I have finally succeeded in setting up printing in Qubes OS, and I would like to share my process.
I have created the following:
print template based on Debian-11-minimal template with packages installed for printing, scanning, and viewing images and documents
disposable template configured for IPPS encrypted printing to my printer
named disposable qube based on the disposable template
Below are the two scripts that I made to accomplish this. The scripts were created in dom0 and are meant to be executed in dom0. Please read the comments to understand if and when user action is required, as well as the sections to be edited to your needs.
It is also worth noting that the second script is configured to set the Eye Of Gnome package (eog) as the default program for viewing image files. File types that are not supported by Eye Of Gnome will open in the default image viewer (currently ImageMagick).
>#!/bin/bash
>
>SOURCE_TEMPLATE=debian-11-minimal
PRINT_TEMPLATE=deb11-min-print
STORAGE_QUBE=vault
>
># Clone debian-11-minimal template:
>
>qvm-clone $SOURCE_TEMPLATE $PRINT_TEMPLATE
>
># Install necessary packages in deb11-min-print template:
>
>qvm-run -u root --pass-io $PRINT_TEMPLATE 'apt-get install --no-install-recommends cups eog evince gedit ink libusb-0.1-4 nautilus qubes-core-agent-networking qubes-core-agent-passwordless-root simple-scan system-config-printer -y'
>
># If your printer(s) requires the installation of additional drivers, uncomment the commands below.
#
# Copy any drivers required for your printer(s) from your STORAGE_QUBE specified at the top of this script:
#
#qvm-run --pass-io $STORAGE_QUBE 'qvm-copy /home/user/printer-drivers/*'
#
# Install printer drivers (adjust commands below to your needs):
#
#qvm-run -u root --pass-io $PRINT_TEMPLATE 'dpkg -i --force-all /home/user/QubesIncoming/vault/<DRIVER_1>.deb'
#
#qvm-run -u root --pass-io $PRINT_TEMPLATE 'dpkg -i --force-all /home/user/QubesIncoming/vault/<DRIVER_2>.deb'
#
#qvm-run -u root --pass-io $PRINT_TEMPLATE 'dpkg -i --force-all /home/user/QubesIncoming/vault/<DRIVER_3>.deb'
#
# Optionally remove the QubesIncoming directory:
#
#qvm-run -u root --pass-io $PRINT_TEMPLATE 'rm -r /home/user/QubesIncoming/'
>
># Shutdown deb11-min-print:
>
>qvm-shutdown --wait $PRINT_TEMPLATE
>#!/bin/bash
>
>PRINT_TEMPLATE=deb11-min-print
DISPOSABLE_PRINT_TEMPLATE=sys-print-template
DISPOSABLE_PRINT_QUBE=sys-print
STORAGE_QUBE=vault
NETWORK_QUBE=sys-firewall
>
># Create disposable template based on deb11-min-print:
>
>qvm-create --class AppVM --template $PRINT_TEMPLATE --prop autostart=false --prop audiovm="" --prop netvm=$NETWORK_QUBE --prop template_for_dispvms=true --prop maxmem=0 --prop memory=400 --label gray $DISPOSABLE_PRINT_TEMPLATE
>
>qvm-features $DISPOSABLE_PRINT_TEMPLATE appmenus-dispvm 1
>
># Restrict disposable template to local network access using firewall rules (adjust for your own network):
>
>qvm-firewall $DISPOSABLE_PRINT_TEMPLATE del --rule-no 0
>
>qvm-firewall $DISPOSABLE_PRINT_TEMPLATE add accept 10.0.0.0/24
>
>qvm-firewall $DISPOSABLE_PRINT_TEMPLATE add drop
>
># If you would like to install one or more self-signed certificates generated on your printer(s) in order to use IPPS encrypted printing, uncomment the commands below.
