feat: apply URI changes in qube

Very useful for template based qubes to uninstall the cacher definition
to reach remote repository definitions with direct connection.

https://github.com/ben-grande/qusal/issues/31

salt/sys-cacher/README.md

@@ -10,6 +10,7 @@ Caching proxy server for software repositories in Qubes OS.
   * [Report Page and Maintenance Tasks](#report-page-and-maintenance-tasks)
   * [Connect to the cacher via IP instead of Qrexec](#connect-to-the-cacher-via-ip-instead-of-qrexec)
   * [Non-TemplateVMs integration](#non-templatevms-integration)
+  * [Rewrite URIs inside the qube](#rewrite-uris-inside-the-qube)
 * [Uninstallation](#uninstallation)
 * [Credits](#credits)
 
@@ -87,11 +88,11 @@ browser is compromised, it can compromise the server.
 Because the `sys-cacher` qube is listening on port `8082`, you can use it from
 non-template qubes and qubes that do not have a working Qrexec. Use the native
 configuration to set the update proxy using the IP address of `sys-cacher` by
-setting the cacher as the netvm of the client qube.
+setting `sys-cacher` as the netvm of the client qube.
 
 ### Non-TemplateVMs integration
 
-**Attention**: this method will allow for a client qube to bypass the qubes
+**Attention**: this method will allow a client qube to bypass the qubes
 firewall and connect to a remote via the updates proxy.
 
 By default, only templates will use the proxy to update, if you want to cache
@@ -105,7 +106,7 @@ qvm-features QUBE service.updates-proxy-setup 1
 Don't forget to restart the qube.
 
 If you don't want or can't restart the qube, such as DispVMs, where you would
-lose you session, run the same commands as above plus the following inside the
+lose the current session, run the above commands plus the following inside the
 qube:
 ```sh
 sudo touch /var/run/qubes-service/updates-proxy-setup
@@ -113,6 +114,18 @@ sudo /usr/lib/qubes/update-proxy-configs
 sudo systemctl restart qubes-updates-proxy-forwarder.socket
 ```
 
+### Rewrite URIs inside the qube
+
+Sometimes you may want to enable of disable the cacher definition, mostly when
+you are using an AppVM based on a TemplateVM that uses `sys-cacher`, but the
+AppVM should make a direct connection instead of going through the proxy for
+updates.
+
+Use `uninstall` or `install` as argument to the command `apt-cacher-ng-repo`:
+```sh
+sudo apt-cacher-ng-repo uninstal
+```
+
 ## Uninstallation
 
 - Top:

