refactor: initial commit

2025-07-25 07:25:27 -04:00 · 2023-11-13 14:33:28 +00:00 · 2023-11-13 14:33:28 +00:00 · 5eebd789ed
commit 5eebd789ed
591 changed files with 18598 additions and 0 deletions
--- a/salt/sys-ssh/README.md
+++ b/salt/sys-ssh/README.md
@ -0,0 +1,96 @@
+# sys-ssh
+
+SSH over Qrexec in Qubes OS.
+
+## Table of Contents
+
+* [Description](#description)
+* [Installation](#installation)
+* [Access Control](#access-control)
+* [Usage](#usage)
+  * [Server](#server)
+  * [Client](#client)
+* [Credits](#credits)
+
+## Description
+
+Creates a SSH server qube named "sys-ssh" to be a central document
+store to which other qubes have access with SSH File Transfer Protocol, using
+the tool sshfs. This is a simple tool that allows individual qubes to mount a
+another qube's filesystem rather than using `qvm-copy` or `qvm-move`.
+
+The greatest problem with the Rsync solution is that it makes copies of the
+files or directories. This may be fine with a small amount of data, but with
+large files, or large numbers of files, there's a significant overhead. SSH
+File Transfer Protocol provides a way for clients to access files on the
+server qube directly.
+
+## Installation
+
+- Top:
+```sh
+qubesctl top.enable sys-ssh
+qubesctl --targets=tpl-sys-ssh,sys-ssh state.apply
+qubesctl top.disable sys-ssh
+```
+
+- State:
+<!-- pkg:begin:post-install -->
+```sh
+qubesctl state.apply sys-ssh.create
+qubesctl --skip-dom0 --targets=tpl-sys-ssh state.apply sys-ssh.install
+qubesctl --skip-dom0 --targets=sys-ssh state.apply sys-ssh.configure
+```
+<!-- pkg:end:post-install -->
+
+Install on the client template:
+```sh
+qubesctl --skip-dom0 --targets=TEMPLATE state.apply sys-ssh.install-client
+```
+
+The client qube requires the SSH forwarder service to be enabled:
+```
+qvm-features QUBE service.ssh-setup 1
+```
+
+## Access Control
+
+A `qusal.Ssh` service is created to allow use of SSH over Qrexec. The default
+policy `asks` if you want to connect with the `sys-ssh` qube.
+
+If you want to `allow` SSH between qubes, insert in you user policy
+file `/etc/qubes/policy.d/30-user.policy` to allow the service using the
+following format:
+```qrexecpolicy
+qusal.Ssh   * SOURCE @default allow target=TARGET
+```
+
+When the client can change the data on the server, it can also possibly
+compromise the server or at least make it hold malicious files and propagate
+the malicious data with clients it is connected to.
+
+## Usage
+
+### Server
+
+It is possible to constrain access to files on the server, using (e.g) SSH
+chroots and access control mechanisms. This is left for the user to configure.
+
+Passwordless login through empty passwords are allowed when the host matches
+127.0.0.1, it makes no sense to restrict the access if the Qrexec call was
+already permitted.
+
+### Client
+
+The SSH connection is available with the socket `localhost:1840`.
+
+From the client, mount the server `/home/user` directory as a SSH File System
+in the client `/home/user/sshfs` directory:
+```sh
+mkdir ~/sshfs
+sshfs -p 1840 localhost:/home/user /home/user/sshfs
+```
+
+## Credits
+
+- [Unman](https://github.com/unman/qubes-sync)
--- a/salt/sys-ssh/clone.sls
+++ b/salt/sys-ssh/clone.sls
@ -0,0 +1,8 @@
+{#
+SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
+
+SPDX-License-Identifier: AGPL-3.0-or-later
+#}
+
+{% from 'utils/macros/clone-template.sls' import clone_template -%}
+{{ clone_template('debian-minimal', sls_path) }}
--- a/salt/sys-ssh/clone.top
+++ b/salt/sys-ssh/clone.top
@ -0,0 +1,10 @@
+{#
+SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
+
+SPDX-License-Identifier: AGPL-3.0-or-later
+#}
+
+base:
+  'dom0':
+    - match: nodegroup
+    - sys-ssh.clone
--- a/salt/sys-ssh/configure.sls
+++ b/salt/sys-ssh/configure.sls