#
# Copy any certificates for your printer(s) from your STORAGE_QUBE specified at the top of this script:
#
#qvm-run --pass-io $STORAGE_QUBE 'qvm-copy /home/user/printer-certs/*'
#
# Move certificate(s) to the proper directory for importing:
#
#qvm-run --pass-io $DISPOSABLE_PRINT_TEMPLATE 'sudo mv /home/user/QubesIncoming/vault/* /usr/local/share/ca-certificates/'
#
# Optionally remove the QubesIncoming directory:
#
#qvm-run --pass-io $DISPOSABLE_PRINT_TEMPLATE 'rm -r /home/user/QubesIncoming/'
#
# Import certificate(s):
#
#qvm-run --pass-io $DISPOSABLE_PRINT_TEMPLATE 'sudo update-ca-certificates'
>
># Start the system-config-printer application with root permissions in disposable template:
>
>qvm-run -au root $DISPOSABLE_PRINT_TEMPLATE system-config-printer
>
># Follow the instructions below to manually configure your printer(s):
#
# Click the "Add" button in the system-config-printer toolbar to begin adding your printer(s).
#
# For IPPS encrypted printing, input the following into the text field titled "Enter device URI":
#
# ipps://<PRINTER_IP_ADDRESS>:443/ipp
#
# For standard IPP unencrypted printing:
#
# ipp://<PRINTER_IP_ADDRESS>:631/ipp
#
# Click the "Forward" button on the bottom right of the window in order to proceed.
#
# Select the proper drivers for your printer and click the "Forward" button.
#
# Verify that the proper drivers have been selected and click the "Forward" button again.
#
# For IPPS encrypted printing, edit the top text field to match exactly the expected short name of your printer.
#
# For standard IPP unencrypted printing, this is unnecessary.
#
# Optionally edit the Description and Location text fields to your preference and click "Apply" on the bottom right of the window in order to finish adding the printer.
#
# When a window appears with a prompt asking "Would you like to print a test page?" click "Cancel".
#
# Double-click the new printer item in the system-config-printer application or right-click (secondary-click) the item and select Properties, in order to verify that the information has been correctly applied.
#
# Click "OK" or "Cancel" to close the Properties window.
#
# Finally, close the system-config-printer application window.
>
># Set Eye Of Gnome (eog) as the default application to open all file types that are supported:
>
>qvm-run --pass-io $DISPOSABLE_PRINT_TEMPLATE 'echo -e "[Default Applications]\nimage/ani=org.gnome.eog.desktop" > /home/user/.config/mimeapps.list'
>
>qvm-run --pass-io $DISPOSABLE_PRINT_TEMPLATE 'echo -e "\n[Default Applications]\nimage/avif=org.gnome.eog.desktop" >> /home/user/.config/mimeapps.list'
>
>qvm-run --pass-io $DISPOSABLE_PRINT_TEMPLATE 'echo -e "\n[Default Applications]\nimage/bmp=org.gnome.eog.desktop" >> /home/user/.config/mimeapps.list'
>
>qvm-run --pass-io $DISPOSABLE_PRINT_TEMPLATE 'echo -e "\n[Default Applications]\nimage/gif=org.gnome.eog.desktop" >> /home/user/.config/mimeapps.list'
>
>qvm-run --pass-io $DISPOSABLE_PRINT_TEMPLATE 'echo -e "\n[Default Applications]\nimage/ico=org.gnome.eog.desktop" >> /home/user/.config/mimeapps.list'
>
>qvm-run --pass-io $DISPOSABLE_PRINT_TEMPLATE 'echo -e "\n[Default Applications]\nimage/jpeg=org.gnome.eog.desktop" >> /home/user/.config/mimeapps.list'
>
>qvm-run --pass-io $DISPOSABLE_PRINT_TEMPLATE 'echo -e "\n[Default Applications]\nimage/pcx=org.gnome.eog.desktop" >> /home/user/.config/mimeapps.list'
>
>qvm-run --pass-io $DISPOSABLE_PRINT_TEMPLATE 'echo -e "\n[Default Applications]\nimage/png=org.gnome.eog.desktop" >> /home/user/.config/mimeapps.list'
>
>qvm-run --pass-io $DISPOSABLE_PRINT_TEMPLATE 'echo -e "\n[Default Applications]\nimage/pnm=org.gnome.eog.desktop" >> /home/user/.config/mimeapps.list'
