refactor: initial commit

salt/sys-rsync/README.md

@@ -0,0 +1,102 @@
+# sys-rsync
+
+Rsync over Qrexec in Qubes OS.
+
+## Table of Contents
+
+* [Description](#description)
+* [Installation](#installation)
+* [Access Control](#access-control)
+* [Usage](#usage)
+  * [Server](#server)
+  * [Client](#client)
+* [Credits](#credits)
+
+## Description
+
+Creates a Rsync server qube named "sys-rsync" to be a central document
+store to which other qubes have access. This is a simple tool that allows
+individual qubes read/write access to the store using Rsync, rather than using
+`qvm-copy` or `qvm-move`.
+
+The greatest problem with SSH is that with large file system, it can freeze
+or be very slow to navigate the directories (not so much with Qrexec as the
+connection does not go over the network) and chroots need to be configured by
+the user.
+
+## Installation
+
+- Top:
+```sh
+qubesctl top.enable sys-rsync
+qubesctl --targets=tpl-sys-rsync,sys-rsync state.apply
+qubesctl top.disable sys-rsync
+```
+
+- State:
+<!-- pkg:begin:post-install -->
+```sh
+qubesctl state.apply sys-rsync.create
+qubesctl --skip-dom0 --targets=tpl-sys-rsync state.apply sys-rsync.install
+qubesctl --skip-dom0 --targets=sys-rsync state.apply sys-rsync.configure
+```
+<!-- pkg:end:post-install -->
+
+Install on the client template:
+```sh
+qubesctl --skip-dom0 --targets=TEMPLATE state.apply sys-rsync.install-client
+```
+
+The client qube requires the Rsync forwarder service to be enabled:
+```
+qvm-features QUBE service.rsync-setup 1
+```
+
+## Access Control
+
+A `qusal.Rsync` service is created to allow use of Rsync over Qrexec. The
+default policy `asks` if you want to connect with the `sys-rsync` qube.
+
+If you want to `allow` Rsync between qubes, insert in you user policy file
+`/etc/qubes/policy.d/30-user.policy` to allow the service using the following
+format:
+```qrexecpolicy
+qusal.Rsync * SOURCE @default allow target=TARGET
+```
+
+When the client can change the data on the server, it can also possibly
+compromise the server or at least make it hold malicious files and propagate
+the malicious data with client it is connected to.
+
+## Usage
+
+### Server
+
+The default setting is to have a **read/write** store at `/home/user/shared`,
+and a **read-only** directory at `/home/user/archive`. All the usual Rsync
+configuration options are available and you can create other shared
+directories at will. Additional configuration can be made by editing `.conf`
+files in `/usr/local/etc/rsync.d/*.conf`. Because access appears to come from
+localhost, host control directives will not work.
+
+If you have more than one rsync server qube, you can use
+[bind-dirs](https://www.qubes-os.org/doc/bind-dirs/) to change the available
+folders on each server qube.
+
+### Client
+
+The Rsync connection is available with the socket `localhost:1839`.
+
+Rsync the server `shared` read/write directory:
+```sh
+rsync --port=1839 localhost::shared /LOCAL/PATH/TO/RSYNC
+```
+
+Rsync the server `archive` read-only directory:
+```sh
+rsync --port=1839 localhost::archive /LOCAL/PATH/TO/RSYNC
+```
+
+## Credits
+
+- [Unman](https://github.com/unman/qubes-sync)

salt/sys-rsync/clone.sls

@@ -0,0 +1,8 @@
+{#
+SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
+
+SPDX-License-Identifier: AGPL-3.0-or-later
+#}
+
+{% from 'utils/macros/clone-template.sls' import clone_template -%}
+{{ clone_template('debian-minimal', sls_path) }}

salt/sys-rsync/clone.top

@@ -0,0 +1,10 @@
+{#
+SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
+
+SPDX-License-Identifier: AGPL-3.0-or-later
+#}
+
+base:
+  'dom0':
+    - match: nodegroup
+    - sys-rsync.clone