@ -0,0 +1,26 @@
+{#
+SPDX-FileCopyrightText: 2022 unman <unman@thirdeyesecurity.com>
+SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
+
+SPDX-License-Identifier: AGPL-3.0-or-later
+#}
+
+{% if grains['nodename'] != 'dom0' -%}
+
+include:
+  - dev.home-cleanup
+
+"{{ slsdotpath }}-start-ssh-on-boot":
+  file.append:
+    - name: /rw/config/rc.local
+    - source: salt://{{ slsdotpath }}/files/server/rc.local
+
+"{{ slsdotpath }}-creates-home-ssh-dir":
+  file.directory:
+    - name: /home/user/.ssh
+    - mode: '0700'
+    - user: user
+    - group: user
+    - makedirs: True
+
+{% endif -%}
--- a/salt/sys-ssh/configure.top
+++ b/salt/sys-ssh/configure.top
@ -0,0 +1,9 @@
+{#
+SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
+
+SPDX-License-Identifier: AGPL-3.0-or-later
+#}
+
+base:
+  'sys-ssh':
+    - sys-ssh.configure
--- a/salt/sys-ssh/create.sls
+++ b/salt/sys-ssh/create.sls
@ -0,0 +1,48 @@
+{#
+SPDX-FileCopyrightText: 2022 unman <unman@thirdeyesecurity.com>
+SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
+
+SPDX-License-Identifier: AGPL-3.0-or-later
+#}
+
+{%- from "qvm/template.jinja" import load -%}
+
+include:
+  - .clone
+
+{% load_yaml as defaults -%}
+name: {{ slsdotpath }}
+force: True
+require:
+- sls: {{ slsdotpath }}.clone
+present:
+- template: tpl-{{ slsdotpath }}
+- label: yellow
+prefs:
+- template: tpl-{{ slsdotpath }}
+- label: yellow
+- netvm: ""
+- vcpus: 1
+- memory: 300
+- maxmem: 600
+- autostart: False
+- include_in_backups: True
+features:
+- enable:
+  - servicevm
+- disable:
+  - service.cups
+  - service.cups-browsed
+- set:
+  - menu-items: "qubes-run-terminal.desktop qubes-start.desktop"
+{%- endload %}
+{{ load(defaults) }}
+
+"{{ slsdotpath }}-resize-private-volume":
+  cmd.run:
+    - name: qvm-volume extend {{ slsdotpath }}:private 40Gi
+    - require:
+      - qvm: {{ slsdotpath }}
+
+{% from 'utils/macros/policy.sls' import policy_set with context -%}
+{{ policy_set(sls_path, '80') }}
--- a/salt/sys-ssh/create.top
+++ b/salt/sys-ssh/create.top
@ -0,0 +1,10 @@
+{#
+SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
+
+SPDX-License-Identifier: AGPL-3.0-or-later
+#}
+
+base:
+  'dom0':
+    - match: nodegroup
+    - sys-ssh.create
--- a/salt/sys-ssh/files/admin/policy/default.policy
+++ b/salt/sys-ssh/files/admin/policy/default.policy
@ -0,0 +1,9 @@
+# SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+## Do not modify this file, create a new policy with with a lower number in the
+## file name instead. For example `30-user.policy`.
+qusal.Ssh * @anyvm @default ask target={{ sls_path }} default_target={{ sls_path }}
+qusal.Ssh * @anyvm @anyvm   deny
+## vim:ft=qrexecpolicy
--- a/salt/sys-ssh/files/client/systemd/qubes-ssh-forwarder.socket
+++ b/salt/sys-ssh/files/client/systemd/qubes-ssh-forwarder.socket
@ -0,0 +1,15 @@
+# SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+[Unit]
+Description=Forward connection to SSH over Qrexec
+ConditionPathExists=/var/run/qubes-service/ssh-setup
+
+[Socket]
+ListenStream=127.0.0.1:840
+BindToDevice=lo
+Accept=true
+
+[Install]
+WantedBy=multi-user.target
--- a/salt/sys-ssh/files/client/systemd/qubes-ssh-forwarder@.service
+++ b/salt/sys-ssh/files/client/systemd/qubes-ssh-forwarder@.service
@ -0,0 +1,11 @@
+# SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+[Unit]
+Description=Forward connection to SSH over Qrexec
+
+[Service]
+ExecStart=/usr/bin/qrexec-client-vm @default qusal.Ssh
+StandardInput=socket
+StandardOutput=inherit
--- a/salt/sys-ssh/files/server/rc.local
+++ b/salt/sys-ssh/files/server/rc.local
@ -0,0 +1,2 @@
+systemctl unmask ssh
+systemctl --no-block restart ssh
--- a/salt/sys-ssh/files/server/rpc/qusal.Ssh
+++ b/salt/sys-ssh/files/server/rpc/qusal.Ssh
@ -0,0 +1,9 @@
+#!/bin/sh
+