salt/sys-cacher/files/client/bin/apt-cacher-ng-repo

@@ -0,0 +1,106 @@
+#!/bin/sh
+
+# SPDX-FileCopyrightText: 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com>
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+set -eu
+
+changes_file="$(mktemp)"
+trap 'rm -f "${changes_file}"' HUP INT QUIT ABRT EXIT
+
+rewrite_repo(){
+  test -n "${2}" || return 1
+  test -f "${repo}" || return 0
+  test -r "${repo}" || return 0
+  test -w "${repo}" || return 0
+  sed -i "s|${1}|${2}|w ${changes_file}" "${repo}"
+}
+
+usage(){
+  echo "Usage: ${0##*/} [install|uninstall]"
+  exit 1
+}
+
+case "${1-}" in
+  install|uninstall) action="${1}";;
+  *) usage;;
+esac
+action="${1}"
+
+if test -e /etc/fedora-release; then
+  ## Fedora
+  for repo in /etc/yum.repos.d/*.repo; do
+    case "${action}" in
+      install)
+        rewrite_repo "baseurl\s*=\s*https://" "baseurl=http://HTTPS///"
+        rewrite_repo "metalink\s*=\s*https://" "metalink=http://HTTPS///"
+        ;;
+      uninstall)
+        rewrite_repo "baseurl\s*=\s*http://HTTPS///" "baseurl=https://"
+        rewrite_repo "metalink\s*=\s*http://HTTPS///" "metalink=https://"
+        ;;
+      esac
+  done
+  for repo in /etc/yum.repos.d/rpmfusion*.repo; do
+    case "${action}" in
+      install)
+        rewrite_repo "^\s*#.*baseurl" "baseurl"
+        rewrite_repo "^\s*metalink\s*=\s*" "#metalink="
+        ;;
+      uninstall)
+        rewrite_repo "^\s*baseurl" "#baseurl"
+        rewrite_repo "^\s*#.*metalink\s*=" "metalink="
+        ;;
+    esac
+  done
+
+elif test -e /etc/debian_version && test ! -e /usr/share/whonix/marker; then
+  ## Debian but not Whonix.
+  for repo in \
+    /etc/apt/sources.list \
+    /etc/apt/sources.list.d/*.list \
+    /etc/apt/sources.list.d/*.sources
+  do
+    case "${action}" in
+      install)
+        rewrite_repo "URIs:\s*https://" "URIs: http://HTTPS///"
+        rewrite_repo "^\s*\(#*\)\s*deb\(.*\)https://" "\1deb\2http://HTTPS///"
+        ;;
+      uninstall)
+        rewrite_repo "URIs:\s*http://HTTPS///" "URIs: https://"
+        rewrite_repo "^\s*\(#*\)\s*deb\(.*\)http://HTTPS///" "\1deb\2https://"
+        ;;
+    esac
+  done
+
+elif test -e /etc/arch-release; then
+  ## Archlinux
+  for repo in \
+    /etc/pacman.d/mirrorlist \
+    /etc/pacman.d/*.conf \
+    /etc/pacman.d/*.conf.disabled
+  do
+    case "${action}" in
+      install)
+        rewrite_repo "Server\s*=\s*https://" "Server = http://HTTPS///"
+        ;;
+      uninstall)
+        rewrite_repo "Server\s*=\s*http://HTTPS///" "Server = https://"
+        ;;
+    esac
+  done
+
+else
+  echo "Cacher does not support your Operating System distribution." >&2
+  exit 1
+fi
+
+## Stateful cmd module.
+echo
+if test -s "${changes_file}"; then
+  echo "changed=yes comment='URIs have been modified'"
+else
+  echo "changed=no comment='URIs remained untouched'"
+fi
+exit

salt/sys-cacher/install-client.sls

@@ -4,71 +4,17 @@ SPDX-FileCopyrightText: 2023 - 2024 Benjamin Grande M. S. <ben.grande.b@gmail.co
 SPDX-License-Identifier: AGPL-3.0-or-later
 #}
 
-{% if grains['os_family']|lower == 'debian' -%}
-{% if not salt['file.file_exists']('/usr/share/whonix/marker') -%}
-{% for repo in salt['file.find']('/etc/apt/sources.list.d/', name='*(list|sources)') -%}
- "{{ repo }}_baseurl":
-   file.replace:
-     - name: {{ repo }}
-     - pattern: 'https://'
-     - repl: 'http://HTTPS///'
-     - flags: [ 'IGNORECASE', 'MULTILINE' ]
-     - backup: False
-{% endfor -%}
+"{{ slsdotpath }}-install-client-tool":
+  file.managed:
+    - name: /usr/bin/apt-cacher-ng-repo
+    - source: salt://{{ slsdotpath }}/files/client/bin/apt-cacher-ng-repo
+    - mode: "0755"
+    - group: root
+    - user: root
+    - makedirs: True
 
