qusal/salt/sys-gui-vnc/README.md

# sys-gui-vnc

VNC GUI domain in Qubes OS.

## Table of Contents

*   [Description](#description)
*   [Installation](#installation)
*   [Uninstallation](#uninstallation)
*   [Usage](#usage)

## Description

Setup a VNC GUI domain named "sys-gui-vnc". The qube spawns a VNC server and
you can connect from other qubes to it. It is primarily intended for remote
administration.

## Installation

WARNING: [unfinished formula](../../docs/TROUBLESHOOT.md#no-support-for-unfinished-formulas).

*   Top:

```sh
sudo qubesctl top.enable qvm.sys-gui pillar=True
sudo qubesctl top.enable sys-gui-vnc
sudo qubesctl --targets=tpl-sys-gui,sys-gui-vnc state.apply
sudo qubesctl top.disable sys-gui-vnc
sudo qubesctl state.apply sys-gui-vnc.prefs
```

*   State:

<!-- pkg:begin:post-install -->

```sh
sudo qubesctl top.enable qvm.sys-gui pillar=True
sudo qubesctl state.apply sys-gui-vnc.create
sudo qubesctl --skip-dom0 --targets=tpl-sys-gui state.apply sys-gui-vnc.install
sudo qubesctl --skip-dom0 --targets=sys-gui-vnc state.apply sys-gui-vnc.configure
sudo qubesctl state.apply sys-gui-vnc.prefs
```

<!-- pkg:end:post-install -->

Shutdown all your running qubes as the global property `default_guivm` has
changed to `sys-gui-vnc`.

## Access control

_Default policy_: `any qube` is `denied` to connected to any other qube.

Allow qube `sys-remote` to connect `sys-gui-vnc` on port `5900`:

```qrexecpolicy
qubes.ConnectTCP +5900 sys-remote @default allow target=sys-gui-vnc
qubes.ConnectTCP *     sys-remote @anyvm   deny
```

## Usage

Qubes that have their `guivm` preference set to `sys-gui-vnc`, will use it as
the GUI domain.

It unnecessary to have a `netvm` set for the VNC client qube for testing, but
it is necessary to make the VNC server accessible from remote computers. If
you plan to expose `sys-gui-vnc` to the network, it must have another
authenticated transport such as a `VPN` or `VNC over SSH`.

From a trusted qube that has a VNC client installed, such as
[remmina](../remmina/README.md), bind the port `6000` to the port `5900`
listening on `sys-gui-vnc`:

```sh
qvm-connnect-tcp 6000::5900
```

On the VNC client application, set connection protocol to `VNC` and host to
`127.0.0.1:6000`.

The login credentials are the same used in `dom0`, the first user in the
`qubes` group and the corresponding password.

## Uninstallation

Set Global preference `default_guivm` to `dom0` and disable `autostart` of
`sys-gui-vnc`:

```sh
sudo qubesctl state.apply sys-gui-vnc.cancel
```

You must also revert exposing the VNC server to other qubes and remote hosts:

*   Delete or deny calls to Qrexec policy rules allowing qubes to connect with
    `qubes.ConnectTCP` to `sys-gui-vnc`; and
*   Close firewall ports and disable services that expose the VNC client qube
    to external hosts.
fix: sys-gui-vnc and sys-gui-gpu titles 2024-09-25 14:14:24 -04:00			`# sys-gui-vnc`
feat: add GUI domain formula For: https://github.com/ben-grande/qusal/issues/89 2024-07-18 09:09:02 -04:00
			`VNC GUI domain in Qubes OS.`

			`## Table of Contents`

			`* [Description](#description)`
			`* [Installation](#installation)`
			`* [Uninstallation](#uninstallation)`
			`* [Usage](#usage)`

			`## Description`

			`Setup a VNC GUI domain named "sys-gui-vnc". The qube spawns a VNC server and`
			`you can connect from other qubes to it. It is primarily intended for remote`
			`administration.`

			`## Installation`

			`WARNING: [unfinished formula](../../docs/TROUBLESHOOT.md#no-support-for-unfinished-formulas).`

			`* Top:`

			```sh
			`sudo qubesctl top.enable qvm.sys-gui pillar=True`
			`sudo qubesctl top.enable sys-gui-vnc`
			`sudo qubesctl --targets=tpl-sys-gui,sys-gui-vnc state.apply`
			`sudo qubesctl top.disable sys-gui-vnc`
			`sudo qubesctl state.apply sys-gui-vnc.prefs`
			```

			`* State:`

			`<!-- pkg:begin:post-install -->`

			```sh
			`sudo qubesctl top.enable qvm.sys-gui pillar=True`
			`sudo qubesctl state.apply sys-gui-vnc.create`
			`sudo qubesctl --skip-dom0 --targets=tpl-sys-gui state.apply sys-gui-vnc.install`
			`sudo qubesctl --skip-dom0 --targets=sys-gui-vnc state.apply sys-gui-vnc.configure`
			`sudo qubesctl state.apply sys-gui-vnc.prefs`
			```

			`<!-- pkg:end:post-install -->`

			Shutdown all your running qubes as the global property `default_guivm` has
			changed to `sys-gui-vnc`.

			`## Access control`

			_Default policy_: `any qube` is `denied` to connected to any other qube.

			Allow qube `sys-remote` to connect `sys-gui-vnc` on port `5900`:

			```qrexecpolicy
			`qubes.ConnectTCP +5900 sys-remote @default allow target=sys-gui-vnc`
			`qubes.ConnectTCP * sys-remote @anyvm deny`
			```

			`## Usage`

			Qubes that have their `guivm` preference set to `sys-gui-vnc`, will use it as
			`the GUI domain.`

			It unnecessary to have a `netvm` set for the VNC client qube for testing, but
			`it is necessary to make the VNC server accessible from remote computers. If`
			you plan to expose `sys-gui-vnc` to the network, it must have another
			authenticated transport such as a `VPN` or `VNC over SSH`.

			`From a trusted qube that has a VNC client installed, such as`
			[remmina](../remmina/README.md), bind the port `6000` to the port `5900`
			listening on `sys-gui-vnc`:

			```sh
			`qvm-connnect-tcp 6000::5900`
			```

			On the VNC client application, set connection protocol to `VNC` and host to
			`127.0.0.1:6000`.

			The login credentials are the same used in `dom0`, the first user in the
			`qubes` group and the corresponding password.

			`## Uninstallation`

			Set Global preference `default_guivm` to `dom0` and disable `autostart` of
			`sys-gui-vnc`:

			```sh
			`sudo qubesctl state.apply sys-gui-vnc.cancel`
			```

			`You must also revert exposing the VNC server to other qubes and remote hosts:`

			`* Delete or deny calls to Qrexec policy rules allowing qubes to connect with`
			`qubes.ConnectTCP` to `sys-gui-vnc`; and
			`* Close firewall ports and disable services that expose the VNC client qube`
			`to external hosts.`