I have finally succeeded in setting up printing in Qubes OS, and I would like to share my process.
I have created the following:
- Print template based on Debian-11-minimal
- Disposable template configured for IPPS encrypted printing to my printer
- Named-disposable qube based on the disposable template (not required, but useful for copying multiple files to a single print qube)
Below are the two scripts that I made to accomplish this. The scripts were created in dom0 and are meant to be executed in dom0. Please read the comments to understand if and when user action is required, as well as the sections to be edited to your needs.
Script for creating the template:
```bash
#!/bin/bash

SOURCE_TEMPLATE=debian-11-minimal
PRINT_TEMPLATE=deb11-min-print
STORAGE_QUBE=vault

# Clone debian-11-minimal template:
qvm-clone $SOURCE_TEMPLATE $PRINT_TEMPLATE

# Install necessary packages in deb11-min-print template:
qvm-run -u root --pass-io $PRINT_TEMPLATE 'apt-get install --no-install-recommends cups eog evince gedit ink libusb-0.1-4 nautilus qubes-core-agent-networking qubes-core-agent-passwordless-root simple-scan system-config-printer -y'

# If your printer(s) require the installation of additional drivers, uncomment the commands below.
# Copy any drivers required for your printer(s) from your STORAGE_QUBE specified at the top of this script:
#
#qvm-run --pass-io $STORAGE_QUBE 'qvm-copy /home/user/printer-drivers/*'
#
# Install printer drivers (adjust commands below to your needs):
#
#qvm-run -u root --pass-io $PRINT_TEMPLATE 'dpkg -i --force-all /home/user/QubesIncoming/vault/<DRIVER_1>.deb'
#
#qvm-run -u root --pass-io $PRINT_TEMPLATE 'dpkg -i --force-all /home/user/QubesIncoming/vault/<DRIVER_2>.deb'
#
#qvm-run -u root --pass-io $PRINT_TEMPLATE 'dpkg -i --force-all /home/user/QubesIncoming/vault/<DRIVER_3>.deb'
#
# Optionally remove the QubesIncoming directory:
#
#qvm-run -u root --pass-io $PRINT_TEMPLATE 'rm -r /home/user/QubesIncoming/'

# Shutdown deb11-min-print:
qvm-shutdown --wait $PRINT_TEMPLATE
```
Script for creating the disposable template and a named-disposable qube:
```bash
#!/bin/bash

PRINT_TEMPLATE=deb11-min-print
DISPOSABLE_PRINT_TEMPLATE=sys-print-template
DISPOSABLE_PRINT_QUBE=sys-print
STORAGE_QUBE=vault
NETWORK_QUBE=sys-firewall

# Create disposable template based on deb11-min-print:
qvm-create --class AppVM --template $PRINT_TEMPLATE --prop autostart=false --prop audiovm="" --prop netvm=$NETWORK_QUBE --prop template_for_dispvms=true --prop maxmem=0 --prop memory=400 --label black $DISPOSABLE_PRINT_TEMPLATE
qvm-features $DISPOSABLE_PRINT_TEMPLATE appmenus-dispvm ''

# Restrict disposable template to local network access using firewall rules (adjust for your own network):
qvm-firewall $DISPOSABLE_PRINT_TEMPLATE del --rule-no 0
qvm-firewall $DISPOSABLE_PRINT_TEMPLATE add accept 10.0.0.0/24
qvm-firewall $DISPOSABLE_PRINT_TEMPLATE add drop

# If you would like to install one or more self-signed certificates generated on printer(s) in order to use IPPS encrypted printing, uncomment the commands below.
# Copy any certificates for your printer(s) from your STORAGE_QUBE specified at the top of this script:
#
#qvm-run --pass-io $STORAGE_QUBE 'qvm-copy /home/user/stuff/Qubes/brother/template/certs/*'
#
# Move certificates to the proper directory for importing:
#
#qvm-run --pass-io $DISPOSABLE_PRINT_TEMPLATE 'sudo mv /home/user/QubesIncoming/vault/* /usr/local/share/ca-certificates/'
#
# Optionally remove the QubesIncoming directory:
#
#qvm-run --pass-io $DISPOSABLE_PRINT_TEMPLATE 'rm -r /home/user/QubesIncoming/'
#
# Import certificates:
#
#qvm-run --pass-io $DISPOSABLE_PRINT_TEMPLATE 'sudo update-ca-certificates'

# Start the system-config-printer application with root permissions in disposable template:
qvm-run -au root $DISPOSABLE_PRINT_TEMPLATE system-config-printer

# Follow the instructions below to manually configure your printer(s):
#
# Click the "Add" button in the system-config-printer toolbar to begin adding your printer(s).
#
# For IPPS encrypted printing, input the following into text field titled "Enter device URI":
#
# ipps://<PRINTER_IP_ADDRESS>:443/ipp
#
# For standard IPP unencrypted printing:
#
# ipp://<PRINTER_IP_ADDRESS>:631/ipp
#
# Click the "Forward" button on the bottom right of the window in order to proceed.
#
# Select the proper drivers for your printer and click the "Forward" button.
#
# Verify that the proper drivers have been selected and click the "Forward" button again.
#
# For IPPS encrypted printing, edit the top text field to match exactly the expected short name of your printer.
#
# For standard IPP unencrypted printing, this is unnecessary.
#
# Optionally edit the Description and Location text fields to your preference and click "Apply" on the bottom right of the window in order to finish adding the printer.
#
# When a window appears with a prompt asking "Would you like to print a test page?" click "Cancel".
#
# Double-click the new printer item in the system-config-printer application or right-click (secondary-click) the item and select Properties, in order to verify that the information has been correctly applied.
#
# Click "OK" or "Cancel" to close the Properties window.
#
# Finally, close the system-config-printer application window.

# Set Eye Of Gnome (eog) as the default application to open all file types that are supported:
qvm-run --pass-io $DISPOSABLE_PRINT_TEMPLATE 'echo -e "[Default Applications]\nimage/ani=org.gnome.eog.desktop" > /home/user/.config/mimeapps.list'
qvm-run --pass-io $DISPOSABLE_PRINT_TEMPLATE 'echo -e "\n[Default Applications]\nimage/avif=org.gnome.eog.desktop" >> /home/user/.config/mimeapps.list'
qvm-run --pass-io $DISPOSABLE_PRINT_TEMPLATE 'echo -e "\n[Default Applications]\nimage/bmp=org.gnome.eog.desktop" >> /home/user/.config/mimeapps.list'
qvm-run --pass-io $DISPOSABLE_PRINT_TEMPLATE 'echo -e "\n[Default Applications]\nimage/gif=org.gnome.eog.desktop" >> /home/user/.config/mimeapps.list'
qvm-run --pass-io $DISPOSABLE_PRINT_TEMPLATE 'echo -e "\n[Default Applications]\nimage/ico=org.gnome.eog.desktop" >> /home/user/.config/mimeapps.list'
qvm-run --pass-io $DISPOSABLE_PRINT_TEMPLATE 'echo -e "\n[Default Applications]\nimage/jpeg=org.gnome.eog.desktop" >> /home/user/.config/mimeapps.list'
qvm-run --pass-io $DISPOSABLE_PRINT_TEMPLATE 'echo -e "\n[Default Applications]\nimage/pcx=org.gnome.eog.desktop" >> /home/user/.config/mimeapps.list'
qvm-run --pass-io $DISPOSABLE_PRINT_TEMPLATE 'echo -e "\n[Default Applications]\nimage/png=org.gnome.eog.desktop" >> /home/user/.config/mimeapps.list'
qvm-run --pass-io $DISPOSABLE_PRINT_TEMPLATE 'echo -e "\n[Default Applications]\nimage/pnm=org.gnome.eog.desktop" >> /home/user/.config/mimeapps.list'
qvm-run --pass-io $DISPOSABLE_PRINT_TEMPLATE 'echo -e "\n[Default Applications]\nimage/ras=org.gnome.eog.desktop" >> /home/user/.config/mimeapps.list'
qvm-run --pass-io $DISPOSABLE_PRINT_TEMPLATE 'echo -e "\n[Default Applications]\nimage/svg=org.gnome.eog.desktop" >> /home/user/.config/mimeapps.list'
qvm-run --pass-io $DISPOSABLE_PRINT_TEMPLATE 'echo -e "\n[Default Applications]\nimage/tga=org.gnome.eog.desktop" >> /home/user/.config/mimeapps.list'
qvm-run --pass-io $DISPOSABLE_PRINT_TEMPLATE 'echo -e "\n[Default Applications]\nimage/tiff=org.gnome.eog.desktop" >> /home/user/.config/mimeapps.list'
qvm-run --pass-io $DISPOSABLE_PRINT_TEMPLATE 'echo -e "\n[Default Applications]\nimage/wbmp=org.gnome.eog.desktop" >> /home/user/.config/mimeapps.list'
qvm-run --pass-io $DISPOSABLE_PRINT_TEMPLATE 'echo -e "\n[Default Applications]\nimage/webp=org.gnome.eog.desktop" >> /home/user/.config/mimeapps.list'
qvm-run --pass-io $DISPOSABLE_PRINT_TEMPLATE 'echo -e "\n[Default Applications]\nimage/xbm=org.gnome.eog.desktop" >> /home/user/.config/mimeapps.list'
qvm-run --pass-io $DISPOSABLE_PRINT_TEMPLATE 'echo -e "\n[Default Applications]\nimage/xpm=org.gnome.eog.desktop" >> /home/user/.config/mimeapps.list'

# Create /rw/config/qubes-bind-dirs.d/ directory:
qvm-run --pass-io $DISPOSABLE_PRINT_TEMPLATE 'sudo mkdir -p /rw/config/qubes-bind-dirs.d'

# Make /rw/bind-dirs/ sub-directory for the cups program:
qvm-run --pass-io $DISPOSABLE_PRINT_TEMPLATE 'sudo mkdir -p /rw/bind-dirs/etc/cups/'

# Copy entire contents of /etc/cups/ directory into the corresponding /rw/bind-dirs/etc/cups/ directory:
qvm-run --pass-io $DISPOSABLE_PRINT_TEMPLATE 'sudo cp -r /etc/cups/* /rw/bind-dirs/etc/cups/'

# Create 50_user.conf file in /rw/config/qubes-bind-dirs.d/ directory and add the appropriate information for /etc/cups/ directory:
qvm-run -u root --pass-io $DISPOSABLE_PRINT_TEMPLATE "sudo echo -e binds+=\( \'/etc/cups/\' \) > /rw/config/qubes-bind-dirs.d/50_user.conf"

# If you have installed one or more certificates in order to use IPPS encrypted printing, uncomment the commands below.
#
# Make /rw/bind-dirs/ sub-directory for /etc/ssl/certs/ directory:
#
#qvm-run --pass-io $DISPOSABLE_PRINT_TEMPLATE 'sudo mkdir -p /rw/bind-dirs/etc/ssl/certs/'
#
# Make /rw/bind-dirs/ sub-directory for /usr/local/share/ca-certificates/ directory:
#
#qvm-run --pass-io $DISPOSABLE_PRINT_TEMPLATE 'sudo mkdir -p /rw/bind-dirs/usr/local/share/ca-certificates/'
#
# Copy your certificate(s) from /etc/ssl/certs/ directory into the corresponding /rw/bind-dirs/etc/ssl/certs/ directory (copy and edit this command for additional certificates):
#
#qvm-run --pass-io $DISPOSABLE_PRINT_TEMPLATE 'sudo cp -r /etc/ssl/certs/<YOUR_CERTIFICATE.pem> /rw/bind-dirs/etc/ssl/certs/'
#
# Copy your certificate(s) from /usr/local/share/ca-certificates/ directory into the corresponding /rw/bind-dirs/usr/local/share/ca-certificates/ directory (copy and edit this command for additional certificates):
#
#qvm-run --pass-io $DISPOSABLE_PRINT_TEMPLATE 'sudo cp -r /usr/local/share/ca-certificates/<YOUR_CERTIFICATE.crt> /rw/bind-dirs/usr/local/share/ca-certificates/'
#
# Edit 50_user.conf file in /rw/config/qubes-bind-dirs.d/ directory to add the appropriate information for your certificate(s) located in /etc/ssl/certs/ (copy and edit this command for additional certificates):
#
#qvm-run -u root --pass-io $DISPOSABLE_PRINT_TEMPLATE "sudo echo -e binds+=\( \'/etc/ssl/certs/<YOUR_CERTIFICATE.pem>\' \) >> /rw/config/qubes-bind-dirs.d/50_user.conf"
#
# Edit 50_user.conf file in /rw/config/qubes-bind-dirs.d/ directory to add the appropriate information for your certificate(s) located in /usr/local/share/ca-certificates/ (copy and edit this command for additional certificates):
#
#qvm-run -u root --pass-io $DISPOSABLE_PRINT_TEMPLATE "sudo echo -e binds+=\( \'/usr/local/share/ca-certificates/<YOUR_CERTIFICATE.crt>\' \) >> /rw/config/qubes-bind-dirs.d/50_user.conf"

# Shutdown disposable template:
qvm-shutdown --wait $DISPOSABLE_PRINT_TEMPLATE

# If you would like the "View In DisposableVM" feature to open the selected file in a disposable print qube, uncomment the command below. This makes printing quicker and more convenient. Simply right-click (secondary-click) any file in any qube, select the "View In DisposableVM" option, and then print the file using either a keyboard command (Ctrl+P) or other option in the program displaying the file. This feature will not work for any qubes that you have manually configured to use a different disposable qube than the system default.
# Set disposable template as default disposable template:
#qubes-prefs default_dispvm $DISPOSABLE_PRINT_TEMPLATE

# Create named-disposable service qube (useful if you would like to be able to copy multiple files into one disposable print qube).
# A DispVM must be based on a qube with template_for_dispvms=true, i.e. the disposable template created above:
qvm-create --class DispVM --template $DISPOSABLE_PRINT_TEMPLATE --prop autostart=false --prop audiovm="" --prop netvm=$NETWORK_QUBE --prop maxmem=0 --prop memory=400 --label black $DISPOSABLE_PRINT_QUBE
qvm-features $DISPOSABLE_PRINT_QUBE appmenus-dispvm 1
```
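
As an added example (not part of the original post): the firewall step in the second script only confines the print qube if the default accept rule is really gone and the list ends in a drop, so this function audits a raw rule list for exactly that. The input format (space-separated `key=value` pairs per line, as expected from `qvm-firewall <qube> list --raw`) is an assumption, and the sample rules are constructed.

```shell
#!/bin/bash
# Added example: audit the print qube's firewall rules.
# Assumption: input is one rule per line as space-separated key=value pairs,
# e.g. "action=accept dst4=10.0.0.0/24", as expected from
# `qvm-firewall <qube> list --raw`. Confirm the format on your system.

# Reads rules on stdin, prints findings, returns 0 only if nothing FAILed.
# The ( ) body runs in a subshell, so variables and `set -f` stay local.
audit_print_fw() (
    set -f                      # no globbing while splitting rule tokens
    n=0; fails=0; last=""
    while IFS= read -r line; do
        [ -z "$line" ] && continue
        last=$line
        case " $line " in
            *" action=accept "*)
                has_dst=0; has_port=0
                for tok in $line; do
                    case $tok in
                        dst4=*|dst6=*|dsthost=*|specialtarget=*) has_dst=1 ;;
                        dstports=*) has_port=1 ;;
                    esac
                done
                if [ "$has_dst" -eq 0 ]; then
                    echo "FAIL rule $n: accept without a destination: $line"
                    fails=$((fails + 1))
                elif [ "$has_port" -eq 0 ]; then
                    echo "WARN rule $n: accept not limited to a port: $line"
                fi ;;
        esac
        n=$((n + 1))
    done
    if [ "$last" != "action=drop" ]; then
        echo "FAIL: last rule is not an unconditional drop: ${last:-<none>}"
        fails=$((fails + 1))
    fi
    [ "$fails" -eq 0 ]
)

# Constructed sample: what remains if the default accept rule was not deleted.
SAMPLE='action=accept
action=accept dst4=10.0.0.0/24
action=drop'
printf '%s\n' "$SAMPLE" | audit_print_fw || echo "=> firewall rules need fixing"

# In dom0 (qube name from the script above):
#   qvm-firewall sys-print-template list --raw | audit_print_fw
```

A WARN on the `10.0.0.0/24` rule is expected with the script as posted; it only signals that the qube can reach every port on that subnet rather than just the printer's IPPS port.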