Hi all,

Are there any recommended strategies for creating and managing
TemplateVMs for regular users?

Speaking personally, I use four templates (based on Debian 9):

base: For sys-*, vault, gpg, shopping, banking, etc.
office: LibreOffice, Thunderbird extensions, LaTeX. For work and personal VMs.
dev: Developer tools, compilers, etc. For dev VMs.
untrusted: Media software (VLC, etc.) as well as Chrome.

This lets me keep the individual templates to a more manageable size and prevents me from accidentally mixing up my workflow across VMs.

I would be open to using a more stripped-down base template but I'm not convinced it's worth it.

Thanks - it's really helpful to hear how others manage things. I'll give a similar setup a try.

There have been discussions about this over the years.

I don't think it's wrong to add lots of software to a 'general appVM use' template as long as the new programs are not network-facing *services* (as opposed to network clients).

This touches on the Qubes idea that users should compartmentalize. 'How' we should do it is left to us to decide; however, the default Qubes config including VMs for work, personal, etc. suggests we can comfortably segregate by role; we don't have to do it app-by-app the way some people suggest, and that would drive a lot of people crazy. Implied in role-based compartmentalization is that each role will need a lot of common apps working in concert.

Exceptions to this routine may emerge out of necessity. For example, it generally isn't a good idea to add new software to Whonix templates. Some also feel that service VMs like sys-net and sys-firewall should be run with a minimal template without regular apps present... this makes them more like router installations and theoretically more secure.