>
>qvm-run --pass-io $DISPOSABLE_PRINT_TEMPLATE 'echo -e "\n[Default Applications]\nimage/ras=org.gnome.eog.desktop" >> /home/user/.config/mimeapps.list'
>
>qvm-run --pass-io $DISPOSABLE_PRINT_TEMPLATE 'echo -e "\n[Default Applications]\nimage/svg=org.gnome.eog.desktop" >> /home/user/.config/mimeapps.list'
>
>qvm-run --pass-io $DISPOSABLE_PRINT_TEMPLATE 'echo -e "\n[Default Applications]\nimage/tga=org.gnome.eog.desktop" >> /home/user/.config/mimeapps.list'
>
>qvm-run --pass-io $DISPOSABLE_PRINT_TEMPLATE 'echo -e "\n[Default Applications]\nimage/tiff=org.gnome.eog.desktop" >> /home/user/.config/mimeapps.list'
>
>qvm-run --pass-io $DISPOSABLE_PRINT_TEMPLATE 'echo -e "\n[Default Applications]\nimage/wbmp=org.gnome.eog.desktop" >> /home/user/.config/mimeapps.list'
>
>qvm-run --pass-io $DISPOSABLE_PRINT_TEMPLATE 'echo -e "\n[Default Applications]\nimage/webp=org.gnome.eog.desktop" >> /home/user/.config/mimeapps.list'
>
>qvm-run --pass-io $DISPOSABLE_PRINT_TEMPLATE 'echo -e "\n[Default Applications]\nimage/xbm=org.gnome.eog.desktop" >> /home/user/.config/mimeapps.list'
>
>qvm-run --pass-io $DISPOSABLE_PRINT_TEMPLATE 'echo -e "\n[Default Applications]\nimage/xpm=org.gnome.eog.desktop" >> /home/user/.config/mimeapps.list'
>
># Create /rw/config/qubes-bind-dirs.d/ directory:
>
>qvm-run --pass-io $DISPOSABLE_PRINT_TEMPLATE 'sudo mkdir -p /rw/config/qubes-bind-dirs.d'
>
># Make /rw/bind-dirs/ sub-directory for /etc/cups/ directory:
>
>qvm-run --pass-io $DISPOSABLE_PRINT_TEMPLATE 'sudo mkdir -p /rw/bind-dirs/etc/cups/'
>
># Copy entire contents of /etc/cups/ directory into the corresponding /rw/bind-dirs/etc/cups/ directory:
>
>qvm-run --pass-io $DISPOSABLE_PRINT_TEMPLATE 'sudo cp -r /etc/cups/* /rw/bind-dirs/etc/cups/'
>
># Create 50_user.conf file in /rw/config/qubes-bind-dirs.d/ directory and add the appropriate information for /etc/cups/ directory:
>
>qvm-run -u root --pass-io $DISPOSABLE_PRINT_TEMPLATE "sudo echo -e binds+=\( \'/etc/cups/\' \) > /rw/config/qubes-bind-dirs.d/50_user.conf"
>
># If you have installed one or more certificates in order to use IPPS encrypted printing, uncomment the commands below.
#
# Make /rw/bind-dirs/ sub-directory for /etc/ssl/certs/ directory:
#
#qvm-run --pass-io $DISPOSABLE_PRINT_TEMPLATE 'sudo mkdir -p /rw/bind-dirs/etc/ssl/certs/'
#
# Make /rw/bind-dirs/ sub-directory for /usr/local/share/ca-certificates/ directory:
#
#qvm-run --pass-io $DISPOSABLE_PRINT_TEMPLATE 'sudo mkdir -p /rw/bind-dirs/usr/local/share/ca-certificates/'
#
# Copy your certificate(s) from /etc/ssl/certs/ directory into the corresponding /rw/bind-dirs/etc/ssl/certs/ directory (copy and edit this command for additional certificates):
#
#qvm-run --pass-io $DISPOSABLE_PRINT_TEMPLATE 'sudo cp -r /etc/ssl/certs/<YOUR_CERTIFICATE.pem> /rw/bind-dirs/etc/ssl/certs/'
#
# Copy your certificate(s) from /usr/local/share/ca-certificates/ directory into the corresponding /rw/bind-dirs/usr/local/share/ca-certificates/ directory (copy and edit this command for additional certificates):
#
#qvm-run --pass-io $DISPOSABLE_PRINT_TEMPLATE 'sudo cp -r /usr/local/share/ca-certificates/<YOUR_CERTIFICATE.crt> /rw/bind-dirs/usr/local/share/ca-certificates/'
#
# Edit 50_user.conf file in /rw/config/qubes-bind-dirs.d/ directory to add the appropriate information for your certificate(s) located in /etc/ssl/certs/ (copy and edit this command for additional certificates):
#
#qvm-run -u root --pass-io $DISPOSABLE_PRINT_TEMPLATE "sudo echo -e binds+=\( \'/etc/ssl/certs/<YOUR_CERTIFICATE.pem>\' \) >> /rw/config/qubes-bind-dirs.d/50_user.conf"
