mirror of
https://github.com/ben-grande/qusal.git
synced 2024-12-23 14:39:23 -05:00
refactor: prefer systemd sockets over socat
- Document preferred method for socket use depending on use case;
- Fix Github web-flow key;
- Standardize naming of services;
- Use sys-ssh in ansible formula;
- Start services conditionally with Qubes Service and evaluated by systemd ConditionPathExists= instead of installing on a per qube basis with rc.local scripts;
- Change Qusal services to "qusal-" prefix instead of "qubes-" prefix.

Fixes: https://github.com/ben-grande/qusal/issues/80
Fixes: https://github.com/ben-grande/qusal/issues/79
This commit is contained in:
parent
3880a35cfa
commit
9c280689d8
@ -14,8 +14,10 @@ Qusal design document.
* [Qube naming](#qube-naming)
* [Qube label](#qube-label)
* [Qube menu](#qube-menu)
* [Qube features](#qube-features)
* [Qube connections](#qube-connections)
* [Qrexec call and policy](#qrexec-call-and-policy)
* [Qrexec socket services](#qrexec-socket-services)

## Goal

@ -167,6 +169,21 @@ building software is risky, the user trying to open a file manager on a qube
that doesn't have one is less risky but for the user the behavior is
unexpected.

### Qube features

Control daemons using Qubes Services. It is much better to control services
this way as we can declare during the creation of qubes instead of having to
add a state to run a script during boot to unmask and start a specific
service. The method below is most of the times combined with `systemd.unit`
`ConditionPathExists=` to enable the service conditionally.

- Server's service name must match the syntax: `service-server` (example:
`rsync-server`, `syncthing-server`);
- Client's service name must match the syntax: `service-client` (example:
`ssh-client`;
- Local program's service name must match the syntax: `service` (example:
`docker`, `podman`.

### Qube connections

There are several ways a qube can connect to another, either directly with
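Review bot: the last two items of the "Qube features" naming list have unbalanced parentheses: `(example:` followed by `` `ssh-client`; `` and `(example:` followed by `` `docker`, `podman`. `` never close, whereas the first item ends with `` `syncthing-server`); ``. Close them as `` `ssh-client`); `` and `` `docker`, `podman`). `` so the three rules read the same way.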
@ -202,3 +219,40 @@ Xen or with Qrexec. If something is not required, we remove it.
`qrexec-client-vm`.
3. Target qube for client script must default to `@default`, but other targets
must be allowed via parameters.

### Qrexec socket services

Native Qrexec TCP sockets `/dev/tcp` using `qubes.ConnectTCP` are very handy
to connect to a port of a qube. The downside of using `qubes.ConnectTCP`
directly is the user doesn't want or need to know in which port the client
wants to connect in the server. We will refer to Unix Domains Sockets as
`UDS`.

Using `qusal.Service`, such as `qusal.Rsync`, `qusal.Syncthing`, `qusal.Ssh`
has the following advantages:

- Usability: User recognizes the call per service name;
- Extensibility: Allows extending functionality for arguments added in the
future, no need to migrate user policy from `qubes.ConnectTCP`;
is not necessary;

Rules for server RPC service:

- Symlink `qubes.ConnectTCP` to `qusal.Service` if connecting to a local port;
- Use `qubes.ConnectTCP` directly when the user won't manage the policy for
the wanted call, such as `sys-syncthing-browser`, where it happens that only
this qube will access the admin interface of `sys-syncthing`;
- Use `socat` to connect to remote hosts or UDS with path defined by the
service argument.

Rules for client RPC call:

- Use `systemd.socket` units, it does not require `socat`, it is not
restricted to the use of `qubes.ConnectTCP` called by `qvm-connect-tcp`, the
service can be properly logged and status verified by a service manager
instead of forking socat to the background with a `rc.local` script and
finally, can be controlled by Qubes Services to enable or disable the unit
with `ConditionPathExists=` instead of doing if-else statements in
`rc.local`;
- Use of `socat` and `qvm-connect-tcp` is permitted for UDS and for
instructional use as it is very short.
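Review bot: the advantages list for `qusal.Service` ends with the fragment `is not necessary;`, which has no subject and reads like the tail of an item lost while editing (the Extensibility item already closes with `;` on the line before). Either restore the item it belonged to or delete the line, and end the last real item with a period. One more documentation point for this section: the server rule "Symlink `qubes.ConnectTCP` to `qusal.Service`" passes the caller's argument through unchanged, so the text should say that the policy for a symlinked service still has to pin the argument; the `qusal.Ssh *` policy line elsewhere in this change is exactly the case that needs that guidance.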
@ -69,12 +69,10 @@ stages:
gpg-client: gpg

sign-key:
rpm:
- DF3834875B65758713D92E91A475969DE4E371E3
rpm: DF3834875B65758713D92E91A475969DE4E371E3

#repository-publish:
# components: current-testing
repository-publish:
components: current-testing

#repository-upload-remote-host:
# rpm: user@yum.qubes-os.org:/some/path
# deb: user@deb.qubes-os.org:/another/path
# repository-upload-remote-host:
# rpm: user@yum.example.org:/some/path
@ -30,7 +30,9 @@ BuildArch: noarch

Requires: qubes-mgmt-salt
Requires: qubes-mgmt-salt-dom0
Requires: qusal-dotfiles
Requires: qusal-ssh
Requires: qusal-sys-ssh
Requires: qusal-utils


@ -73,8 +75,6 @@ if test "$1" = "1"; then
## Install
qubesctl state.apply ansible.create
qubesctl --skip-dom0 --targets=tpl-ansible state.apply ansible.install
qubesctl --skip-dom0 --targets=ansible state.apply ansible.configure,zsh.touch-zshrc
qubesctl --skip-dom0 --targets=ansible-minion state.apply ansible.configure-minion,zsh.touch-zshrc
elif test "$1" = "2"; then
## Upgrade
true
@ -107,6 +107,9 @@ fi
%dnl TODO: missing '%ghost', files generated during %post, such as Qrexec policies.

%changelog
* Tue Jun 25 2024 Ben Grande <ben.grande.b@gmail.com> - 3880a35
- fix: ansible references legacy zsh state

* Mon Jun 24 2024 Ben Grande <ben.grande.b@gmail.com> - ab1438f
- fix: change Launchpad repository to HTTPS domain

@ -72,7 +72,6 @@ cp -rv salt/%{project} %{buildroot}/srv/salt/qusal/%{name}
if test "$1" = "1"; then
## Install
qubesctl --skip-dom0 --targets=tpl-qubes-builder state.apply docker.install
qubesctl --skip-dom0 --targets=qubes-builder state.apply docker.configure
elif test "$1" = "2"; then
## Upgrade
true
@ -114,6 +114,9 @@ fi
%dnl TODO: missing '%ghost', files generated during %post, such as Qrexec policies.

%changelog
* Tue Jun 25 2024 Ben Grande <ben.grande.b@gmail.com> - 4facf45
- feat: use native TCP socket with Qrexec

* Fri Jun 21 2024 Ben Grande <ben.grande.b@gmail.com> - c84dfea
- fix: generate RPM Specs for Qubes Builder V2

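Review bot: the changelog entry added here, `* Tue Jun 25 2024 Ben Grande <ben.grande.b@gmail.com> - 4facf45` / `- feat: use native TCP socket with Qrexec`, does not describe this commit (`refactor: prefer systemd sockets over socat`), and `4facf45` is neither this commit (`9c280689d8`) nor its parent (`3880a35cfa`); the same entry is added to the other spec files below. If the changelog is generated from git history, regenerate it once the commit is final; otherwise the entry text and hash should match the change it ships with.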
@ -111,6 +111,9 @@ fi
%dnl TODO: missing '%ghost', files generated during %post, such as Qrexec policies.

%changelog
* Tue Jun 25 2024 Ben Grande <ben.grande.b@gmail.com> - 4facf45
- feat: use native TCP socket with Qrexec

* Fri Jun 21 2024 Ben Grande <ben.grande.b@gmail.com> - c84dfea
- fix: generate RPM Specs for Qubes Builder V2

@ -114,6 +114,9 @@ fi
%dnl TODO: missing '%ghost', files generated during %post, such as Qrexec policies.

%changelog
* Tue Jun 25 2024 Ben Grande <ben.grande.b@gmail.com> - 4facf45
- feat: use native TCP socket with Qrexec

* Fri Jun 21 2024 Ben Grande <ben.grande.b@gmail.com> - c84dfea
- fix: generate RPM Specs for Qubes Builder V2

@ -30,7 +30,6 @@ BuildArch: noarch

Requires: qubes-mgmt-salt
Requires: qubes-mgmt-salt-dom0
Requires: qusal-dev
Requires: qusal-sys-ssh-agent
Requires: qusal-utils

@ -83,7 +82,6 @@ if test "$1" = "1"; then
## Install
qubesctl state.apply sys-ssh.create
qubesctl --skip-dom0 --targets=tpl-sys-ssh state.apply sys-ssh.install
qubesctl --skip-dom0 --targets=sys-ssh state.apply sys-ssh.configure
elif test "$1" = "2"; then
## Upgrade
true
@ -116,6 +114,9 @@ fi
%dnl TODO: missing '%ghost', files generated during %post, such as Qrexec policies.

%changelog
* Tue Jun 25 2024 Ben Grande <ben.grande.b@gmail.com> - 4facf45
- feat: use native TCP socket with Qrexec

* Mon Jun 24 2024 Ben Grande <ben.grande.b@gmail.com> - 22e2a2e
- chore: add copyright to systemd services

@ -96,7 +96,6 @@ if test "$1" = "0"; then
## Uninstall
qvm-port-forward -a del -q sys-syncthing -n tcp -p 22000
qvm-port-forward -a del -q sys-syncthing -n udp -p 22000
qubesctl --skip-dom0 --targets=sys-syncthing state.apply sys-syncthing.cancel
qubesctl state.apply sys-syncthing.clean
elif test "$1" = "1"; then
## Upgrade
@ -121,6 +120,9 @@ fi
%dnl TODO: missing '%ghost', files generated during %post, such as Qrexec policies.

%changelog
* Tue Jun 25 2024 Ben Grande <ben.grande.b@gmail.com> - 4facf45
- feat: use native TCP socket with Qrexec

* Mon Jun 24 2024 Ben Grande <ben.grande.b@gmail.com> - 22e2a2e
- chore: add copyright to systemd services

@ -26,28 +26,13 @@ sudo qubesctl top.disable ansible
```sh
sudo qubesctl state.apply ansible.create
sudo qubesctl --skip-dom0 --targets=tpl-ansible state.apply ansible.install
sudo qubesctl --skip-dom0 --targets=ansible state.apply ansible.configure
sudo qubesctl --skip-dom0 --targets=ansible-minion state.apply ansible.configure-minion
```
<!-- pkg:end:post-install -->

## Usage

Configure the control node `ansible`:
```sh
ssh-keygen -t ed25519 -N "" -f ~/.ssh/id_ansible
qvm-copy ~/.ssh/id_ansible.pub
```
Select `ansible-minion` as the target qube for the copy operation.

Configure the minion `ansible-minion`:
```sh
mkdir -m 0700 ~/.ssh
cat ~/QubesIncoming/ansible/id_ansible.pub >> ~/.ssh/authorized_keys
```

From the control node `ansible`, test connection to the minion
From the control node `ansible`, test connection to the managed node
`ansible-minion`:
```sh
ssh minion
ssh -p 1840 user@127.0.0.1
```
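Review bot: the new test command `ssh -p 1840 user@127.0.0.1` hardcodes a port that the README never explains and that no unit in this diff listens on (the deleted `~/.ssh/config` mapped `minion` to port 22000). Say where 1840 is forwarded from, ideally by naming the socket unit that `service.ssh-client` enables, so a reader can debug a refused connection. Also, the minion step `cat ~/QubesIncoming/ansible/id_ansible.pub >> ~/.ssh/authorized_keys` creates the file with the default umask, while the deleted `configure-minion.sls` state enforced `file_mode: '0600'`; add `chmod 600 ~/.ssh/authorized_keys` to that block to keep the same mode.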
@ -1,30 +0,0 @@
{#
SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>

SPDX-License-Identifier: AGPL-3.0-or-later
#}

{% if grains['nodename'] != 'dom0' -%}

include:
- utils.tools.zsh.touch-zshrc

"{{ slsdotpath }}-minion-start-sshd":
file.managed:
- name: /rw/config/rc.local.d/50-ansible.rc
- source: salt://{{ slsdotpath }}/files/client/rc.local.d/50-ansible.rc
- mode: '0755'
- user: root
- group: root
- makedirs: True

"{{ slsdotpath }}-minion-ssh-authorized_keys":
file.touch:
- name: /home/user/.ssh/authorized_keys
- dir_mode: '0700'
- file_mode: '0600'
- user: user
- group: user
- makedirs: True

{% endif -%}
@ -1,9 +0,0 @@
{#
SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>

SPDX-License-Identifier: AGPL-3.0-or-later
#}

base:
'ansible':
- ansible.configure-minion
@ -1,31 +0,0 @@
{#
SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>

SPDX-License-Identifier: AGPL-3.0-or-later
#}

{% if grains['nodename'] != 'dom0' -%}

include:
- utils.tools.zsh.touch-zshrc

"{{ slsdotpath }}-autostart-ssh-over-qrexec":
file.managed:
- name: /rw/config/rc.local.d/50-ansible.rc
- source: salt://{{ slsdotpath }}/files/server/rc.local.d/50-ansible.rc
- mode: '0755'
- user: root
- group: root
- makedirs: True

"{{ slsdotpath }}-ssh-config":
file.managed:
- name: /home/user/.ssh/config
- source: salt://{{ slsdotpath }}/files/server/ssh-config
- file_mode: '0600'
- dir_mode: '0700'
- user: root
- group: root
- makedirs: True

{% endif -%}
@ -1,9 +0,0 @@
{#
SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>

SPDX-License-Identifier: AGPL-3.0-or-later
#}

base:
'ansible':
- ansible.configure
@ -46,6 +46,8 @@ prefs:
features:
- set:
- menu-items: "qubes-run-terminal.desktop qubes-start.desktop"
- enable:
- service.ssh-client
- disable:
- service.cups
- service.cups-browsed
@ -73,6 +75,9 @@ prefs:
features:
- set:
- menu-items: "qubes-run-terminal.desktop qubes-start.desktop"
- enable:
- servicevm
- service.ssh-server
- disable:
- service.cups
- service.cups-browsed
@ -2,5 +2,5 @@
#
# SPDX-License-Identifier: AGPL-3.0-or-later

qubes.ConnectTCP +22 {{ sls_path }} @default allow target={{ sls_path }}-minion
qusal.Ssh * {{ sls_path }} @default allow target={{ sls_path }}-minion
## vim:ft=qrexecpolicy
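Review bot: `qusal.Ssh * {{ sls_path }} @default allow target={{ sls_path }}-minion` is broader than the line it replaces. `qubes.ConnectTCP +22` pinned the port; with `*` any argument is accepted, and if `qusal.Ssh` is implemented as the design document's symlink to `qubes.ConnectTCP`, the argument is the port, so `ansible` could reach any local port on `ansible-minion`. Either pin it (`qusal.Ssh +22`) or make sure the `qusal.Ssh` service ignores its argument and always connects to 22, and say which in the design document.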
@ -1,7 +0,0 @@
# SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
#
# SPDX-License-Identifier: AGPL-3.0-or-later

PubkeyAuthentication yes

# vim: ft=sshdconfig
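Review bot: deleting `99-sshd-ansible.conf` loses nothing in practice, since `PubkeyAuthentication yes` is OpenSSH's default, but no replacement `sshd_config` drop-in appears anywhere in this diff. If the minion's sshd is now configured by the `sys-ssh.install` states pulled in through `install.sls`, that is where settings such as `PasswordAuthentication no` should be checked, because the ansible formula no longer carries any sshd configuration of its own.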
@ -1,8 +0,0 @@
#!/bin/sh
# vim: ft=sh
# SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
#
# SPDX-License-Identifier: AGPL-3.0-or-later

systemctl unmask ssh
systemctl --no-block start ssh
@ -1,12 +0,0 @@
# SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
#
# SPDX-License-Identifier: AGPL-3.0-or-later

Host minion ansible-minion
Hostname 127.0.0.1
Port 22000
User user
IdentityFile ~/.ssh/id_ansible.pub
PreferredAuthentications publickey

# vim: ft=sshconfig
@ -1,7 +0,0 @@
#!/bin/sh
# vim: ft=sh
# SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
#
# SPDX-License-Identifier: AGPL-3.0-or-later

qvm-connect-tcp 22000:@default:22
@ -10,7 +10,3 @@ base:
- ansible.create
'tpl-ansible':
- ansible.install
'ansible':
- ansible.configure
'ansible-minion':
- ansible.configure-minion

@ -9,7 +9,10 @@ SPDX-License-Identifier: AGPL-3.0-or-later
include:
- .install-repo
- utils.tools.common.update
- utils.tools.zsh
- dotfiles.copy-sh
- dotfiles.copy-x11
- sys-ssh.install
- sys-ssh.install-client
- ssh.install

"{{ slsdotpath }}-installed":
@ -26,7 +29,6 @@ include:
- ansible-lint
- python3-argcomplete
- python3-jmespath
- openssh-server
- qubes-core-agent-passwordless-root
- bash-completion
- man-db
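Review bot: `openssh-server` is dropped from this package list, so the minion's sshd now has to come from the `sys-ssh.install` include added to `install.sls` in the hunk above; worth confirming that state installs the server package and not only the client side, since the same include block also adds `sys-ssh.install-client` and `ssh.install`, and the control node and the minion share this template.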
@ -48,20 +50,4 @@ include:
- skip_suggestions: True
- pkgs: {{ pkg.pkg|sequence|yaml }}

"{{ slsdotpath }}-ssh-config":
file.managed:
- name: /etc/ssh/ssh_config.d/99-ssh-ansible.conf
- source: salt://{{ slsdotpath }}/files/server/99-ssh-ansible.conf
- mode: '0644'
- user: root
- group: root

"{{ slsdotpath }}-sshd-config":
file.managed:
- name: /etc/ssh/sshd_config.d/99-sshd-ansible.conf
- source: salt://{{ slsdotpath }}/files/client/99-sshd-ansible.conf
- mode: '0644'
- user: root
- group: root

{% endif -%}
@ -14,10 +14,12 @@ Setup docker in Qubes OS with the Docker repository.

## Installation

TODO: remove installation steps or provide a docker qube.

- Top
```sh
sudo qubesctl top.enable docker
sudo qubesctl --targets=tpl-qubes-builder,qubes-builder state.apply
sudo qubesctl --targets=tpl-qubes-builder state.apply
sudo qubesctl top.disable docker
```

@ -25,10 +27,15 @@ sudo qubesctl top.disable docker
<!-- pkg:begin:post-install -->
```sh
sudo qubesctl --skip-dom0 --targets=tpl-qubes-builder state.apply docker.install
sudo qubesctl --skip-dom0 --targets=qubes-builder state.apply docker.configure
```
<!-- pkg:end:post-install -->

Enable the Docker and/or Podman service for qubes that will use it:
```sh
qvm-features QUBE service.docker 1
qvm-features QUBE service.podman 1
```

## Usage

The only qubes specific configuration to docker is changing its [root
@ -1,18 +0,0 @@
{#
SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>

SPDX-License-Identifier: AGPL-3.0-or-later
#}

{% if grains['nodename'] != 'dom0' -%}

"{{ slsdotpath }}-rc.local":
file.managed:
- name: /rw/config/rc.local.d/50-docker.rc
- source: salt://{{ slsdotpath }}/files/client/rc.local.d/50-docker.rc
- mode: '0755'
- user: root
- group: root
- makedirs: True

{% endif -%}
@ -1,9 +0,0 @@
{#
SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>

SPDX-License-Identifier: AGPL-3.0-or-later
#}

base:
'qubes-builder':
- docker.configure
@ -1,9 +0,0 @@
#!/bin/sh
# vim: ft=sh
# SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
#
# SPDX-License-Identifier: AGPL-3.0-or-later

usermod -aG docker user
systemctl unmask docker
systemctl --no-block restart docker
@ -0,0 +1,8 @@
# SPDX-FileCopyrightText: 2023 - 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com>
#
# SPDX-License-Identifier: AGPL-3.0-or-later
# vim: ft=systemd
[Unit]
ConditionPathExists=/var/run/qubes-service/docker
After=qubes-sysinit.service
Before=qubes-qrexec-agent.service
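Review bot: `Before=qubes-qrexec-agent.service` in this `[Unit]` drop-in orders `docker.service` ahead of the qrexec agent, so qrexec (and with it `qvm-run`, file copy and every other dom0 interaction with the qube) waits until dockerd has finished starting; the next hunk adds the same ordering for podman. Unless something reached over qrexec depends on the daemon already being up, `After=qubes-sysinit.service` plus the `ConditionPathExists=` gate is enough, and dropping `Before=` keeps a slow daemon start from delaying the whole qube.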
@ -0,0 +1,8 @@
# SPDX-FileCopyrightText: 2023 - 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com>
#
# SPDX-License-Identifier: AGPL-3.0-or-later
# vim: ft=systemd
[Unit]
ConditionPathExists=/var/run/qubes-service/podman
After=qubes-sysinit.service
Before=qubes-qrexec-agent.service
@ -7,5 +7,3 @@ SPDX-License-Identifier: AGPL-3.0-or-later
base:
'tpl-qubes-builder':
- docker.install
'qubes-builder':
- docker.configure

@ -52,4 +52,22 @@ include:
- addusers:
- user

"{{ slsdotpath }}-systemd":
file.recurse:
- name: /usr/lib/systemd/system/
- source: salt://{{ slsdotpath }}/files/client/systemd/
- dir_mode: '0755'
- file_mode: '0644'
- user: root
- group: root
- makedirs: True

"{{ slsdotpath }}-unmask-docker":
service.unmasked:
- name: docker

"{{ slsdotpath }}-enable-docker":
service.enabled:
- name: docker

{% endif -%}
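Review bot: this hunk unmasks and enables `docker` only, while the `file.recurse` into `/usr/lib/systemd/system/` also ships the podman drop-in added in the earlier hunk; if podman is meant to start under `service.podman` it needs matching `service.unmasked`/`service.enabled` states, or a comment stating that podman is socket-activated and intentionally left alone. Also, because `service.enabled` now runs in the template, every qube based on it starts dockerd unless its Qubes Service is off; that is what the `ConditionPathExists=` drop-in is for, but a one-line comment on the `-enable-docker` state saying so would spare the next reader the cross-reference.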
@ -88,7 +88,7 @@ socat TCP4-LISTEN:50002,reuseaddr,fork,bind=127.0.0.1 TCP:192.168.2.10:50002 &
In the qube `electrum`, add the `qvm-connect-tcp` command to the file
`/rw/config/rc.local`:
```sh
qvm-connnect-tcp ::50002
qvm-connect-tcp ::50002
```

In the qube `electrum`, run as the user `user` the electrum configuration
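Review bot: beyond the `qvm-connnect-tcp` typo fix, this README still tells the user to put `qvm-connect-tcp ::50002` into `/rw/config/rc.local`, the pattern the design document in this same change says to avoid in favour of `systemd.socket` units and permits only "for instructional use"; the sys-bitcoin README hunk below keeps the same pattern for ports 8332, 8333 and 8433. Either label these blocks as the instructional exception or migrate them to a socket unit as was done for `sys-cacher`.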
@ -13,7 +13,6 @@ include:
- dotfiles.copy-sh
- dotfiles.copy-ssh
- dotfiles.copy-git
- docker.configure

"{{ slsdotpath }}-opam-completion-and-hooks":
file.managed:
@ -37,6 +37,9 @@ prefs:
- autostart: False
- include_in_backups: True
features:
- enable:
- service.docker
- service.podman
- disable:
- service.cups
- service.cups-browsed
@ -6,28 +6,36 @@ SQzvYjsE4I34To4UdE9KA97wrQjGoz2Bx72WDLyWwctD3DKQtYeHXswXXtXwKfjQ
7Fy4+Bf5IPh76dA8NJ6UtjjLIDlKqdxLW4atHe6xWFaJ+XdLUtsAroZcXBeWDCPa
buXCDscJcLJRKZVc62gOZXXtPfoHqvUPp3nuLA4YjH9bphbrMWMf810Wxz9JTd3v
yWgGqNY0zbBqeZoGv+TuExlRHT8ASGFS9SVDABEBAAHNNUdpdEh1YiAod2ViLWZs
b3cgY29tbWl0IHNpZ25pbmcpIDxub3JlcGx5QGdpdGh1Yi5jb20+wsBiBBMBCAAW
BQJZlGhBCRBK7hj4Ov3rIwIbAwIZAQAAmQEIACATWFmi2oxlBh3wAsySNCNV4IPf
DDMeh6j80WT7cgoX7V7xqJOxrfrqPEthQ3hgHIm7b5MPQlUr2q+UPL22t/I+ESF6
9b0QWLFSMJbMSk+BXkvSjH9q8jAO0986/pShPV5DU2sMxnx4LfLfHNhTzjXKokws
+8ptJ8uhMNIDXfXuzkZHIxoXk3rNcjDN5c5X+sK8UBRH092BIJWCOfaQt7v7wig5
4Ra28pM9GbHKXVNxmdLpCFyzvyMuCmINYYADsC848QQFFwnd4EQnupo6QvhEVx1O
j7wDwvuH5dCrLuLwtwXaQh0onG4583p0LGms2Mf5F+Ick6o/4peOlBoZz48=
=HXDP
-----END PGP PUBLIC KEY BLOCK----------BEGIN PGP PUBLIC KEY BLOCK-----

xsBNBFmUaEEBCACzXTDt6ZnyaVtueZASBzgnAmK13q9Urgch+sKYeIhdymjuMQta
x15OklctmrZtqre5kwPUosG3/B2/ikuPYElcHgGPL4uL5Em6S5C/oozfkYzhwRrT
SQzvYjsE4I34To4UdE9KA97wrQjGoz2Bx72WDLyWwctD3DKQtYeHXswXXtXwKfjQ
7Fy4+Bf5IPh76dA8NJ6UtjjLIDlKqdxLW4atHe6xWFaJ+XdLUtsAroZcXBeWDCPa
buXCDscJcLJRKZVc62gOZXXtPfoHqvUPp3nuLA4YjH9bphbrMWMf810Wxz9JTd3v
yWgGqNY0zbBqeZoGv+TuExlRHT8ASGFS9SVDABEBAAHNNUdpdEh1YiAod2ViLWZs
b3cgY29tbWl0IHNpZ25pbmcpIDxub3JlcGx5QGdpdGh1Yi5jb20+wsBiBBMBCAAW
BQJZlGhBCRBK7hj4Ov3rIwIbAwIZAQAAmQEIACATWFmi2oxlBh3wAsySNCNV4IPf
DDMeh6j80WT7cgoX7V7xqJOxrfrqPEthQ3hgHIm7b5MPQlUr2q+UPL22t/I+ESF6
9b0QWLFSMJbMSk+BXkvSjH9q8jAO0986/pShPV5DU2sMxnx4LfLfHNhTzjXKokws
+8ptJ8uhMNIDXfXuzkZHIxoXk3rNcjDN5c5X+sK8UBRH092BIJWCOfaQt7v7wig5
4Ra28pM9GbHKXVNxmdLpCFyzvyMuCmINYYADsC848QQFFwnd4EQnupo6QvhEVx1O
j7wDwvuH5dCrLuLwtwXaQh0onG4583p0LGms2Mf5F+Ick6o/4peOlBoZz48=
=HXDP
b3cgY29tbWl0IHNpZ25pbmcpIDxub3JlcGx5QGdpdGh1Yi5jb20+wsBoBBMBCAAc
BQJZlGhBCRBK7hj4Ov3rIwIbAwUJDBJ3/wIZAQAA0O4IAJd0k8M+urETyMvTqNTj
/U6nbqyOdKE4V93uUj5G7sNTfno7wod/Qjj6Zv5KodvA93HmEdQqsmVq5YJ5KGiw
cmGCpd/GqJRPaYSY0hSUSBqYHiHLusCJkPBpQTBhcEMtfVCB2J6fVeoX2DV0K1xf
CGblrSVB0viAxUMnmL5C55RuvbYZsTu8szXhkvIR96CtWbJ8QGaEf1/KSpWz8ept
Y/omf3UPfvdOjnsxc8jVEqPNaR9xC6Q6t53rBa/XgMY6IYyesnyYnc5O6JuexUFa
VjykRFtAiYfDaMARpXOmgMm0lhoBRKb/uMUaN3CSYTmE4pZweJcUi7eWgmoQljX2
ut6ZAg0EZabFdgEQALI37i+IVAzpBCgqvQDZbSsZ0yhtMnA5myjZA+l7BvIGy4ve
s1bk6YetbBcCE8o2pQjI7N2rwyhLGhNO6ouSyhqGLEQv9fafKE4HFH0aRjP+gj1H
edhwtFoVChImhV863rWimQtTNtYB6GluBPwQqWfwmwQ2rT7ScOVZCLSHZD2gaaqW
BXOyTCZVnwt7K/gyDuE3qzDJnuahl+SSkPn5TtnZdW6sLORJJ+DjNvaUxEsmizZ4
IBzvj0QKxfS3s4F+0X5iqCMheLFeybZGtSq9Tjs6Q61l4CG8Bh6dsLemv0WFrk3G
gFQRr7XUwr1bo5xGHC/FUJSsxRHoVNJnIL/9WldNO2tGU6qlTnAYxs/fOmf2B6o5
cKXysXv7WAA8b+j5AVBMGxUSu7CLglaiCJC5DI7AAiUV7/t29rFZkam//Jbb4veC
4vvFocoVUaxrKGWK1BDldr4/WJKApJcPJF4Jtai1+oB6ak/JIjbkseHdJxcjo2B0
dKtIFoWiPAB+DFs9MRDpp0iwocJCh+ucus1rdQ54YMaI44rRphXeOIQMYCi5q2Q1
/arzkSiyPV/2VoKoAfdgskPt1xKd7WIKErmpFMHIy8jJ5IPQ1s2dUwU4alfJLJa0
pvaV2m7wBYFAmwmz0WZgFxYAYEDamn4jFoKfqsEgcixRUVE3w5VkqwSwGRbLABEB
AAG0G0dpdEh1YiA8bm9yZXBseUBnaXRodWIuY29tPokCTgQTAQoAOBYhBJaEeaGv
+SfjfRpWa7VpDu67lSGUBQJlpsV2AhsDBQsJCAcCBhUKCQgLAgQWAgMBAh4BAheA
AAoJELVpDu67lSGUgy4QAKW9XAL416iKrQB2LElmxqAoenHVCswlau0xGLh5dVNN
p5f4/W6eEL8CZI7hfF3e5Gh6Me99aHgXSCK1QnxcqCJ6Oea4ZyrsNu3k6g7Um5ca
VbYFD4yIahhXDYHSw6FYM2sgFY479YvgvKRwacC2tFfChLRbHgwLJ3O1dBjmVycJ
Zpbyu+7taZ26g6KQfgcj3uuo3nz3p1ziIEpLHwtl/7joNEIIP/lJ8AKmUHPiGznN
6fxMvzN37PGMWtdvOi1rSNIMQYr1YY7jPnlLbFJwLrO/q/cGPU5HwGzlqh0a2ZqY
dnuwT3DREmgJ83H71xH+sTzZKs5oGlVTu6st7iWDvNpo2GoN01XzKa5caYglqsOC
uZ6IHlsdL50sXMtSROCi3hEWU9r1sWIm4k3pNz20y7lElD2X/MqbEMcgpawCV7lH
rm7MSrTgu6BNAF0SisbF9AKwXaBr2dwpMMyIBOFZO9mk4/c0n9q2FlGY4GkbgH2J
HqulFTwX/4yiQbh8gzCe+06FZAWITN1OQntTkkCQ+1MCZPf+bOfC08RTsOsVZIYB
2qAgw6XE0IF4a+PAtHSoYftwH2ocMY2gMuSNpQWm7m0+/j+K+RBoeUcnGNPQgszq
N60IDMqkqHjyubrm2aslfopWmPSvaQoyxwV/uztdo+UI0IV2z9gD7Sm49vMkpYp8
=uMz0
-----END PGP PUBLIC KEY BLOCK-----
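Review bot: the old file's two armored blocks were run together on a single line (`-----END PGP PUBLIC KEY BLOCK----------BEGIN PGP PUBLIC KEY BLOCK-----`), which is why it could not be imported as a keyring, and the replacement is one well-formed block. Because this key is what signature verification of GitHub web-flow commits will trust from now on, its fingerprint should be checked out of band against GitHub's published web-flow signing key before merge, and the commit message should record that check; the diff by itself cannot show that the base64 is the genuine key rather than a look-alike.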
@ -13,7 +13,6 @@ include:
- dotfiles.copy-sh
- dotfiles.copy-ssh
- dotfiles.copy-x11
- docker.configure

"{{ slsdotpath }}-makedir-src":
file.directory:
@ -61,11 +61,13 @@ prefs:
- label: gray
- audiovm: ""
- memory: 400
- maxmem: 800
- maxmem: 1000
- vcpus: 1
- default_dispvm: dvm-{{ slsdotpath }}
features:
- enable:
- service.docker
- service.podman
- service.split-gpg2-client
- disable:
- service.cups
@ -113,7 +115,7 @@ features:
"{{ slsdotpath }}-shutdown-template":
qvm.shutdown:
- require:
- cmd: "{{ slsdotpath }}-install-salt-deps":
- cmd: "{{ slsdotpath }}-install-salt-deps"
- name: tpl-{{ slsdotpath }}
- flags:
- force
@ -18,25 +18,26 @@ include:
- pkgs:
- qubes-core-agent-networking
- qubes-core-agent-passwordless-root
- dnf-plugins-core
- createrepo_c
- debootstrap
- devscripts
- dnf-plugins-core
- dpkg-dev
- git
- mock
- pbuilder
- which
- perl-Digest-MD5
- perl-Digest-SHA
- pykickstart
- python3-debian
- python3-pyyaml
- python3-sh
- reprepro
- rpm-build
- rpmdevtools
- wget2
- python3-debian
- reprepro
- systemd-udev
- wget2
- which

"{{ slsdotpath }}-qubes-executor-add-user-to-mock-group":
group.present:
@ -30,26 +30,24 @@ include:
## Minimal template dependencies
- qubes-core-agent-networking
- qubes-core-agent-passwordless-root
## Undocumented Infraestructure Mirrors dependencies
- python3-lxml
## Undocumented Builder dependencies
- python3-click
## Dependencies: https://github.com/QubesOS/qubes-builderv2#dependencies
- asciidoc
- createrepo_c
- devscripts
- m4
- mktorrent
- mock
- openssl
- pacman
- podman
- python3-click
- python3-docker
- python3-jinja2-cli
- python3-lxml
- python3-packaging
- python3-pathspec
- python3-podman
- python3-pyyaml
- rb_libtorrent-examples
- reprepro
- rpm
- rpm-sign
@ -81,7 +81,7 @@ sudo qubesctl --skip-dom0 --targets=sys-bitcoin state.apply sys-bitcoin.configur

Add the tag `bitcoin-client` to the client and install in the client template:
```sh
sudo qubesctl --skip-dom0 --targets=tpl-QUBE state.apply sys-bitcoin.install-client
sudo qubesctl --skip-dom0 --targets=TEMPLATE state.apply sys-bitcoin.install-client
```


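Review bot: `TEMPLATE` in place of `tpl-QUBE` is clearer, but the sentence above the block, "Add the tag `bitcoin-client` to the client", still gives no command while the install step does; show the tagging in the same block (`qvm-tags QUBE add bitcoin-client`, run in dom0) so the two steps are not read as one `qubesctl` invocation.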
@ -212,11 +212,11 @@ In the Electrum Server qubes or any Bitcoin Client, `sys-electrumx`,
`/rw/config/rc.local`:
```sh
## RPC
qvm-connnect-tcp ::8332
qvm-connect-tcp ::8332
## P2P (ElectRS)
qvm-connnect-tcp ::8333
qvm-connect-tcp ::8333
## ZMQPubHashBlock (Fulcrum)
qvm-connnect-tcp ::8433
qvm-connect-tcp ::8433
```

Still in the Electrum Server qube, you will have to add the RPC authentication
@ -89,7 +89,7 @@ The report page is available from `sys-cacher` and `sys-cacher-browser` at
security wise, every client has administrative access to the cacher qube. You
should add the following to the end of `sys-cacher` rc.local:
```sh
echo "AdminAuth: username:password" | tee /etc/qubes-apt-cacher-ng/zzz_security.conf
echo "AdminAuth: username:password" | tee /etc/qusal-apt-cacher-ng/zzz_security.conf
```
Where username and password are HTTP Auth strings.

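Review bot: the renamed path is correct, but `echo "AdminAuth: username:password" | tee /etc/qusal-apt-cacher-ng/zzz_security.conf` in `rc.local` creates the file with the default umask (typically 0644), which leaves the admin credential readable by every local user of `sys-cacher`. The `ExecStartPre=chown -R apt-cacher-ng:apt-cacher-ng ...` line in the service override below shows the daemon runs as `apt-cacher-ng`, so follow the `tee` with `chown root:apt-cacher-ng` and `chmod 640` on the file to keep it readable by the service only, and say in the README that the password is stored in clear text in `rc.local`.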
@ -18,6 +18,16 @@ include:
- group: root
- makedirs: True

"{{ slsdotpath }}-browser-systemd-services":
file.recurse:
- name: /rw/config/systemd/
- source: salt://{{ slsdotpath }}/files/browser/systemd/
- dir_mode: '0755'
- file_mode: '0644'
- user: root
- group: root
- makedirs: True

"{{ slsdotpath }}-browser-desktop-application":
file.managed:
- name: /home/user/.local/share/applications/cacher-browser.desktop
@ -57,7 +57,7 @@ features:
- enable:
- servicevm
- service.crond
- service.apt-cacher-ng
- service.acng-server
- disable:
- service.cups
- service.cups-browsed
@ -87,6 +87,8 @@ prefs:
- autostart: False
- include_in_backups: False
features:
- enable:
- service.acng-browser
- disable:
- service.cups
- service.cups-browsed
@ -1,7 +1,9 @@
#!/bin/sh
# vim: ft=sh
# SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
# SPDX-FileCopyrightText: 2023 - 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com>
#
# SPDX-License-Identifier: AGPL-3.0-or-later

qvm-connect-tcp 8082:@default:8082
cp -r /rw/config/systemd/qusal-acng-browser-forwarder* /usr/lib/systemd/system/
systemctl daemon-reload
systemctl --no-block restart qusal-acng-browser-forwarder.socket
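Review bot: copying `qusal-acng-browser-forwarder*` from `/rw/config/systemd/` into `/usr/lib/systemd/system/` on every boot is still boot-script unit management of the kind the design document in this change argues against, even if it is forced here by the units living under `/rw`; `/run/systemd/system/` is the location systemd intends for runtime-generated units and avoids writing into the vendor directory, with the same `systemctl daemon-reload` afterwards. The `qvm-connect-tcp 8082:@default:8082` line being replaced was the entire forwarder before, so the new socket unit must carry the `ConditionPathExists=/var/run/qubes-service/acng-browser` gate that `rc.local` used to imply, which the next hunk confirms it does.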
@ -0,0 +1,17 @@
# SPDX-FileCopyrightText: 2023 - 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com
#
# SPDX-License-Identifier: AGPL-3.0-or-later

[Unit]
Description=Forward ACNG Admin Web Panel connection over Qrexec
After=qubes-sysinit.service
Before=qubes-qrexec-agent.service
ConditionPathExists=/var/run/qubes-service/acng-browser

[Socket]
ListenStream=127.0.0.1:8082
BindToDevice=lo
Accept=true

[Install]
WantedBy=multi-user.target
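Review bot: `Accept=true` makes systemd spawn one service instance per accepted connection, which requires the companion unit to be a template (`qusal-acng-browser-forwarder@.service`) or an explicit `Service=` in this `[Socket]` section; the next hunk shows the service's contents (`StandardInput=socket`, no `[Install]`), which fit the template form, but not its file name, so confirm it ends in `@.service`, otherwise the socket fails to activate at the first connection. Minor: the copyright line is missing the closing `>` after the e-mail address, here and in the service unit.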
@ -0,0 +1,11 @@
# SPDX-FileCopyrightText: 2023 - 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com
#
# SPDX-License-Identifier: AGPL-3.0-or-later

[Unit]
Description=Forward ACNG Admin Web Panel connection over Qrexec

[Service]
ExecStart=/usr/bin/qrexec-client-vm @default qubes.ConnectTCP+8082
StandardInput=socket
StandardOutput=inherit
@ -3,11 +3,11 @@
# SPDX-License-Identifier: AGPL-3.0-or-later
# vim: ft=systemd
[Unit]
ConditionPathExists=/var/run/qubes-service/apt-cacher-ng
ConditionPathExists=/var/run/qubes-service/acng-server
After=qubes-sysinit.service
Before=qubes-qrexec-agent.service

[Service]
ExecStartPre=chown -R apt-cacher-ng:apt-cacher-ng /var/log/apt-cacher-ng /var/cache/apt-cacher-ng
ExecStart=
ExecStart=/usr/sbin/apt-cacher-ng -c "/etc/qubes-apt-cacher-ng" ForeGround=1
ExecStart=/usr/sbin/apt-cacher-ng -c "/etc/qusal-apt-cacher-ng" ForeGround=1
@ -23,13 +23,13 @@ SPDX-License-Identifier: AGPL-3.0-or-later

"{{ slsdotpath }}-install-client-systemd":
file.managed:
- name: /usr/lib/systemd/system/qubes-apt-cacher-ng-repo.service
- source: salt://{{ slsdotpath }}/files/client/systemd/qubes-apt-cacher-ng-repo.service
- name: /usr/lib/systemd/system/qusal-apt-cacher-ng-repo.service
- source: salt://{{ slsdotpath }}/files/client/systemd/qusal-apt-cacher-ng-repo.service
- mode: "0644"
- group: root
- user: root
- makedirs: True

"{{ slsdotpath }}-install-client-systemd-start-qubes-apt-cacher-ng-repo.service":
"{{ slsdotpath }}-install-client-systemd-start-qusal-apt-cacher-ng-repo.service":
service.enabled:
- name: qubes-apt-cacher-ng-repo.service
- name: qusal-apt-cacher-ng-repo.service
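Review bot: the unit is renamed, but nothing in this state disables or removes the previously installed `/usr/lib/systemd/system/qubes-apt-cacher-ng-repo.service`, so a template upgraded in place ends up with both the old and the new unit installed and enabled. Add a `service.disabled` and a `file.absent` for the legacy name (the uninstall state in this commit only removes the new name).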
@ -37,25 +37,14 @@ include:
service.enabled:
- name: apt-cacher-ng

## TODO: legacy: remove after some weeks for user to have time to upgrade
"{{ slsdotpath }}-mask-qubes-apt-cacher-ng":
service.masked:
- name: qubes-apt-cacher-ng
- runtime: False

## TODO: legacy: remove after some weeks for user to have time to upgrade
"{{ slsdotpath }}-disable-qubes-apt-cacher-ng":
service.disabled:
- name: qubes-apt-cacher-ng

"{{ slsdotpath }}-create-qubes-cacher-config-dir":
file.directory:
- name: /etc/qubes-apt-cacher-ng
- name: /etc/qusal-apt-cacher-ng
- mode: '0755'

"{{ slsdotpath }}-copy-package-config-to-qubes-cacher-config":
cmd.run:
- name: cp -rp /etc/apt-cacher-ng/* /etc/qubes-apt-cacher-ng
- name: cp -rp /etc/apt-cacher-ng/* /etc/qusal-apt-cacher-ng

"{{ slsdotpath }}-systemd-service":
file.managed:
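Review bot: the legacy mask/disable states for `qubes-apt-cacher-ng` are dropped in the same change that renames the config directory to `/etc/qusal-apt-cacher-ng`, yet nothing removes the old `/etc/qubes-apt-cacher-ng`, so two copies of the cacher configuration stay in the template; a `file.absent` for the old directory would close that. Also, the `cmd.run` with `cp -rp /etc/apt-cacher-ng/* /etc/qusal-apt-cacher-ng` has no `unless`/`creates`, so every `state.apply` re-copies the package defaults over the directory before the later `file.recurse` writes the managed files back; a `creates:` guard keeps it idempotent.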
@ -68,12 +57,12 @@ include:

"{{ slsdotpath }}-update-deb_mirrors.gz":
cmd.run:
- name: cp /usr/lib/apt-cacher-ng/deb_mirrors.gz /etc/qubes-apt-cacher-ng/deb_mirrors.gz
- name: cp /usr/lib/apt-cacher-ng/deb_mirrors.gz /etc/qusal-apt-cacher-ng/deb_mirrors.gz
- runas: root

"{{ slsdotpath }}-update-conf":
file.recurse:
- name: /etc/qubes-apt-cacher-ng/
- name: /etc/qusal-apt-cacher-ng/
- source: salt://{{ slsdotpath }}/files/server/conf/
- file_mode: "0644"
- group: root
@ -27,4 +27,4 @@ SPDX-License-Identifier: AGPL-3.0-or-later

"{{ slsdotpath }}-uninstall-client-systemd-service":
file.absent:
- name: /usr/lib/systemd/system/qubes-apt-cacher-ng-repo.service
- name: /usr/lib/systemd/system/qusal-apt-cacher-ng-repo.service
@ -15,6 +15,7 @@ if ! command -v git >/dev/null; then
die "Command not found: git"
fi

## TODO: subdirectory? dir+repo
untrusted_repo="${QREXEC_SERVICE_ARGUMENT}"

if test -z "${untrusted_repo}"; then
@ -7,7 +7,7 @@ SPDX-License-Identifier: AGPL-3.0-or-later

{% if grains['nodename'] != 'dom0' %}

"{{ slsdotpath }}-browser-auto-tcp-connect":
"{{ slsdotpath }}-browser-rc.local":
file.managed:
- name: /rw/config/rc.local.d/50-sys-pihole.rc
- source: salt://{{ slsdotpath }}/files/browser/rc.local.d/50-sys-pihole.rc
@ -16,6 +16,16 @@ SPDX-License-Identifier: AGPL-3.0-or-later
- group: root
- makedirs: True

"{{ slsdotpath }}-browser-systemd-services":
file.recurse:
- name: /rw/config/systemd/
- source: salt://{{ slsdotpath }}/files/browser/systemd/
- dir_mode: '0755'
- file_mode: '0644'
- user: root
- group: root
- makedirs: True

"{{ slsdotpath }}-browser-desktop-application":
file.managed:
- name: /home/user/.local/share/applications/pihole-browser.desktop
@ -78,6 +78,8 @@ prefs:
- maxmem: 600
- include_in_backups: False
features:
- enable:
- service.http-client
- disable:
- service.cups
- service.cups-browsed
@ -1,7 +1,9 @@
#!/bin/sh
# vim: ft=sh
# SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
# SPDX-FileCopyrightText: 2023 - 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com>
#
# SPDX-License-Identifier: AGPL-3.0-or-later

qvm-connect-tcp 80:@default:80
cp -r /rw/config/systemd/qubes-http-forwarder* /usr/lib/systemd/system/
systemctl daemon-reload
systemctl --no-block restart qubes-http-forwarder.socket
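Review bot: the glob `/rw/config/systemd/qubes-http-forwarder*` and `systemctl --no-block restart qubes-http-forwarder.socket` keep the `qubes-` prefix, while the commit moves Qusal units to `qusal-` everywhere else (the sys-syncthing counterpart copies `qusal-syncthing-browser-forwarder*`). If the unit files under `files/browser/systemd/` were renamed, this script copies nothing and the restart fails at every boot; rename here as well, or keep both sides on the same name.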
@ -3,12 +3,13 @@
# SPDX-License-Identifier: AGPL-3.0-or-later

[Unit]
Description=Forward connection to SSH over Qrexec
Description=Forward HTTP connection over Qrexec
After=qubes-sysinit.service
ConditionPathExists=/var/run/qubes-service/ssh-setup
Before=qubes-qrexec-agent.service
ConditionPathExists=/var/run/qubes-service/http-client

[Socket]
ListenStream=127.0.0.1:840
ListenStream=127.0.0.1:80
BindToDevice=lo
Accept=true
@ -0,0 +1,11 @@
# SPDX-FileCopyrightText: 2023 - 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com
#
# SPDX-License-Identifier: AGPL-3.0-or-later

[Unit]
Description=Forward HTTP connection over Qrexec

[Service]
ExecStart=/usr/bin/qrexec-client-vm @default qubes.ConnectTCP+80
StandardInput=socket
StandardOutput=inherit
@ -6,28 +6,36 @@ SQzvYjsE4I34To4UdE9KA97wrQjGoz2Bx72WDLyWwctD3DKQtYeHXswXXtXwKfjQ
7Fy4+Bf5IPh76dA8NJ6UtjjLIDlKqdxLW4atHe6xWFaJ+XdLUtsAroZcXBeWDCPa
buXCDscJcLJRKZVc62gOZXXtPfoHqvUPp3nuLA4YjH9bphbrMWMf810Wxz9JTd3v
yWgGqNY0zbBqeZoGv+TuExlRHT8ASGFS9SVDABEBAAHNNUdpdEh1YiAod2ViLWZs
b3cgY29tbWl0IHNpZ25pbmcpIDxub3JlcGx5QGdpdGh1Yi5jb20+wsBiBBMBCAAW
BQJZlGhBCRBK7hj4Ov3rIwIbAwIZAQAAmQEIACATWFmi2oxlBh3wAsySNCNV4IPf
DDMeh6j80WT7cgoX7V7xqJOxrfrqPEthQ3hgHIm7b5MPQlUr2q+UPL22t/I+ESF6
9b0QWLFSMJbMSk+BXkvSjH9q8jAO0986/pShPV5DU2sMxnx4LfLfHNhTzjXKokws
+8ptJ8uhMNIDXfXuzkZHIxoXk3rNcjDN5c5X+sK8UBRH092BIJWCOfaQt7v7wig5
4Ra28pM9GbHKXVNxmdLpCFyzvyMuCmINYYADsC848QQFFwnd4EQnupo6QvhEVx1O
j7wDwvuH5dCrLuLwtwXaQh0onG4583p0LGms2Mf5F+Ick6o/4peOlBoZz48=
=HXDP
-----END PGP PUBLIC KEY BLOCK----------BEGIN PGP PUBLIC KEY BLOCK-----

xsBNBFmUaEEBCACzXTDt6ZnyaVtueZASBzgnAmK13q9Urgch+sKYeIhdymjuMQta
x15OklctmrZtqre5kwPUosG3/B2/ikuPYElcHgGPL4uL5Em6S5C/oozfkYzhwRrT
SQzvYjsE4I34To4UdE9KA97wrQjGoz2Bx72WDLyWwctD3DKQtYeHXswXXtXwKfjQ
7Fy4+Bf5IPh76dA8NJ6UtjjLIDlKqdxLW4atHe6xWFaJ+XdLUtsAroZcXBeWDCPa
buXCDscJcLJRKZVc62gOZXXtPfoHqvUPp3nuLA4YjH9bphbrMWMf810Wxz9JTd3v
yWgGqNY0zbBqeZoGv+TuExlRHT8ASGFS9SVDABEBAAHNNUdpdEh1YiAod2ViLWZs
b3cgY29tbWl0IHNpZ25pbmcpIDxub3JlcGx5QGdpdGh1Yi5jb20+wsBiBBMBCAAW
BQJZlGhBCRBK7hj4Ov3rIwIbAwIZAQAAmQEIACATWFmi2oxlBh3wAsySNCNV4IPf
DDMeh6j80WT7cgoX7V7xqJOxrfrqPEthQ3hgHIm7b5MPQlUr2q+UPL22t/I+ESF6
9b0QWLFSMJbMSk+BXkvSjH9q8jAO0986/pShPV5DU2sMxnx4LfLfHNhTzjXKokws
+8ptJ8uhMNIDXfXuzkZHIxoXk3rNcjDN5c5X+sK8UBRH092BIJWCOfaQt7v7wig5
4Ra28pM9GbHKXVNxmdLpCFyzvyMuCmINYYADsC848QQFFwnd4EQnupo6QvhEVx1O
j7wDwvuH5dCrLuLwtwXaQh0onG4583p0LGms2Mf5F+Ick6o/4peOlBoZz48=
=HXDP
b3cgY29tbWl0IHNpZ25pbmcpIDxub3JlcGx5QGdpdGh1Yi5jb20+wsBoBBMBCAAc
BQJZlGhBCRBK7hj4Ov3rIwIbAwUJDBJ3/wIZAQAA0O4IAJd0k8M+urETyMvTqNTj
/U6nbqyOdKE4V93uUj5G7sNTfno7wod/Qjj6Zv5KodvA93HmEdQqsmVq5YJ5KGiw
cmGCpd/GqJRPaYSY0hSUSBqYHiHLusCJkPBpQTBhcEMtfVCB2J6fVeoX2DV0K1xf
CGblrSVB0viAxUMnmL5C55RuvbYZsTu8szXhkvIR96CtWbJ8QGaEf1/KSpWz8ept
Y/omf3UPfvdOjnsxc8jVEqPNaR9xC6Q6t53rBa/XgMY6IYyesnyYnc5O6JuexUFa
VjykRFtAiYfDaMARpXOmgMm0lhoBRKb/uMUaN3CSYTmE4pZweJcUi7eWgmoQljX2
ut6ZAg0EZabFdgEQALI37i+IVAzpBCgqvQDZbSsZ0yhtMnA5myjZA+l7BvIGy4ve
s1bk6YetbBcCE8o2pQjI7N2rwyhLGhNO6ouSyhqGLEQv9fafKE4HFH0aRjP+gj1H
edhwtFoVChImhV863rWimQtTNtYB6GluBPwQqWfwmwQ2rT7ScOVZCLSHZD2gaaqW
BXOyTCZVnwt7K/gyDuE3qzDJnuahl+SSkPn5TtnZdW6sLORJJ+DjNvaUxEsmizZ4
IBzvj0QKxfS3s4F+0X5iqCMheLFeybZGtSq9Tjs6Q61l4CG8Bh6dsLemv0WFrk3G
gFQRr7XUwr1bo5xGHC/FUJSsxRHoVNJnIL/9WldNO2tGU6qlTnAYxs/fOmf2B6o5
cKXysXv7WAA8b+j5AVBMGxUSu7CLglaiCJC5DI7AAiUV7/t29rFZkam//Jbb4veC
4vvFocoVUaxrKGWK1BDldr4/WJKApJcPJF4Jtai1+oB6ak/JIjbkseHdJxcjo2B0
dKtIFoWiPAB+DFs9MRDpp0iwocJCh+ucus1rdQ54YMaI44rRphXeOIQMYCi5q2Q1
/arzkSiyPV/2VoKoAfdgskPt1xKd7WIKErmpFMHIy8jJ5IPQ1s2dUwU4alfJLJa0
pvaV2m7wBYFAmwmz0WZgFxYAYEDamn4jFoKfqsEgcixRUVE3w5VkqwSwGRbLABEB
AAG0G0dpdEh1YiA8bm9yZXBseUBnaXRodWIuY29tPokCTgQTAQoAOBYhBJaEeaGv
+SfjfRpWa7VpDu67lSGUBQJlpsV2AhsDBQsJCAcCBhUKCQgLAgQWAgMBAh4BAheA
AAoJELVpDu67lSGUgy4QAKW9XAL416iKrQB2LElmxqAoenHVCswlau0xGLh5dVNN
p5f4/W6eEL8CZI7hfF3e5Gh6Me99aHgXSCK1QnxcqCJ6Oea4ZyrsNu3k6g7Um5ca
VbYFD4yIahhXDYHSw6FYM2sgFY479YvgvKRwacC2tFfChLRbHgwLJ3O1dBjmVycJ
Zpbyu+7taZ26g6KQfgcj3uuo3nz3p1ziIEpLHwtl/7joNEIIP/lJ8AKmUHPiGznN
6fxMvzN37PGMWtdvOi1rSNIMQYr1YY7jPnlLbFJwLrO/q/cGPU5HwGzlqh0a2ZqY
dnuwT3DREmgJ83H71xH+sTzZKs5oGlVTu6st7iWDvNpo2GoN01XzKa5caYglqsOC
uZ6IHlsdL50sXMtSROCi3hEWU9r1sWIm4k3pNz20y7lElD2X/MqbEMcgpawCV7lH
rm7MSrTgu6BNAF0SisbF9AKwXaBr2dwpMMyIBOFZO9mk4/c0n9q2FlGY4GkbgH2J
HqulFTwX/4yiQbh8gzCe+06FZAWITN1OQntTkkCQ+1MCZPf+bOfC08RTsOsVZIYB
2qAgw6XE0IF4a+PAtHSoYftwH2ocMY2gMuSNpQWm7m0+/j+K+RBoeUcnGNPQgszq
N60IDMqkqHjyubrm2aslfopWmPSvaQoyxwV/uztdo+UI0IV2z9gD7Sm49vMkpYp8
=uMz0
-----END PGP PUBLIC KEY BLOCK-----
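Review bot: the removed lines show why the old file was unusable: two armored blocks were fused on one line (`-----END PGP PUBLIC KEY BLOCK----------BEGIN PGP PUBLIC KEY BLOCK-----`), so the second key never parsed. The replacement is a single armored block, but since this file is a trust anchor for commit verification the commit message should state the key fingerprint(s) the new content is expected to carry, so a reviewer can check them against GitHub's published web-flow key rather than trusting the repository copy; a CI step that runs `gpg --show-keys` on the file would catch a future fusion like the old one.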
@ -64,12 +64,12 @@ sudo qubesctl --skip-dom0 --targets=tpl-sys-print state.apply sys-print.install-

On the client template:
```sh
sudo qubesctl --skip-dom0 --targets=tpl-QUBE state.apply sys-print.install-client
sudo qubesctl --skip-dom0 --targets=TEMPLATE state.apply sys-print.install-client
```

The client qube requires the split Print service to be enabled:
```sh
qvm-features QUBE service.print-setup 1
qvm-features QUBE service.print-client 1
```

## Access Control
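Review bot: the feature is renamed from `service.print-setup` to `service.print-client` without a migration note; a client qube set up under the old name keeps `print-setup` and the new socket's `ConditionPathExists=/var/run/qubes-service/print-client` never holds, so printing silently stops after the template update. Add an upgrade line telling existing users to run `qvm-features QUBE service.print-client 1` and drop the old feature; the rsync and ssh READMEs changed in this commit need the same.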
@ -1,25 +0,0 @@
# SPDX-FileCopyrightText: 2023 unman <unman@thirdeyesecurity.org>
# SPDX-FileCopyrightText: 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com>
#
# SPDX-License-Identifier: AGPL-3.0-or-later

[Unit]
Description=Print over Qrexec
After=qubes-sysinit.service
After=qubes-qrexec-agent.service
ConditionPathExists=/var/run/qubes-service/print-setup

[Service]
ExecStart=/usr/bin/socat TCP4-LISTEN:631,reuseaddr,fork,end-close EXEC:"qrexec-client-vm @default qusal.Print"
Restart=on-failure
RestartSec=3

# Hardening
ProtectSystem=full

SystemCallArchitectures=native
MemoryDenyWriteExecute=true
NoNewPrivileges=true

[Install]
WantedBy=multi-user.target
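Review bot: deleting this unit also deletes its hardening block (`ProtectSystem=full`, `SystemCallArchitectures=native`, `MemoryDenyWriteExecute=true`, `NoNewPrivileges=true`), and the replacement `qusal-print-forwarder@.service` added in this commit carries only `ExecStart`, `StandardInput` and `StandardOutput`. The per-connection `qrexec-client-vm` is the process that handles whatever arrives on the local port, so it deserves the same directives plus a `User=`; moving from socat to socket activation should not be a net loss of sandboxing.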
@ -0,0 +1,17 @@
# SPDX-FileCopyrightText: 2023 - 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com
#
# SPDX-License-Identifier: AGPL-3.0-or-later

[Unit]
Description=Forward Print connection over Qrexec
After=qubes-sysinit.service
Before=qubes-qrexec-agent.service
ConditionPathExists=/var/run/qubes-service/print-client

[Socket]
ListenStream=127.0.0.1:631
BindToDevice=lo
Accept=true

[Install]
WantedBy=multi-user.target
@ -0,0 +1,11 @@
# SPDX-FileCopyrightText: 2023 - 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com
#
# SPDX-License-Identifier: AGPL-3.0-or-later

[Unit]
Description=Forward Print connection over Qrexec

[Service]
ExecStart=/usr/bin/qrexec-client-vm @default qusal.Print
StandardInput=socket
StandardOutput=inherit
@ -5,24 +5,16 @@ SPDX-FileCopyrightText: 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com>
SPDX-License-Identifier: AGPL-3.0-or-later
#}

"{{ slsdotpath }}-installed-client":
pkg.installed:
- require:
- sls: utils.tools.common.update
- install_recommends: False
- skip_suggestions: True
- pkgs:
- socat

"{{ slsdotpath }}-client-systemd-print-forwarder":
file.managed:
- name: /usr/lib/systemd/system/qusal-print-forwarder.service
- source: salt://{{ slsdotpath }}/files/client/systemd/qusal-print-forwarder.service
- mode: '0644'
"{{ slsdotpath }}-client-systemd":
file.recurse:
- name: /usr/lib/systemd/system/
- source: salt://{{ slsdotpath }}/files/client/systemd/
- file_mode: '0644'
- dir_mode: '0755'
- user: root
- group: root
- makedirs: True

"{{ slsdotpath }}-enable-systemd-service-print-forwarder":
"{{ slsdotpath }}-enable-systemd-service-print-forwarder.socket":
service.enabled:
- name: qusal-print-forwarder.service
- name: qusal-print-forwarder.socket
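Review bot: switching from `file.managed` of `qusal-print-forwarder.service` to `file.recurse` of the directory leaves the previously installed `qusal-print-forwarder.service` in `/usr/lib/systemd/system/` and still enabled on templates upgraded in place (`file.recurse` without `clean: True` deletes nothing), while the `socat` that unit executes is no longer guaranteed to be present now that the `pkg.installed` state is gone. Add a `service.disabled` and `file.absent` for the old `.service` so the stale unit cannot race the new socket for port 631.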
@ -49,7 +49,7 @@ sudo qubesctl --skip-dom0 --targets=TEMPLATE state.apply sys-rsync.install-clien

The client qube requires the Rsync forwarder service to be enabled:
```
qvm-features QUBE service.rsync-setup 1
qvm-features QUBE service.rsync-client 1
```

## Access Control
@ -1,6 +1,6 @@
{#
SPDX-FileCopyrightText: 2022 unman <unman@thirdeyesecurity.org>
SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
SPDX-FileCopyrightText: 2023 - 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com>

SPDX-License-Identifier: AGPL-3.0-or-later
#}
@ -8,15 +8,6 @@ SPDX-License-Identifier: AGPL-3.0-or-later
include:
- dev.home-cleanup

"{{ slsdotpath }}-start-rsync-on-boot":
file.managed:
- name: /rw/config/rc.local.d/50-sys-rsync.rc
- source: salt://{{ slsdotpath }}/files/server/rc.local.d/50-sys-rsync.rc
- mode: '0755'
- user: root
- group: root
- makedirs: True

"{{ slsdotpath }}-creates-local-rsync-configuration-dir":
file.directory:
- name: /usr/local/etc/rsync.d
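Review bot: the state that deployed `/rw/config/rc.local.d/50-sys-rsync.rc` is removed, but that file lives in the qube's persistent `/rw` and nothing in this commit deletes it, so an existing `sys-rsync` keeps running `systemctl unmask rsync` and `systemctl --no-block restart rsync` at every boot regardless of the new `ConditionPathExists=/var/run/qubes-service/rsync-server` gate. Add a `file.absent` for it in this configure state (or in clean) so upgraded qubes actually move to the Qubes Service mechanism.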
@ -41,6 +41,7 @@ prefs:
features:
- enable:
- servicevm
- service.rsync-server
- disable:
- service.cups
- service.cups-browsed
@ -3,9 +3,9 @@
# SPDX-License-Identifier: AGPL-3.0-or-later

[Unit]
Description=Forward connection to Rsync over Qrexec
Description=Forward Rsync connection over Qrexec
After=qubes-sysinit.service
ConditionPathExists=/var/run/qubes-service/rsync-setup
ConditionPathExists=/var/run/qubes-service/rsync-client

[Socket]
ListenStream=127.0.0.1:1839
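Review bot: the `[Unit]` section here has `After=qubes-sysinit.service` but no `Before=qubes-qrexec-agent.service`, whereas the HTTP, print and SSH forwarder sockets in this commit all order themselves before the agent so the local port is listening before anything can be triggered over qrexec. Add the same `Before=` line for consistency and to avoid a connection-refused window at boot.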
@ -3,7 +3,7 @@
# SPDX-License-Identifier: AGPL-3.0-or-later

[Unit]
Description=Forward connection to Rsync over Qrexec
Description=Forward Rsync connection over Qrexec

[Service]
ExecStart=/usr/bin/qrexec-client-vm @default qusal.Rsync
@ -1,8 +0,0 @@
#!/bin/sh
# vim: ft=sh
# SPDX-FileCopyrightText: 2022 unman <unman@thirdeyesecurity.org>
#
# SPDX-License-Identifier: AGPL-3.0-or-later

systemctl unmask rsync
systemctl --no-block restart rsync
@ -0,0 +1,8 @@
# SPDX-FileCopyrightText: 2023 - 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com>
#
# SPDX-License-Identifier: AGPL-3.0-or-later
# vim: ft=systemd
[Unit]
ConditionPathExists=/var/run/qubes-service/rsync-server
After=qubes-sysinit.service
Before=qubes-qrexec-agent.service
@ -30,8 +30,8 @@ include:
- group: root
- makedirs: True

"{{ slsdotpath }}-client-systemd-start-qubes-rsync-forwarder.socket":
"{{ slsdotpath }}-client-systemd-enable-qusal-rsync-forwarder.socket":
service.enabled:
- name: qubes-rsync-forwarder.socket
- name: qusal-rsync-forwarder.socket

{% endif -%}
@ -20,16 +20,22 @@ include:
- rsync
- man-db

"{{ slsdotpath }}-stop-rsync":
service.dead:
"{{ slsdotpath }}-systemd":
file.recurse:
- name: /usr/lib/systemd/system/
- source: salt://{{ slsdotpath }}/files/server/systemd/
- dir_mode: '0755'
- file_mode: '0644'
- user: root
- group: root
- makedirs: True

"{{ slsdotpath }}-unmask-rsync":
service.unmasked:
- name: rsync

"{{ slsdotpath }}-disable-rsync":
service.disabled:
- name: rsync

"{{ slsdotpath }}-mask-rsync":
service.masked:
"{{ slsdotpath }}-enable-rsync":
service.enabled:
- name: rsync

"{{ slsdotpath }}-set-rsyncd.conf":
@ -150,7 +150,7 @@ Or you can manually add the key to the agent which are not located under the
`~/.ssh/identities.d` directory so they aren't automatically added (substitute
AGENT, SECS, and LIFE for their appropriate values):
```sh
SSH_AUTH_SOCK="/run/user/1000/qubes-ssh-agent/<AGENT>.sock" ssh-add -t <SECS> -f <FILE>
SSH_AUTH_SOCK="/run/user/1000/qusal-ssh-agent/<AGENT>.sock" ssh-add -t <SECS> -f <FILE>
```

#### Reload agent
@ -177,17 +177,17 @@ qvm-ssh-agent ls <AGENT>
Enable and start the connection to the SSH Agent via Qrexec for specified
`<AGENT>`:
```sh
sudo systemctl --no-block restart qubes-ssh-agent-forwarder@<AGENT>.service
sudo systemctl --no-block restart qubes-ssh-agent-forwarder@personal.service
sudo systemctl --no-block restart qusal-ssh-agent-forwarder@<AGENT>.service
sudo systemctl --no-block restart qusal-ssh-agent-forwarder@personal.service
```
You can start the service on boot if you place the above line
`/rw/config/rc.local` of the client.

The ssh-agent socket will be at `/tmp/qubes-ssh-agent-forwarder/<AGENT>.sock`.
The ssh-agent socket will be at `/tmp/qusal-ssh-agent-forwarder/<AGENT>.sock`.

You can test the connection is working with:
```sh
SSH_AUTH_SOCK="/tmp/qubes-ssh-agent-forwarder/personal.sock" ssh-add -l
SSH_AUTH_SOCK="/tmp/qusal-ssh-agent-forwarder/personal.sock" ssh-add -l
```

#### Single agent per client
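Review bot: documentation nit on the unchanged context: "You can start the service on boot if you place the above line `/rw/config/rc.local` of the client." is missing "in"; since the surrounding lines are being touched anyway, rewrite it as "You can start the service on boot by placing the above line in `/rw/config/rc.local` of the client." The sentence also keeps the rc.local approach this commit is retiring elsewhere; if the template unit cannot be gated by a Qubes Service because of the `@<AGENT>` instance name, a short remark saying so would stop readers from expecting a `qvm-features` switch here.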
@ -196,8 +196,8 @@ You might want to set the `SSH_AUTH_SOCK` and `SSH_AGENT_PID` environment
variables to point to the `work` agent so every connection will use the same
agent:
```sh
echo 'export SSH_AUTH_SOCK=/tmp/qubes-ssh-agent-forwarder/work.sock;
SSH_AGENT_PID="$(pgrep -f "/tmp/qubes-ssh-agent-forwarder/work.sock")";
echo 'export SSH_AUTH_SOCK=/tmp/qusal-ssh-agent-forwarder/work.sock;
SSH_AGENT_PID="$(pgrep -f "/tmp/qusal-ssh-agent-forwarder/work.sock")";
' | tee -a ~/.profile
```

@ -210,19 +210,19 @@ the `IdentityAgent` option.

You can control the SSH agent via SSH command-line option:
```sh
ssh -o IdentityAgent=/tmp/qubes-ssh-agent-forwarder/personal.sock personal-site.com
ssh -o IdentityAgent=/tmp/qubes-ssh-agent-forwarder/work.sock work-site.com
ssh -o IdentityAgent=/tmp/qusal-ssh-agent-forwarder/personal.sock personal-site.com
ssh -o IdentityAgent=/tmp/qusal-ssh-agent-forwarder/work.sock work-site.com
```
You can control the SSH agent via SSH configuration:
```sshconfig
Host personal
IdentityAgent /tmp/qubes-ssh-agent-forwarder/personal.sock
IdentityAgent /tmp/qusal-ssh-agent-forwarder/personal.sock
...
Host work
IdentityAgent /tmp/qubes-ssh-agent-forwarder/work.sock
IdentityAgent /tmp/qusal-ssh-agent-forwarder/work.sock
...
```

## Credits

- [Unman](https://github.com/unman/qubes-ssh-agent)
- [Unman](https://github.com/unman/qusal-ssh-agent)
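Review bot: the Credits entry changes from `https://github.com/unman/qubes-ssh-agent` to `https://github.com/unman/qusal-ssh-agent`, which looks like the `qubes-` to `qusal-` search-and-replace overreaching: this is a link to unman's upstream repository, not a Qusal unit name, and the rewritten URL would need to exist to be of any use. Restore the original link.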
@ -1,9 +1,9 @@
# SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
# SPDX-FileCopyrightText: 2023 - 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com>
#
# SPDX-License-Identifier: AGPL-3.0-or-later

[Unit]
Description=SSH Agent Forwarder to Qrexec SSH Agent %i
Description=Forward SSH Agent %i over Qrexec

[Service]
User=user
@ -1,12 +1,12 @@
#!/bin/sh

# SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
# SPDX-FileCopyrightText: 2023 - 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com>
#
# SPDX-License-Identifier: AGPL-3.0-or-later

set -eu

service="qubes-ssh-agent"
service="qusal-ssh-agent"

usage(){
echo "Usage: ${0##*/} [ls|add] <AGENT>
@ -24,7 +24,7 @@ if test "${#untrusted_agent}" -gt 128; then
fi

agent="${untrusted_agent}"
socket="/tmp/qubes-ssh-agent/${agent}.sock"
socket="/tmp/qusal-ssh-agent/${agent}.sock"

qvm-ssh-agent add "${agent}" >/dev/null
exec socat STDIO UNIX-CLIENT:"${socket}"
@ -39,7 +39,6 @@ sudo qubesctl top.disable sys-ssh
```sh
sudo qubesctl state.apply sys-ssh.create
sudo qubesctl --skip-dom0 --targets=tpl-sys-ssh state.apply sys-ssh.install
sudo qubesctl --skip-dom0 --targets=sys-ssh state.apply sys-ssh.configure
```
<!-- pkg:end:post-install -->

@ -50,7 +49,7 @@ sudo qubesctl --skip-dom0 --targets=TEMPLATE state.apply sys-ssh.install-client

The client qube requires the SSH forwarder service to be enabled:
```
qvm-features QUBE service.ssh-setup 1
qvm-features QUBE service.ssh-client 1
```

## Access Control
@ -1,30 +0,0 @@
{#
SPDX-FileCopyrightText: 2022 unman <unman@thirdeyesecurity.org>
SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>

SPDX-License-Identifier: AGPL-3.0-or-later
#}

{% if grains['nodename'] != 'dom0' -%}

include:
- dev.home-cleanup

"{{ slsdotpath }}-start-ssh-on-boot":
file.managed:
- name: /rw/config/rc.local.d/50-sys-ssh.rc
- source: salt://{{ slsdotpath }}/files/server/rc.local.d/50-sys-ssh.rc
- mode: '0755'
- user: root
- group: root
- makedirs: True

"{{ slsdotpath }}-creates-home-ssh-dir":
file.directory:
- name: /home/user/.ssh
- mode: '0700'
- user: user
- group: user
- makedirs: True

{% endif -%}
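Review bot: deleting this file removes more than the rc.local hook: the `{{ slsdotpath }}-creates-home-ssh-dir` state that created `/home/user/.ssh` with mode `0700`, and the server's `include` of `dev.home-cleanup`, both go away, and nothing in the visible diff re-creates the `.ssh` directory that `sshd` needs for `authorized_keys`. Confirm that is handled elsewhere or keep that state in another sls. As with rsync, the `/rw/config/rc.local.d/50-sys-ssh.rc` already deployed on existing `sys-ssh` qubes is left in place with no state removing it.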
@ -1,9 +0,0 @@
{#
SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>

SPDX-License-Identifier: AGPL-3.0-or-later
#}

base:
'sys-ssh':
- sys-ssh.configure
@ -41,6 +41,7 @@ prefs:
features:
- enable:
- servicevm
- service.ssh-server
- disable:
- service.cups
- service.cups-browsed
11
salt/sys-ssh/files/client/ssh_config.d/50-qusal-sys-ssh.conf
Normal file
@ -0,0 +1,11 @@
# vim: ft=sshconfig

# SPDX-FileCopyrightText: 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com>
#
# SPDX-License-Identifier: AGPL-3.0-or-later

Host default-qubes-server
Hostname 127.0.0.1
User user
Port 1840
StrictHostKeyChecking no
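Review bot: `StrictHostKeyChecking no` for `Host default-qubes-server` turns off host-key verification for every connection that goes through the forwarder, so a client has no way to notice if the `@default` qrexec policy is later pointed at a different server qube or the server's key changes. Prefer `StrictHostKeyChecking accept-new` together with a dedicated `UserKnownHostsFile` for this host alias, which pins the key on first use and still reports a change afterwards.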
17
salt/sys-ssh/files/client/systemd/qusal-ssh-forwarder.socket
Normal file
@ -0,0 +1,17 @@
# SPDX-FileCopyrightText: 2023 - 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com
#
# SPDX-License-Identifier: AGPL-3.0-or-later

[Unit]
Description=Forward SSH connection over Qrexec
After=qubes-sysinit.service
Before=qubes-qrexec-agent.service
ConditionPathExists=/var/run/qubes-service/ssh-client

[Socket]
ListenStream=127.0.0.1:1840
BindToDevice=lo
Accept=true

[Install]
WantedBy=multi-user.target
@ -1,9 +1,9 @@
# SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com
# SPDX-FileCopyrightText: 2023 - 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com
#
# SPDX-License-Identifier: AGPL-3.0-or-later

[Unit]
Description=Forward connection to SSH over Qrexec
Description=Forward SSH connection over Qrexec

[Service]
ExecStart=/usr/bin/qrexec-client-vm @default qusal.Ssh
@ -1,8 +0,0 @@
#!/bin/sh
# vim: ft=sh
# SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
#
# SPDX-License-Identifier: AGPL-3.0-or-later

systemctl unmask ssh
systemctl --no-block restart ssh
@ -0,0 +1,8 @@
# SPDX-FileCopyrightText: 2023 - 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com>
#
# SPDX-License-Identifier: AGPL-3.0-or-later
# vim: ft=systemd
[Unit]
ConditionPathExists=/var/run/qubes-service/ssh-server
After=qubes-sysinit.service
Before=qubes-qrexec-agent.service
@ -10,5 +10,3 @@ base:
- sys-ssh.create
'tpl-sys-ssh':
- sys-ssh.install
'sys-ssh':
- sys-ssh.configure
@ -28,6 +28,15 @@ include:
- skip_suggestions: True
- pkgs: {{ pkg.pkg|sequence|yaml }}

"{{ slsdotpath }}-ssh-config":
file.managed:
- name: /etc/ssh/ssh_config.d/50-qusal-{{ slsdotpath }}.conf
- source: salt://{{ slsdotpath }}/files/client/ssh_config.d/50-qusal-{{ slsdotpath }}.conf
- mode: '0644'
- user: root
- group: root
- makedirs: True

"{{ slsdotpath }}-client-systemd":
file.recurse:
- name: /usr/lib/systemd/system/
@ -38,8 +47,8 @@ include:
- group: root
- makedirs: True

"{{ slsdotpath }}-client-systemd-start-qubes-ssh-forwarder.socket":
"{{ slsdotpath }}-client-systemd-start-qusal-ssh-forwarder.socket":
service.enabled:
- name: qubes-ssh-forwarder.socket
- name: qusal-ssh-forwarder.socket

{% endif -%}
@ -20,16 +20,21 @@ include:
- openssh-server
- man-db

"{{ slsdotpath }}-stop-ssh":
service.dead:
"{{ slsdotpath }}-ssh-systemd-service":
file.managed:
- name: /usr/lib/systemd/system/ssh.service.d/50_qusal.conf
- source: salt://{{ slsdotpath }}/files/server/systemd/ssh.service.d/50_qusal.conf
- mode: '0644'
- user: root
- group: root
- makedirs: True

"{{ slsdotpath }}-unmask-ssh":
service.unmasked:
- name: ssh

"{{ slsdotpath }}-disable-ssh":
service.disabled:
- name: ssh

"{{ slsdotpath }}-mask-ssh":
service.masked:
"{{ slsdotpath }}-enable-ssh":
service.enabled:
- name: ssh

"{{ slsdotpath }}-rpc":
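Review bot: the drop-in is written to `/usr/lib/systemd/system/ssh.service.d/50_qusal.conf`, but `/usr/lib/systemd/system` is the vendor tree; administrator overrides belong in `/etc/systemd/system/ssh.service.d/`, which also takes precedence should the package ever ship a drop-in of the same name. The rsync drop-in recursed into `/usr/lib/systemd/system/` in this commit has the same issue. Note too that `ssh.service` and `service.enabled: - name: ssh` assume Debian naming; on a Fedora template the unit is `sshd.service`, so the state should either guard on the OS grain or document that it targets Debian templates only.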
@ -52,9 +57,9 @@ include:

"{{ slsdotpath }}-sshd-config":
file.managed:
- name: /etc/ssh/sshd_config.d/{{ slsdotpath }}.conf
- source: salt://{{ slsdotpath }}/files/server/sshd_config.d/{{ slsdotpath }}.conf
- mode: '0755'
- name: /etc/ssh/sshd_config.d/50-qusal-{{ slsdotpath }}.conf
- source: salt://{{ slsdotpath }}/files/server/sshd_config.d/50-qusal-{{ slsdotpath }}.conf
- mode: '0644'
- user: root
- group: root
- makedirs: True
@ -52,9 +52,11 @@ Install Syncthing on the client template:
sudo qubesctl --skip-dom0 --targets=TEMPLATE state.apply sys-syncthing.install-client
```

The client qube requires the split Syncthing service to be enabled:
The client qube requires the split Syncthing and the Syncthing Daemon service
to be enabled:
```sh
qvm-features QUBE service.syncthing-setup 1
qvm-features QUBE service.syncthing-client 1
qvm-features QUBE service.syncthing-server 1
```

## Access Control
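Review bot: the new sentence "requires the split Syncthing and the Syncthing Daemon service to be enabled" reads awkwardly, and enabling `service.syncthing-server` on a client qube clashes with the naming rule the design document introduces in this same commit, where `service-server` denotes the daemon of the service qube. If the client must run its own local Syncthing daemon, the convention calls for a plain `syncthing` service name for that local program; otherwise the README should say why a client needs the server feature, since readers will otherwise assume a copy-paste error.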
@ -87,8 +89,8 @@ interface. In other words, it has control over the server functions, if the
browser is compromised, it can compromise the server.

To use the service, from the client, add a Remote Device, and copy the
`DeviceID` from the server qube. On the Advanced tab, under Addresses, change
`dynamic` to `tcp://127.0.0.1:22001`
`DeviceID` from the server qube. On the `Advanced` tab, under `Addresses`,
change `dynamic` to `tcp://127.0.0.1:22001`

If the sender qube has no netvm set, under `Settings`, disable `Enable NAT
traversal`, `Local Discovery`, `Global Discovery`, and `Enable Relaying`
@ -119,7 +121,6 @@ Uninstallation procedure:
```sh
qvm-port-forward -a del -q sys-syncthing -n tcp -p 22000
qvm-port-forward -a del -q sys-syncthing -n udp -p 22000
sudo qubesctl --skip-dom0 --targets=sys-syncthing state.apply sys-syncthing.cancel
sudo qubesctl state.apply sys-syncthing.clean
```
<!-- pkg:end:preun-uninstall -->
@ -1,9 +0,0 @@
{#
SPDX-FileCopyrightText: 2022 unman <unman@thirdeyesecurity.org>

SPDX-License-Identifier: AGPL-3.0-or-later
#}

"{{ slsdotpath }}-remove-service-from-rc.local":
file.absent:
- name: /rw/config/rc.local.d/50-sys-syncthing.rc
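Review bot: `cancel.sls` was the only state that removed `/rw/config/rc.local.d/50-sys-syncthing.rc`, and the README hunk in this commit drops the `sys-syncthing.cancel` step as well, so an existing `sys-syncthing` qube keeps the old rc.local script in persistent `/rw` with nothing left to clean it up. Rather than deleting the file outright, move this `file.absent` into `clean.sls` or the configure state so upgraded qubes are migrated.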
@ -1,9 +0,0 @@
{#
SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>

SPDX-License-Identifier: AGPL-3.0-or-later
#}

base:
'sys-syncthing':
- sys-syncthing.configure
@ -11,5 +11,11 @@ SPDX-License-Identifier: AGPL-3.0-or-later
- flags:
- force

"{{ slsdotpath }}-stop-syncthing-from-starting":
qvm.features:
- name: {{ slsdotpath }}
- disable:
- service.syncthing-server

{% from 'utils/macros/policy.sls' import policy_unset with context -%}
{{ policy_unset(sls_path, '80') }}
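Review bot: the new `qvm.features` state runs after the state whose tail (`- flags:` / `- force`) is visible above; if that is the removal of the same qube, disabling `service.syncthing-server` on a qube that no longer exists will fail and abort the rest of `clean`, including `policy_unset`. Either order the feature change before the removal (with a `require`) or drop it, since a deleted qube keeps no features.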
@ -18,6 +18,15 @@ include:
- group: root
- makedirs: True

"{{ slsdotpath }}-browser-systemd-services":
file.recurse:
- name: /rw/config/systemd/
- source: salt://{{ slsdotpath }}/files/browser/systemd/
- dir_mode: '0755'
- file_mode: '0644'
- user: root
- group: root
- makedirs: True

"{{ slsdotpath }}-browser-desktop-application":
file.managed:
@ -1,5 +1,4 @@
{#
SPDX-FileCopyrightText: 2022 unman <unman@thirdeyesecurity.org>
SPDX-FileCopyrightText: 2023 - 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com>

SPDX-License-Identifier: AGPL-3.0-or-later
@ -7,12 +6,4 @@ SPDX-License-Identifier: AGPL-3.0-or-later

include:
- dotfiles.copy-xfce

"{{ slsdotpath }}-rc.local":
file.managed:
- name: /rw/config/rc.local.d/50-sys-syncthing.rc
- source: salt://{{ slsdotpath }}/files/server/rc.local.d/50-sys-syncthing.rc
- mode: '0755'
- user: root
- group: root
- makedirs: True
- dotfiles.copy-x11
@ -56,6 +56,7 @@ prefs:
features:
- enable:
- servicevm
- service.syncthing-server
- disable:
- service.cups
- service.cups-browsed
@ -83,6 +84,8 @@ prefs:
|
||||
- autostart: False
|
||||
- include_in_backups: False
|
||||
features:
|
||||
- enable:
|
||||
- service.syncthing-browser
- disable:
- service.cups
- service.cups-browsed
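Review bot: two differently named features now gate client-side forwarders to `@default`: `service.syncthing-browser`, enabled here, and `service.syncthing-client`, which the 22001 socket unit below checks via `ConditionPathExists=/var/run/qubes-service/syncthing-client`. A one-line comment next to each `enable:` stating what the qube forwards (admin panel on 8384 versus the sync protocol on 22001) would spare the reader cross-referencing the unit files to tell them apart.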
@ -1,7 +1,9 @@
#!/bin/sh
# vim: ft=sh
# SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
# SPDX-FileCopyrightText: 2023 - 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com>
#
# SPDX-License-Identifier: AGPL-3.0-or-later
qvm-connect-tcp 8384:@default:8384
cp -r /rw/config/systemd/qusal-syncthing-browser-forwarder* /usr/lib/systemd/system/
systemctl daemon-reload
systemctl --no-block restart qusal-syncthing-browser-forwarder.socket
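Review bot: `cp -r ... /usr/lib/systemd/system/` places locally generated units in the vendor directory; `/run/systemd/system/` is the search path intended for units created at runtime, keeps them apart from packaged units, and fits a script that has to re-run on every boot because the AppVM root is not persistent (the `daemon-reload` is still required). The unconditional `restart` is safe as written: the socket's `ConditionPathExists=/var/run/qubes-service/syncthing-browser` makes it a no-op when the Qubes Service is disabled, and a comment saying so would make the lack of an `if` obvious to the next reader.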
@ -0,0 +1,17 @@
# SPDX-FileCopyrightText: 2023 - 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com
#
# SPDX-License-Identifier: AGPL-3.0-or-later
[Unit]
Description=Forward Syncthing Admin Panel connection over Qrexec
After=qubes-sysinit.service
Before=qubes-qrexec-agent.service
ConditionPathExists=/var/run/qubes-service/syncthing-browser
[Socket]
ListenStream=127.0.0.1:8384
BindToDevice=lo
Accept=true
[Install]
WantedBy=multi-user.target
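Review bot: the `SPDX-FileCopyrightText` line of this file, and of the other two new unit files in this diff, is missing the closing `>` after the address (`<ben.grande.b@gmail.com`); the Salt and rc.local files in the same commit have it. Separately, nothing shown here runs `systemctl enable` on the socket: the rc.local copies the units into place and issues a `restart`, so the `[Install]` section with `WantedBy=multi-user.target` has no effect unless something outside this diff enables the unit; either drop it or document how it is meant to be used.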
@ -0,0 +1,11 @@
# SPDX-FileCopyrightText: 2023 - 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com
#
# SPDX-License-Identifier: AGPL-3.0-or-later
[Unit]
Description=Forward Syncthing Admin Panel connection over Qrexec
[Service]
ExecStart=/usr/bin/qrexec-client-vm @default qubes.ConnectTCP+8384
StandardInput=socket
StandardOutput=inherit
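Review bot: this `[Service]` section carries none of the hardening that the socat unit deleted further down in this diff had (`ProtectSystem=full`, `PrivateTmp=true`, `SystemCallArchitectures=native`, `MemoryDenyWriteExecute=true`, `NoNewPrivileges=true`). Those directives apply just as well to a per-connection `qrexec-client-vm` instance that only needs its socket fds on stdin/stdout, so carry them over here rather than letting the migration silently loosen the service's sandbox.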
@ -1,25 +0,0 @@
## SPDX-FileCopyrightText: 2022 unman <unman@thirdeyesecurity.org>
## SPDX-FileCopyrightText: 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com>
##
## SPDX-License-Identifier: AGPL-3.0-or-later
[Unit]
Description=Syncthing over Qrexec
After=qubes-sysinit.service
After=qubes-qrexec-agent.service
ConditionPathExists=/var/run/qubes-service/syncthing-setup
[Service]
ExecStart=/usr/bin/socat TCP4-LISTEN:22001,reuseaddr,fork,end-close EXEC:"qrexec-client-vm @default qusal.Syncthing"
Restart=on-failure
RestartSec=3
# Hardening
ProtectSystem=full
PrivateTmp=true
SystemCallArchitectures=native
MemoryDenyWriteExecute=true
NoNewPrivileges=true
[Install]
WantedBy=multi-user.target
@ -0,0 +1,17 @@
# SPDX-FileCopyrightText: 2023 - 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com
#
# SPDX-License-Identifier: AGPL-3.0-or-later
[Unit]
Description=Forward Syncthing connection over Qrexec
After=qubes-sysinit.service
Before=qubes-qrexec-agent.service
ConditionPathExists=/var/run/qubes-service/syncthing-client
[Socket]
ListenStream=127.0.0.1:22001
BindToDevice=lo
Accept=true
[Install]
WantedBy=multi-user.target
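Review bot: the socket orders itself `Before=qubes-qrexec-agent.service`, while the socat unit it replaces used `After=qubes-qrexec-agent.service`. Listening early costs nothing for the socket itself, but a connection accepted before the local agent is up spawns `qrexec-client-vm`, which depends on that agent, and that first connection fails; if the early ordering is deliberate, a comment explaining why would help, otherwise `After=` preserves the previous behaviour. On the positive side, `ListenStream=127.0.0.1:22001` plus `BindToDevice=lo` is tighter than the old `TCP4-LISTEN:22001`, which had no bind address.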