+# SPDX-FileCopyrightText: 2022 unman <unman@thirdeyesecurity.com>
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+set -eu
+
+exec socat STDIO TCP:localhost:22
--- a/salt/sys-ssh/files/server/sshd_config.d/sys-ssh.conf
+++ b/salt/sys-ssh/files/server/sshd_config.d/sys-ssh.conf
@ -0,0 +1,9 @@
+# vim: ft=sshdconfig
+
+# SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+Match User user Host 127.0.0.1
+      PermitEmptyPasswords yes
+      AuthenticationMethods none
--- a/salt/sys-ssh/init.top
+++ b/salt/sys-ssh/init.top
@ -0,0 +1,14 @@
+{#
+SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
+
+SPDX-License-Identifier: AGPL-3.0-or-later
+#}
+
+base:
+  'dom0':
+    - match: nodegroup
+    - sys-ssh.create
+  'tpl-sys-ssh':
+    - sys-ssh.install
+  'sys-ssh':
+    - sys-ssh.configure
--- a/salt/sys-ssh/install-client.sls
+++ b/salt/sys-ssh/install-client.sls
@ -0,0 +1,47 @@
+{#
+SPDX-FileCopyrightText: 2022 unman <unman@thirdeyesecurity.com>
+SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
+
+SPDX-License-Identifier: AGPL-3.0-or-later
+#}
+
+{% if grains['nodename'] != 'dom0' -%}
+
+include:
+  - sys-ssh-agent.install-client
+
+"{{ slsdotpath }}-updated-client":
+  pkg.uptodate:
+    - refresh: True
+
+{% set pkg = {
+    'Debian': {
+      'pkg': ['sshfs'],
+    },
+    'RedHat': {
+      'pkg': ['fuse-sshfs'],
+    },
+}.get(grains.os_family) -%}
+
+"{{ slsdotpath }}-installed-client-os-specific":
+  pkg.installed:
+    - refresh: True
+    - install_recommends: False
+    - skip_suggestions: True
+    - pkgs: {{ pkg.pkg|sequence|yaml }}
+
+"{{ slsdotpath }}-client-systemd":
+  file.recurse:
+    - name: /usr/lib/systemd/system/
+    - source: salt://{{ slsdotpath }}/files/client/systemd/
+    - dir_mode: '0755'
+    - file_mode: '0644'
+    - user: root
+    - group: root
+    - makedirs: True
+
+"{{ slsdotpath }}-client-systemd-start-qubes-ssh-forwarder.socket":
+  service.enabled:
+    - name: qubes-ssh-forwarder.socket
+
+{% endif -%}
--- a/salt/sys-ssh/install-client.top
+++ b/salt/sys-ssh/install-client.top
@ -0,0 +1,9 @@
+{#
+SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
+
+SPDX-License-Identifier: AGPL-3.0-or-later
+#}
+
+base:
+  '*':
+    - sys-ssh.install-client
--- a/salt/sys-ssh/install.sls
+++ b/salt/sys-ssh/install.sls
@ -0,0 +1,54 @@
+{#
+SPDX-FileCopyrightText: 2022 unman <unman@thirdeyesecurity.com>
+SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
+
+SPDX-License-Identifier: AGPL-3.0-or-later
+#}
+
+{% if grains['nodename'] != 'dom0' -%}
+
+"{{ slsdotpath }}-updated":
+  pkg.uptodate:
+    - refresh: True
+
+"{{ slsdotpath }}-installed":
+  pkg.installed:
+    - refresh: True
+    - install_recommends: False
+    - skip_suggestions: True
+    - pkgs:
+      - openssh-server
+      - socat
+
+"{{ slsdotpath }}-stop-ssh":
+  service.dead:
+    - name: ssh
+
+"{{ slsdotpath }}-disable-ssh":
+  service.disabled:
+    - name: ssh
+
+"{{ slsdotpath }}-mask-ssh":
+  service.masked:
+    - name: ssh
+
+"{{ slsdotpath }}-set-rpc-services":
+  file.recurse:
+    - name: /etc/qubes-rpc/
+    - source: salt://{{ slsdotpath }}/files/server/rpc/
+    - dir_mode: '0755'
+    - file_mode: '0755'
+    - user: root
+    - group: root
+    - makedirs: True
+
+"{{ slsdotpath }}-sshd-config":
+  file.managed:
+    - name: /etc/ssh/sshd_config.d/{{ slsdotpath }}.conf
+    - source: salt://{{ slsdotpath }}/files/server/ssh_config.d/{{ slsdotpath }}.conf
+    - mode: '0755'
+    - user: root
+    - group: root
+    - makedirs: True
+
+{% endif -%}
--- a/salt/sys-ssh/install.top
+++ b/salt/sys-ssh/install.top
@ -0,0 +1,9 @@
+{#
+SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
+
+SPDX-License-Identifier: AGPL-3.0-or-later
+#}
+
+base:
+  'tpl-sys-ssh':
+  - sys-ssh.install