qusal/salt/dev/README.md

83 lines
2.6 KiB
Markdown
Raw Normal View History

2023-11-13 09:33:28 -05:00
# dev
Development environment in Qubes OS.
## Table of Contents
* [Description](#description)
* [Installation](#installation)
* [Access Control](#access-control)
2023-11-13 09:33:28 -05:00
* [Usage](#usage)
## Description
Setup a development qube named "dev". Defines the user interactive shell,
installing goodies, applying dotfiles, being client of sys-pgp, sys-git and
2024-06-14 01:42:18 -04:00
sys-ssh-agent. The qube has netvm but can reach remote servers if the policy
allows.
2023-11-13 09:33:28 -05:00
## Installation
- Top
```sh
sudo qubesctl top.enable dev
sudo qubesctl --targets=tpl-dev,dvm-dev,dev state.apply
sudo qubesctl top.disable dev
proxy_target="$(qusal-report-updatevm-origin)"
if test -n "${proxy_target}"; then
sudo qubesctl --skip-dom0 --targets="${proxy_target}" state.apply sys-net.install-proxy
fi
2023-11-13 09:33:28 -05:00
```
- State
<!-- pkg:begin:post-install -->
```sh
sudo qubesctl state.apply dev.create
sudo qubesctl --skip-dom0 --targets=tpl-dev state.apply dev.install
sudo qubesctl --skip-dom0 --targets=dvm-dev state.apply dev.configure-dvm
sudo qubesctl --skip-dom0 --targets=dev state.apply dev.configure
proxy_target="$(qusal-report-updatevm-origin)"
if test -n "${proxy_target}"; then
sudo qubesctl --skip-dom0 --targets="${proxy_target}" state.apply sys-net.install-proxy
fi
2023-11-13 09:33:28 -05:00
```
<!-- pkg:end:post-install -->
The installation will make the Qusal TCP Proxy available in the `updatevm`
(after it is restarted in case it is template based). If you want to have the
proxy available on a `netvm` that is not deployed by Qusal, install the Qusal
TCP proxy on the templates of your `netvm`:
```sh
sudo qubesctl --skip-dom0 --targets=TEMPLATE state.apply sys-net.install-proxy
```
Remember to restart the `netvms` after the proxy installation for the changes
to take effect.
## Access Control
_Default policy_: `denies` `all` qubes from calling `qusal.ConnectTCP`
Allow qube `dev` to `connect` to `github.com:22` via `disp-sys-net` but not to
any other host or via any other qube:
```qrexecpolicy
qusal.ConnectTCP +github.com+22 dev @default allow target=disp-sys-net
qusal.ConnectTCP * dev @anyvm deny
```
2023-11-13 09:33:28 -05:00
## Usage
The development qube `dev` can be used for:
- code development;
- building programs;
- signing commits, tags, pushes and verifying with split-gpg;
- fetching and pushing to and from local qube repository with split-git; and
2024-06-14 01:42:18 -04:00
- fetching and pushing to and from remote repository with split-ssh-agent and
without direct network connection, you can open port to the desired SSH or
HTTP server.
As the `dev` qube has no netvm, configure the Qrexec policy to allow or ask
calls to the `qusal.ConnectTCP` RPC service, so the qube can communicate with
a remote repository for example.