license agreement</span>
<span style="color: #fe8019;">[</span>~/<span style="color: #fe8019;">]</span>$ more WHONIX_BINARY_LICENSE_AGREEMENT
</pre>
</div>
<p>
Assuming you agree:
</p>
<div class="org-src-container">
<pre class="src src-sh"><span style="color: #928374;"># </span><span style="color: #928374;">Creates an empty file "..._accepted" that tells Whonix you agree</span>
<span style="color: #fe8019;">[</span>~/<span style="color: #fe8019;">]</span>$ <span style="color: #fabd2f;">touch</span> WHONIX_BINARY_LICENSE_AGREEMENT_accepted
</pre>
</div>
</div>
</div>
<div id="outline-container-orgc7bfa0b" class="outline-4">
<h4 id="orgc7bfa0b">Setup Whonix virtual networks</h4>
<div class="outline-text-4" id="text-orgc7bfa0b">
<div class="org-src-container">
<pre class="src src-sh"><span style="color: #928374;"># </span><span style="color: #928374;">Add virtual networks</span>
<span style="color: #fabd2f;">sudo</span> virsh -c qemu:///system net-define Whonix_external*.xml
<span style="color: #fabd2f;">sudo</span> virsh -c qemu:///system net-define Whonix_internal*.xml
<span style="color: #928374;"># </span><span style="color: #928374;">Activate the networks</span>
<span style="color: #fabd2f;">sudo</span> virsh -c qemu:///system net-autostart Whonix-External
<span style="color: #fabd2f;">sudo</span> virsh -c qemu:///system net-start Whonix-External
<span style="color: #fabd2f;">sudo</span> virsh -c qemu:///system net-autostart Whonix-Internal
<span style="color: #fabd2f;">sudo</span> virsh -c qemu:///system net-start Whonix-Internal
</pre>
</div>
</div>
</div>
<div id="outline-container-orgfa6ff00" class="outline-4">
<h4 id="orgfa6ff00">Import Whonix Gateway and Workstation images</h4>
<div class="outline-text-4" id="text-orgfa6ff00">
<div class="org-src-container">
<pre class="src src-sh"><span style="color: #928374;"># </span><span style="color: #928374;">Creates two qemu profiles for the Whonix VMs</span>
<span style="color: #fabd2f;">sudo</span> virsh -c qemu:///system define Whonix-Gateway*.xml
<span style="color: #fabd2f;">sudo</span> virsh -c qemu:///system define Whonix-Workstation*.xml
</pre>
</div>
</div>
</div>
<div id="outline-container-orgf0722cb" class="outline-4">
<h4 id="orgf0722cb">Image File Installation</h4>
<div class="outline-text-4" id="text-orgf0722cb">
<div class="org-src-container">
<pre class="src src-sh"><span style="color: #928374;"># </span><span style="color: #928374;">Assigns those qemu VMs to the Whonix .qcow2 images</span>
<span style="color: #fe8019;">[</span>~/<span style="color: #fe8019;">]</span>$ <span style="color: #fabd2f;">sudo</span> <span style="color: #fabd2f;">mv</span> Whonix-Gateway*.qcow2 /var/lib/libvirt/images/Whonix-Gateway.qcow2
<span style="color: #fe8019;">[</span>~/<span style="color: #fe8019;">]</span>$ <span style="color: #fabd2f;">sudo</span> <span style="color: #fabd2f;">mv</span> Whonix-Workstation*.qcow2 /var/lib/libvirt/images/Whonix-Workstation.qcow2
</pre>
</div>
</div>
</div>
<div id="outline-container-orgb50c8cc" class="outline-4">
<h4 id="orgb50c8cc">Remove Whonix home clutter</h4>
<div class="outline-text-4" id="text-orgb50c8cc">
<div class="org-src-container">
<pre class="src src-sh"><span style="color: #928374;"># </span><span style="color: #928374;">WARNING: running this command will delete every file that starts with "Whonix" or "WHONIX" in your working directory.</span>
<span style="color: #fe8019;">[</span>~/<span style="color: #fe8019;">]</span>$ <span style="color: #fabd2f;">rm</span> Whonix*
<span style="color: #fe8019;">[</span>~/<span style="color: #fe8019;">]</span>$ <span style="color: #fabd2f;">rm</span> -r WHONIX*
</pre>
</div>
</div>
</div>
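<p>
The network, domain and image steps above collected into one script, added here as an example (it is not code from the Whonix project or the original post). It reads the network and domain names and the expected disk path out of the XML files instead of hard-coding them, skips anything libvirt already knows about so it can be re-run safely, and refuses to continue if the license marker or an image is missing. It assumes the archive is already unpacked in the current directory, that libvirt answers at <code>qemu:///system</code> as configured earlier, and that each domain XML references an absolute image path (the <code>mv</code> targets above imply <code>/var/lib/libvirt/images/</code>).
</p>

```shell
#!/bin/sh
# Added example, not code from the Whonix project or the original post.
# Usage: ./whonix-import.sh run   (from the directory holding the unpacked files)
set -eu

VIRSH="sudo virsh -c qemu:///system"

# First <name>...</name> in a libvirt network or domain XML.
name_from_xml() {
  sed -n 's/.*<name>\([^<]*\)<\/name>.*/\1/p' "$1" | head -n 1
}

# Disk image path the domain XML expects in its <source file=...> element.
disk_path_from_xml() {
  sed -n "s/.*<source file=['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1
}

# Define, autostart and start a network, skipping steps already done.
ensure_network() {
  xml="$1"; name=$(name_from_xml "$xml")
  $VIRSH net-info "$name" >/dev/null 2>&1 || $VIRSH net-define "$xml"
  $VIRSH net-autostart "$name"
  $VIRSH net-info "$name" | grep -q '^Active: *yes' || $VIRSH net-start "$name"
}

# Move the qcow2 to the path its domain XML references, check it is really
# there, then (re)define the domain. "define" replaces an existing definition.
import_domain() {
  xml="$1"; image="$2"
  dest=$(disk_path_from_xml "$xml")
  [ -n "$dest" ] || { echo "no <source file=...> in $xml" >&2; return 1; }
  if [ -f "$image" ]; then
    sudo mkdir -p "$(dirname "$dest")"
    sudo mv "$image" "$dest"
  fi
  sudo test -f "$dest" || { echo "image for $xml missing at $dest" >&2; return 1; }
  $VIRSH define "$xml"
}

main() {
  [ -f WHONIX_BINARY_LICENSE_AGREEMENT_accepted ] || {
    echo "read WHONIX_BINARY_LICENSE_AGREEMENT and touch the _accepted file first" >&2; exit 1; }
  ensure_network Whonix_external*.xml
  ensure_network Whonix_internal*.xml
  import_domain Whonix-Gateway*.xml Whonix-Gateway*.qcow2
  import_domain Whonix-Workstation*.xml Whonix-Workstation*.qcow2
  $VIRSH list --all
}

# Only runs the import when invoked with an argument, e.g. ./whonix-import.sh run
if [ "$#" -gt 0 ]; then main "$@"; fi
```

<p>
Running it a second time is harmless: the networks are already defined and active, the images have already moved (so the glob no longer matches and the existence check on the destination is what runs), and <code>define</code> simply rewrites the domain configuration.
</p>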
</div>
<div id="outline-container-org7fab5db" class="outline-3">
<h3 id="org7fab5db">Post-installation</h3>
<div class="outline-text-3" id="text-org7fab5db">
<p>
Use the virt-manager application to start Whonix-Gateway, and open its terminal. We’ll use setup-dist to create your Tor connection and otherwise prepare Whonix for use.
</p>
<div class="org-src-container">
<pre class="src src-sh"><span style="color: #928374;"># </span><span style="color: #928374;">Whonix Gateway VM</span>
<span style="color: #fe8019;">[</span>gateway user ~<span style="color: #fe8019;">]</span>% <span style="color: #fabd2f;">sudo</span> setup-dist
</pre>
</div>
<p>
Refresh the package lists and upgrade the system to pull the latest packages:
</p>
<div class="org-src-container">
<pre class="src src-sh"><span style="color: #928374;"># </span><span style="color: #928374;">Whonix Gateway VM</span>
<span style="color: #fe8019;">[</span>gateway user ~<span style="color: #fe8019;">]</span>% <span style="color: #fabd2f;">sudo</span> apt-get dist-upgrade
</pre>
</div>
<p>
Start the Whonix Workstation, and repeat the upgrade step:
</p>
<div class="org-src-container">
<pre class="src src-sh"><span style="color: #928374;"># </span><span style="color: #928374;">Whonix Workstation VM</span>
<span style="color: #fe8019;">[</span>workstation user ~<span style="color: #fe8019;">]</span>% <span style="color: #fabd2f;">sudo</span> apt-get dist-upgrade
</pre>
</div>
</div>
</div>
<div id="outline-container-org292276c" class="outline-3">
<h3 id="org292276c">Using Whonix</h3>
<div class="outline-text-3" id="text-org292276c">
<p>
Assuming the VMs are booting properly and can receive updates, you should be good to go! You now have a compartmentalized environment where your traffic will be anonymized, and any malware should generally be contained to the VM (sophisticated enough malware could theoretically jump the KVM hypervisor, but if that’s part of your threat model you probably shouldn’t be getting security advice from this blog :P)
</p>
</div>
<div id="outline-container-org5fdcee2" class="outline-4">
<h4 id="org5fdcee2">Some tips</h4>
<div class="outline-text-4" id="text-org5fdcee2">
</div>
<ul class="org-ul">
<li><a id="org29e059f"></a>Basic applications<br />
<div class="outline-text-5" id="text-org29e059f">
<ul class="org-ul">
<li>Tor Browser: Fingerprinting-resistant browser made for anonymous internet use</li>
<li>VLC: Video player capable of playing almost any media file you throw at it</li>
<li>KeePassXC: Offline password manager</li>
<li>GPA (GNU Privacy Assistant): Graphical front end for GPG key management and encryption</li>
<li>Electrum: Bitcoin wallet</li>
<li>Thunderbird: Mozilla email/calendar/RSS client</li>
<li>and more!</li>
</ul>
</div>
</li>
<li><a id="org92674ea"></a>Staying secure and anonymous<br />
<div class="outline-text-5" id="text-org92674ea">
<p>
Think before you act! Whonix gives you a good platform for staying anonymous, but you can absolutely de-anonymize yourself if you’re not careful.
</p>
<ul class="org-ul">
<li>If you’re signing into a service over Tor, understand that the service can tie your actions to the account you used. You can’t sign into your personal Facebook over Tor and expect that Facebook won’t know exactly who you are.</li>
<li>If you’re talking in some IRC channel, be skeptical about sharing information about yourself.</li>
<li>If you’re using the Electrum wallet to manage Bitcoin, understand the privacy implications of Bitcoin and where you’re sending to and receiving from.</li>
<li>Installing extra extensions in the Tor Browser changes your browser fingerprint and makes you stand out from other Tor Browser users</li>
<li>etc, etc, etc</li>
</ul>
<p>
There are an uncountable number of ways you could de-anonymize yourself, so <b>stay vigilant</b>. Understand the technology you’re using, the information you’re putting out, and put yourself in the perspective of an adversary trying to de-anonymize you.
</p>
</div>
<ul class="org-ul">
<li><a id="orga88288f"></a>Use a live system when possible<br />
<div class="outline-text-6" id="text-orga88288f">
<p>
When you boot the Workstation VM, you can pick the ’live’ entry in its boot menu. Nothing written during a live session is persisted to disk, so when you shut the VM down, everything you did during the session is gone.
</p>
<p>
This is useful if, say, you visit a sketchy site and end up with malware: reboot the VM and you’re back to a clean state.
</p>
<p>
Ideally, use a persistent session only for updating and installing packages from the Whonix repositories. You may also want a persistent session to set up credentials in your KeePassXC database or to set up GPG keys, but keep as much sporadic browsing as possible in live mode.
</p>
</div>
</li>
<li><a id="org3b130ef"></a>Optionally disable Javascript in Tor Browser<br />
<div class="outline-text-6" id="text-org3b130ef">
<p>
JavaScript adds a massive attack surface to your browser, and disabling it removes entire categories of browser exploits. But many, many sites rely on JavaScript for basic functionality.
</p>
<p>
Personally, I keep JavaScript on because I trust KVM to contain malware relatively well, and I only use the Tor Browser in live mode so any potential malware will be wiped on reboot.
</p>
<p>
If you care about further hardening the setup, and are willing to break many websites, JavaScript can easily be disabled by setting the Tor Browser security level to the highest option (“Safest”), which turns it off for every site.
</p>
</div>
</li>
</ul>
</li>
</ul>
</div>
</div>
]]></description>
</item>
</channel>
</rss>