From 7faf944964489980f159a5e27b4f96dd64347d43 Mon Sep 17 00:00:00 2001
From: Ben Grande
Date: Thu, 21 Mar 2024 21:50:02 +0100
Subject: [PATCH] feat: apply URI changes in qube

Very useful for template based qubes to uninstall the cacher definition to reach remote repository definitions with direct connection.
https://github.com/ben-grande/qusal/issues/31
---
 salt/sys-cacher/README.md | 19 +++-
 .../files/client/bin/apt-cacher-ng-repo | 106 ++++++++++++++++++
 salt/sys-cacher/install-client.sls | 80 +++----------
 salt/sys-cacher/uninstall-client.sls | 56 +--------
 4 files changed, 140 insertions(+), 121 deletions(-)
 create mode 100755 salt/sys-cacher/files/client/bin/apt-cacher-ng-repo

diff --git a/salt/sys-cacher/README.md b/salt/sys-cacher/README.md
index 5d0a242..3390207 100644
--- a/salt/sys-cacher/README.md
+++ b/salt/sys-cacher/README.md
@@ -10,6 +10,7 @@ Caching proxy server for software repositories in Qubes OS.
 * [Report Page and Maintenance Tasks](#report-page-and-maintenance-tasks)
 * [Connect to the cacher via IP instead of Qrexec](#connect-to-the-cacher-via-ip-instead-of-qrexec)
 * [Non-TemplateVMs integration](#non-templatevms-integration)
+ * [Rewrite URIs inside the qube](#rewrite-uris-inside-the-qube)
 * [Uninstallation](#uninstallation)
 * [Credits](#credits)
 
@@ -87,11 +88,11 @@ browser is compromised, it can compromise the server. Because the `sys-cacher` qube is listening on port `8082`, you can use it from non-template qubes and qubes that do not have a working Qrexec. Use the native configuration to set the update proxy using the IP address of `sys-cacher` by -setting the cacher as the netvm of the client qube. +setting `sys-cacher` as the netvm of the client qube. ### Non-TemplateVMs integration -**Attention**: this method will allow for a client qube to bypass the qubes +**Attention**: this method will allow a client qube to bypass the qubes firewall and connect to a remote via the updates proxy. By default, only templates will use the proxy to update, if you want to cache @@ -105,7 +106,7 @@ qvm-features QUBE service.updates-proxy-setup 1 Don't forget to restart the qube. If you don't want or can't restart the qube, such as DispVMs, where you would -lose you session, run the same commands as above plus the following inside the +lose the current session, run the above commands plus the following inside the qube: ```sh sudo touch /var/run/qubes-service/updates-proxy-setup @@ -113,6 +114,18 @@ sudo /usr/lib/qubes/update-proxy-configs sudo systemctl restart qubes-updates-proxy-forwarder.socket ``` +### Rewrite URIs inside the qube + +Sometimes you may want to enable of disable the cacher definition, mostly when +you are using an AppVM based on a TemplateVM that uses `sys-cacher`, but the +AppVM should make a direct connection instead of going through the proxy for +updates. + +Use `uninstall` or `install` as argument to the command `apt-cacher-ng-repo`: +```sh +sudo apt-cacher-ng-repo uninstal +``` + ## Uninstallation - Top: diff --git a/salt/sys-cacher/files/client/bin/apt-cacher-ng-repo b/salt/sys-cacher/files/client/bin/apt-cacher-ng-repo new file mode 100755 index 0000000..0135cce --- /dev/null +++ b/salt/sys-cacher/files/client/bin/apt-cacher-ng-repo 
@@ -0,0 +1,106 @@
+#!/bin/sh
+
+# SPDX-FileCopyrightText: 2024 Benjamin Grande M. S.
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+set -eu
+
+changes_file="$(mktemp)"
+trap 'rm -f "${changes_file}"' HUP INT QUIT ABRT EXIT
+
+rewrite_repo(){
+ test -n "${2}" || return 1
+ test -f "${repo}" || return 0
+ test -r "${repo}" || return 0
+ test -w "${repo}" || return 0
+ sed -i "s|${1}|${2}|w ${changes_file}" "${repo}"
+}
+
+usage(){
+ echo "Usage: ${0##*/} [install|uninstall]"
+ exit 1
+}
+
+case "${1-}" in
+ install|uninstall) action="${1}";;
+ *) usage;;
+esac
+action="${1}"
+
+if test -e /etc/fedora-release; then
+ ## Fedora
+ for repo in /etc/yum.repos.d/*.repo; do
+ case "${action}" in
+ install)
+ rewrite_repo "baseurl\s*=\s*https://" "baseurl=http://HTTPS///"
+ rewrite_repo "metalink\s*=\s*https://" "metalink=http://HTTPS///"
+ ;;
+ uninstall)
+ rewrite_repo "baseurl\s*=\s*http://HTTPS///" "baseurl=https://"
+ rewrite_repo "metalink\s*=\s*http://HTTPS///" "metalink=https://"
+ ;;
+ esac
+ done
+ for repo in /etc/yum.repos.d/rpmfusion*.repo; do
+ case "${action}" in
+ install)
+ rewrite_repo "^\s*#.*baseurl" "baseurl"
+ rewrite_repo "^\s*metalink\s*=\s*" "#metalink="
+ ;;
+ uninstall)
+ rewrite_repo "^\s*baseurl" "#baseurl"
+ rewrite_repo "^\s*#.*metalink\s*=" "metalink="
+ ;;
+ esac
+ done
+
+elif test -e /etc/debian_version && test ! -e /usr/share/whonix/marker; then
+ ## Debian but not Whonix.
+ for repo in \
+ /etc/apt/sources.list \
+ /etc/apt/sources.list.d/*.list \
+ /etc/apt/sources.list.d/*.sources
+ do
+ case "${action}" in
+ install)
+ rewrite_repo "URIs:\s*https://" "URIs: http://HTTPS///"
+ rewrite_repo "^\s*\(#*\)\s*deb\(.*\)https://" "\1deb\2http://HTTPS///"
+ ;;
+ uninstall)
+ rewrite_repo "URIs:\s*http://HTTPS///" "URIs: https://"
+ rewrite_repo "^\s*\(#*\)\s*deb\(.*\)http://HTTPS///" "\1deb\2https://"
+ ;;
+ esac
+ done
+
+elif test -e /etc/arch-release; then
+ ## Archlinux
+ for repo in \
+ /etc/pacman.d/mirrorlist \
+ /etc/pacman.d/*.conf \
+ /etc/pacman.d/*.conf.disabled
+ do
+ case "${action}" in
+ install)
+ rewrite_repo "Server\s*=\s*https://" "Server = http://HTTPS///"
+ ;;
+ uninstall)
+ rewrite_repo "Server\s*=\s*http://HTTPS///" "Server = https://"
+ ;;
+ esac
+ done
+
+else
+ echo "Cacher does not support your Operating System distribution." >&2
+ exit 1
+fi
+
+## Stateful cmd module.
+echo
+if test -s "${changes_file}"; then
+ echo "changed=yes comment='URIs have been modified'"
+else
+ echo "changed=no comment='URIs remained untouched'"
+fi
+exit
diff --git a/salt/sys-cacher/install-client.sls b/salt/sys-cacher/install-client.sls
index ed6b353..3451961 100644
--- a/salt/sys-cacher/install-client.sls
+++ b/salt/sys-cacher/install-client.sls
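Review bot: The `changed=` result derived from `${changes_file}` at the bottom of the file reflects only the last `sed` invocation, because GNU sed creates or truncates a `w` target before reading input on every run, so a repo file rewritten by an earlier `rewrite_repo` call is reported as `changed=no` whenever the final pattern on the final file does not match. Have every call append instead of overwrite, e.g. `sed -i "s|${1}|${2}|w /dev/stdout" "${repo}" >> "${changes_file}"`, after which `test -s` answers whether any substitution matched at all. Under `set -u`, the `test -n "${2}" || return 1` guard aborts the whole script on an unbound `$2` rather than returning 1, so `"${2-}"` is what the fallback intends. The `action="${1}"` line after `esac` repeats the assignment already made in the `install|uninstall)` arm and can be dropped. Note also that the README hunk in this patch documents the command as `sudo apt-cacher-ng-repo uninstal`, which this `case` rejects with the usage message.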
@@ -4,71 +4,17 @@ SPDX-FileCopyrightText: 2023 - 2024 Benjamin Grande M. S.
 SPDX-License-Identifier: AGPL-3.0-or-later
 #}
 
-{% if grains['os_family']|lower == 'debian' -%}
-{% for repo in salt['file.find']('/etc/apt/sources.list.d/', name='*(list|sources)') -%}
- "{{ repo }}_baseurl":
- file.replace:
- - name: {{ repo }}
- - pattern: 'http://HTTPS/'
- - repl: 'https:'
- - flags: [ 'IGNORECASE', 'MULTILINE' ]
- - backup: False
-{% endfor -%}
-
- "/etc/apt/sources.list":
- file.replace:
- - name: /etc/apt/sources.list
- - pattern: 'http://HTTPS/'
- - repl: 'https:'
- - flags: [ 'IGNORECASE', 'MULTILINE' ]
- - backup: False
-
-{% elif grains['os_family']|lower == 'arch' -%}
- "pacman":
- file.replace:
- - names:
- - /etc/pacman.d/mirrorlist
- - /etc/pacman.d/99-qubes-repository-4.1.conf.disabled
- - pattern: 'http://HTTPS///'
- - repl: 'https://'
- - flags: [ 'IGNORECASE', 'MULTILINE' ]
- - backup: False
-
-
-{% elif grains['os_family']|lower == 'redhat' -%}
-{% for repo in salt['file.find']('/etc/yum.repos.d/', name='*repo*') -%}
-"{{ repo }}_baseurl":
- file.replace:
- - name: {{ repo }}
- - pattern: 'baseurl(.*)http://HTTPS/'
- - repl: 'baseurl\1https:'
- - flags: [ 'IGNORECASE', 'MULTILINE' ]
- - backup: False
-
-"{{ repo }}_metalink":
- file.replace:
- - name: {{ repo }}
- - pattern: 'metalink=http://HTTPS///(.*)'
- - repl: 'metalink=https://\1'
- - flags: [ 'IGNORECASE', 'MULTILINE' ]
- - backup: False
-
-{% endfor -%}
-{% endif -%}
+"{{ slsdotpath }}-uninstall-client-https":
+ cmd.run:
+ - name: apt-cacher-ng-repo uninstall
+ - stateful: True
+ - runas: root