salt/sys-rsync/configure.sls

@@ -0,0 +1,38 @@
+{#
+SPDX-FileCopyrightText: 2022 unman <unman@thirdeyesecurity.com>
+SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
+
+SPDX-License-Identifier: AGPL-3.0-or-later
+#}
+
+include:
+  - dev.home-cleanup
+
+"{{ slsdotpath }}-start-rsync-on-boot":
+  file.append:
+    - name: /rw/config/rc.local
+    - source: salt://{{ slsdotpath }}/files/server/rc.local
+
+"{{ slsdotpath }}-creates-local-rsync-configuration-dir":
+  file.directory:
+    - name: /usr/local/etc/rsync.d
+    - mode: '0755'
+    - user: root
+    - group: root
+    - makedirs: True
+
+"{{ slsdotpath }}-creates-archive-dir":
+  file.directory:
+    - name: /home/user/archive
+    - mode: '0777'
+    - user: user
+    - group: user
+    - makedirs: True
+
+"{{ slsdotpath }}-creates-shared-dir":
+  file.directory:
+    - name: /home/user/shared
+    - mode: '0777'
+    - user: user
+    - group: user
+    - makedirs: True

salt/sys-rsync/configure.top

@@ -0,0 +1,9 @@
+{#
+SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
+
+SPDX-License-Identifier: AGPL-3.0-or-later
+#}
+
+base:
+  'sys-rsync':
+    - sys-rsync.configure

salt/sys-rsync/create.sls

@@ -0,0 +1,48 @@
+{#
+SPDX-FileCopyrightText: 2022 unman <unman@thirdeyesecurity.com>
+SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
+
+SPDX-License-Identifier: AGPL-3.0-or-later
+#}
+
+{%- from "qvm/template.jinja" import load -%}
+
+include:
+  - .clone
+
+{% load_yaml as defaults -%}
+name: {{ slsdotpath }}
+force: True
+require:
+- sls: {{ slsdotpath }}.clone
+present:
+- template: tpl-{{ slsdotpath }}
+- label: yellow
+prefs:
+- template: tpl-{{ slsdotpath }}
+- label: yellow
+- netvm: ""
+- vcpus: 1
+- memory: 300
+- maxmem: 600
+- autostart: False
+- include_in_backups: True
+features:
+- enable:
+  - servicevm
+- disable:
+  - service.cups
+  - service.cups-browsed
+- set:
+  - menu-items: "qubes-run-terminal.desktop qubes-start.desktop"
+{%- endload %}
+{{ load(defaults) }}
+
+"{{ slsdotpath }}-resize-private-volume":
+  cmd.run:
+    - name: qvm-volume extend {{ slsdotpath }}:private 40Gi
+    - require:
+      - qvm: {{ slsdotpath }}
+
+{% from 'utils/macros/policy.sls' import policy_set with context -%}
+{{ policy_set(sls_path, '80') }}

salt/sys-rsync/create.top

@@ -0,0 +1,10 @@
+{#
+SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
+
+SPDX-License-Identifier: AGPL-3.0-or-later
+#}
+
+base:
+  'dom0':
+    - match: nodegroup
+    - sys-rsync.create

salt/sys-rsync/files/admin/policy/default.policy

@@ -0,0 +1,9 @@
+# SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+## Do not modify this file, create a new policy with with a lower number in the
+## file name instead. For example `30-user.policy`.
+qusal.Rsync * @anyvm @default ask target={{ sls_path }} default_target={{ sls_path }}
+qusal.Rsync * @anyvm @anyvm   deny
+## vim:ft=qrexecpolicy

salt/sys-rsync/files/client/systemd/qubes-rsync-forwarder.socket

@@ -0,0 +1,15 @@
+# SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+[Unit]
+Description=Forward connection to Rsync over Qrexec
+ConditionPathExists=/var/run/qubes-service/rsync-setup
+
+[Socket]
+ListenStream=127.0.0.1:839
+BindToDevice=lo
+Accept=true
+
+[Install]
+WantedBy=multi-user.target

salt/sys-rsync/files/client/systemd/qubes-rsync-forwarder@.service

@@ -0,0 +1,11 @@
+# SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+[Unit]
+Description=Forward connection to Rsync over Qrexec
+
+[Service]
+ExecStart=/usr/bin/qrexec-client-vm @default qusal.Rsync
+StandardInput=socket
+StandardOutput=inherit

salt/sys-rsync/files/server/rc.local

@@ -0,0 +1,2 @@
+systemctl unmask rsync
+systemctl --no-block restart rsync

salt/sys-rsync/files/server/rpc/qusal.Rsync

@@ -0,0 +1,9 @@
+#!/bin/sh
+
+# SPDX-FileCopyrightText: 2022 unman <unman@thirdeyesecurity.com>
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+set -eu
+
+exec socat STDIO TCP:localhost:873