#
# Edit 50_user.conf file in /rw/config/qubes-bind-dirs.d/ directory to add the appropriate information for your certificate(s) located in /usr/local/share/ca-certificates/ (copy and edit this command for additional certificates):
#
#qvm-run -u root --pass-io $DISPOSABLE_PRINT_TEMPLATE "sudo echo -e binds+=\( \'/usr/local/share/ca-certificates/<YOUR_CERTIFICATE.crt>\' \) >> /rw/config/qubes-bind-dirs.d/50_user.conf"
>
># If your printer has scanning functionality that must be activated, uncomment and edit the command below so that the necessary command(s) for your printer/scanner are executed when the print qube starts. The command below is an example of one needed for Brother printer/scanner devices:
>
>#qvm-run -u root --pass-io $PRINT_TEMPLATE "sudo echo -e 'sudo brsaneconfig5 -a name=XXX-XXXXXXX model=XXX-XXXXXXX ip=XX.XX.XX.XX' >> /rw/config/rc.local"
>
># Shutdown disposable template:
>
>qvm-shutdown --wait $DISPOSABLE_PRINT_TEMPLATE
>
># If you would like the "View In DisposableVM" feature to open the selected file in a disposable print qube, uncomment the command below. This makes printing quicker and more convenient. Simply right-click (secondary-click) any file in any qube, select the "View In DisposableVM" option, and then print the file using either a keyboard command (Ctrl+P) or other option in the program displaying the file. This feature will not work for any qubes that you have manually configured to use a different disposable qube than the system default.
#
# Set disposable template as default disposable template:
>
>#qubes-prefs default_dispvm $DISPOSABLE_PRINT_TEMPLATE
>
># Create named disposable service qube (useful if you would like to be able to copy multiple files into one disposable print qube):
>
>qvm-create --class DispVM --template $PRINT_TEMPLATE --prop autostart=false --prop audiovm="" --prop netvm=$NETWORK_QUBE --prop maxmem=0 --prop memory=400 --label gray $DISPOSABLE_PRINT_QUBE
>
>qvm-features $DISPOSABLE_PRINT_QUBE appmenus-dispvm ''
After executing the scripts, I then added a Launcher item into my Panel to open the Document Scanner application (simple-scan) in my named disposable sys-print qube with the Launcher item set to execute this command:
>qvm-run -q -a --service -- sys-print qubes.StartApp+simple-scan
I also added a Launcher item to start the sys-print qube:
>qvm-start --quiet sys-print
And another Launcher item set to shutdown the sys-print qube:
>qvm-shutdown --wait sys-print
Then I added the Document Scanner application from the disposable template (sys-print-template) to the favorites tab of the Qubes App Menu.
With all of this accomplished, I can now do the following:
Right-click (secondary-click) a file in any qube, select the "View In DisposableVM" option to open the file in a disposable qube, and then print the file using Ctrl+P.
Scan documents in a disposable qube, transfer the files to another qube, and then close the window so that the qube is automatically shutdown and deleted. This is quick and convenient, but the transferred files appear in a subdirectory of /home/user/QubesIncoming/ with the randomly generated name of the disposable qube.
Scan documents in the named disposable and then close the window without having the qube automatically shutdown and deleted. When transferring the files from the named disposable to another qube, they will always appear in the /home/user/QubesIncoming/sys-print/ directory, which is more organized than the other method.
Add another printer for temporary use by doing the following:
Replace qvm-firewall rules for sys-print qube if on a different network (example: public library).
sys-print then Run Terminal.sudo system-config-printer.