-  "/etc/apt/sources.list":
-    file.replace:
-      - name: /etc/apt/sources.list
-      - pattern: 'https:'
-      - repl: 'http://HTTPS/'
-      - flags: [ 'IGNORECASE', 'MULTILINE' ]
-      - backup: False
-      - ignore_if_missing: True
-{% endif -%}
-
-{% elif grains['os_family']|lower == 'arch' -%}
-  "pacman":
-    file.replace:
-      - names:
-        - /etc/pacman.d/mirrorlist
-        - /etc/pacman.d/99-qubes-repository-4.1.conf.disabled
-      - pattern: 'https:'
-      - repl: 'http://HTTPS/'
-      - flags: [ 'IGNORECASE', 'MULTILINE' ]
-      - backup: False
-
-{% elif grains['os_family']|lower == 'redhat' -%}
-{% for repo in salt['file.find']('/etc/yum.repos.d/', name='*repo') -%}
-"{{ repo }}_baseurl":
-  file.replace:
-    - name: {{ repo }}
-    - pattern: 'baseurl(.*)https://'
-    - repl: 'baseurl\1http://HTTPS///'
-    - flags: [ 'IGNORECASE', 'MULTILINE' ]
-    - backup: False
-
-"{{ repo }}_metalink":
-  file.replace:
-    - name: {{ repo }}
-    - pattern: 'metalink=https://(.*)'
-    - repl: 'metalink=http://HTTPS///\1'
-    - flags: [ 'IGNORECASE', 'MULTILINE' ]
-    - backup: False
-{% endfor -%}
-
-{% for repo in salt['file.find']('/etc/yum.repos.d/', name='rpmfusion*repo*') -%}
-"{{ repo }}_uncomment":
-  file.uncomment:
-    - name: {{ repo }}
-    - regex: '.*baseurl(.*)'
-    - backup: False
-
-"{{ repo }}_comment":
-  file.comment:
-    - name: {{ repo }}
-    - regex: '^metalink=http(.*)'
-    - ignore_missing: True
-    - backup: False
-
-{% endfor -%}
-{% endif -%}
+"{{ slsdotpath }}-install-client-https":
+  cmd.run:
+    - name: apt-cacher-ng-repo install
+    - stateful: True
+    - runas: root

salt/sys-cacher/uninstall-client.sls

@@ -4,54 +4,8 @@ SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
 SPDX-License-Identifier: AGPL-3.0-or-later
 #}
 
-{% if grains['os_family']|lower == 'debian' -%}
-{% for repo in salt['file.find']('/etc/apt/sources.list.d/', name='*(list|sources)') -%}
-  "{{ repo }}_baseurl":
-      file.replace:
-        - name: {{ repo }}
-        - pattern: 'http://HTTPS/'
-        - repl: 'https:'
-        - flags: [ 'IGNORECASE', 'MULTILINE' ]
-        - backup: False
-{% endfor -%}
-
-  "/etc/apt/sources.list":
-    file.replace:
-      - name: /etc/apt/sources.list
-      - pattern: 'http://HTTPS/'
-      - repl: 'https:'
-      - flags: [ 'IGNORECASE', 'MULTILINE' ]
-      - backup: False
-
-{% elif grains['os_family']|lower == 'arch' -%}
-  "pacman":
-    file.replace:
-      - names:
-        - /etc/pacman.d/mirrorlist
-        - /etc/pacman.d/99-qubes-repository-4.1.conf.disabled
-      - pattern: 'http://HTTPS///'
-      - repl: 'https://'
-      - flags: [ 'IGNORECASE', 'MULTILINE' ]
-      - backup: False
-
-
-{% elif grains['os_family']|lower == 'redhat' -%}
-{% for repo in salt['file.find']('/etc/yum.repos.d/', name='*repo*') -%}
-"{{ repo }}_baseurl":
-  file.replace:
-    - name: {{ repo }}
-    - pattern: 'baseurl(.*)http://HTTPS/'
-    - repl: 'baseurl\1https:'
-    - flags: [ 'IGNORECASE', 'MULTILINE' ]
-    - backup: False
-
-"{{ repo }}_metalink":
-  file.replace:
-    - name: {{ repo }}
-    - pattern: 'metalink=http://HTTPS///(.*)'
-    - repl: 'metalink=https://\1'
-    - flags: [ 'IGNORECASE', 'MULTILINE' ]
-    - backup: False
-
-{% endfor -%}
-{% endif -%}
+"{{ slsdotpath }}-uninstall-client-https":
+  cmd.run:
+    - name: apt-cacher-ng-repo uninstall
+    - stateful: True
+    - runas: root