salt/sys-rsync/files/server/rsync/rsyncd.conf

@@ -0,0 +1,36 @@
+# rsyncd.conf configuration file
+# vim: ft=toml
+
+# SPDX-FileCopyrightText: 2020 unman <unman@thirdeyesecurity.com>
+# SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+# GLOBAL OPTIONS
+
+#motd file=/etc/motd
+#log file=/var/log/rsyncd
+# for pid file, do not use /var/run/rsync.pid if you are going to run rsync out
+# of the init.d script. The init.d script does its own pid file handling, so
+# omit the "pid file" line completely in that case.
+# pid file=/var/run/rsyncd.pid
+#syslog facility=daemon
+#socket options=
+
+port = 873
+
+&merge   /usr/local/etc/rsync.d
+&include /usr/local/etc/rsync.d
+
+
+# MODULE OPTIONS
+
+[shared]
+path = /home/user/shared
+comment = Shared read and write area
+read only = no
+
+[archive]
+path = /home/user/archive
+comment =  Shared read-only area
+read only = yes

salt/sys-rsync/init.top

@@ -0,0 +1,14 @@
+{#
+SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
+
+SPDX-License-Identifier: AGPL-3.0-or-later
+#}
+
+base:
+  'dom0':
+    - match: nodegroup
+    - sys-rsync.create
+  'tpl-sys-rsync':
+    - sys-rsync.install
+  'sys-rsync':
+    - sys-rsync.configure

salt/sys-rsync/install-client.sls

@@ -0,0 +1,36 @@
+{#
+SPDX-FileCopyrightText: 2022 unman <unman@thirdeyesecurity.com>
+SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
+
+SPDX-License-Identifier: AGPL-3.0-or-later
+#}
+
+{% if grains['nodename'] != 'dom0' -%}
+
+"{{ slsdotpath }}-updated-client":
+  pkg.uptodate:
+    - refresh: True
+
+"{{ slsdotpath }}-installed-client":
+  pkg.installed:
+    - refresh: True
+    - install_recommends: False
+    - skip_suggestions: True
+    - pkgs:
+      - rsync
+
+"{{ slsdotpath }}-client-systemd":
+  file.recurse:
+    - name: /usr/lib/systemd/system/
+    - source: salt://{{ slsdotpath }}/files/client/systemd/
+    - dir_mode: '0755'
+    - file_mode: '0644'
+    - user: root
+    - group: root
+    - makedirs: True
+
+"{{ slsdotpath }}-client-systemd-start-qubes-rsync-forwarder.socket":
+  service.enabled:
+    - name: qubes-rsync-forwarder.socket
+
+{% endif -%}

salt/sys-rsync/install-client.top

@@ -0,0 +1,9 @@
+{#
+SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
+
+SPDX-License-Identifier: AGPL-3.0-or-later
+#}
+
+base:
+  '*':
+    - sys-rsync.install-client

salt/sys-rsync/install.sls

@@ -0,0 +1,54 @@
+{#
+SPDX-FileCopyrightText: 2022 unman <unman@thirdeyesecurity.com>
+SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
+
+SPDX-License-Identifier: AGPL-3.0-or-later
+#}
+
+{% if grains['nodename'] != 'dom0' -%}
+
+"{{ slsdotpath }}-updated":
+  pkg.uptodate:
+    - refresh: True
+
+"{{ slsdotpath }}-installed":
+  pkg.installed:
+    - refresh: True
+    - install_recommends: False
+    - skip_suggestions: True
+    - pkgs:
+      - rsync
+      - socat
+
+"{{ slsdotpath }}-stop-rsync":
+  service.dead:
+    - name: rsync
+
+"{{ slsdotpath }}-disable-rsync":
+  service.disabled:
+    - name: rsync
+
+"{{ slsdotpath }}-mask-rsync":
+  service.masked:
+    - name: rsync
+
+"{{ slsdotpath }}-set-rsyncd.conf":
+  file.managed:
+    - name: /etc/rsyncd.conf
+    - source: salt://{{ slsdotpath }}/files/server/rsync/rsyncd.conf
+    - mode: '0755'
+    - user: root
+    - group: root
+    - makedirs: True
+
+"{{ slsdotpath }}-set-rpc-services":
+  file.recurse:
+    - name: /etc/qubes-rpc/
+    - source: salt://{{ slsdotpath }}/files/server/rpc/
+    - dir_mode: '0755'
+    - file_mode: '0755'
+    - user: root
+    - group: root
+    - makedirs: True
+
+{% endif -%}

salt/sys-rsync/install.top

@@ -0,0 +1,9 @@
+{#
+SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
+
+SPDX-License-Identifier: AGPL-3.0-or-later
+#}
+
+base:
+  'tpl-sys-rsync':
+  - sys-rsync.install