diff --git a/docs/DESIGN.md b/docs/DESIGN.md index d213d5c..375e8e7 100644 --- a/docs/DESIGN.md +++ b/docs/DESIGN.md @@ -14,8 +14,10 @@ Qusal design document. * [Qube naming](#qube-naming) * [Qube label](#qube-label) * [Qube menu](#qube-menu) + * [Qube features](#qube-features) * [Qube connections](#qube-connections) * [Qrexec call and policy](#qrexec-call-and-policy) + * [Qrexec socket services](#qrexec-socket-services) ## Goal @@ -167,6 +169,21 @@ building software is risky, the user trying to open a file manager on a qube that doesn't have one is less risky but for the user the behavior is unexpected. +### Qube features + +Control daemons using Qubes Services. It is much better to control services +this way as we can declare during the creation of qubes instead of having to +add a state to run a script during boot to unmask and start a specific +service. The method below is most of the times combined with `systemd.unit` +`ConditionPathExists=` to enable the service conditionally. + +- Server's service name must match the syntax: `service-server` (example: + `rsync-server`, `syncthing-server`); +- Client's service name must match the syntax: `service-client` (example: + `ssh-client`; +- Local program's service name must match the syntax: `service` (example: + `docker`, `podman`. + ### Qube connections There are several ways a qube can connect to another, either directly with 
@@ -202,3 +219,40 @@ Xen or with Qrexec. If something is not required, we remove it. `qrexec-client-vm`. 3. Target qube for client script must default to `@default`, but other targets must be allowed via parameters. + +### Qrexec socket services + +Native Qrexec TCP sockets `/dev/tcp` using `qubes.ConnectTCP` are very handy +to connect to a port of a qube. The downside of using `qubes.ConnectTCP` +directly is the user doesn't want or need to know in which port the client +wants to connect in the server. We will refer to Unix Domains Sockets as +`UDS`. + +Using `qusal.Service`, such as `qusal.Rsync`, `qusal.Syncthing`, `qusal.Ssh` +has the following advantages: + +- Usability: User recognizes the call per service name; +- Extensibility: Allows extending functionality for arguments added in the + future, no need to migrate user policy from `qubes.ConnectTCP`; + is not necessary; + +Rules for server RPC service: + +- Symlink `qubes.ConnectTCP` to `qusal.Service` if connecting to a local port; +- Use `qubes.ConnectTCP` directly when the user won't manage the policy for + the wanted call, such as `sys-syncthing-browser`, where it happens that only + this qube will access the admin interface of `sys-syncthing`; +- Use `socat` to connect to remote hosts or UDS with path defined by the + service argument. + +Rules for client RPC call: + +- Use `systemd.socket` units, it does not require `socat`, it is not + restricted to the use of `qubes.ConnectTCP` called by `qvm-connect-tcp`, the + service can be properly logged and status verified by a service manager + instead of forking socat to the background with a `rc.local` script and + finally, can be controlled by Qubes Services to enable or disable the unit + with `ConditionPathExists=` instead of doing if-else statements in + `rc.local`; +- Use of `socat` and `qvm-connect-tcp` is permitted for UDS and for + instructional use as it is very short. 
diff --git a/qubesbuilder/qusal.yml b/qubesbuilder/qusal.yml index 6af8ff5..b671fbf 100644 --- a/qubesbuilder/qusal.yml +++ b/qubesbuilder/qusal.yml @@ -69,12 +69,10 @@ stages: gpg-client: gpg sign-key: - rpm: - - DF3834875B65758713D92E91A475969DE4E371E3 + rpm: DF3834875B65758713D92E91A475969DE4E371E3 -#repository-publish: -# components: current-testing +repository-publish: + components: current-testing -#repository-upload-remote-host: -# rpm: user@yum.qubes-os.org:/some/path -# deb: user@deb.qubes-os.org:/another/path +# repository-upload-remote-host: +# rpm: user@yum.example.org:/some/path diff --git a/rpm_spec/qusal-ansible.spec b/rpm_spec/qusal-ansible.spec index 1a58ce8..515add8 100644 --- a/rpm_spec/qusal-ansible.spec +++ b/rpm_spec/qusal-ansible.spec @@ -30,7 +30,9 @@ BuildArch: noarch Requires: qubes-mgmt-salt Requires: qubes-mgmt-salt-dom0 +Requires: qusal-dotfiles Requires: qusal-ssh +Requires: qusal-sys-ssh Requires: qusal-utils @@ -73,8 +75,6 @@ if test "$1" = "1"; then ## Install qubesctl state.apply ansible.create qubesctl --skip-dom0 --targets=tpl-ansible state.apply ansible.install - qubesctl --skip-dom0 --targets=ansible state.apply ansible.configure,zsh.touch-zshrc - qubesctl --skip-dom0 --targets=ansible-minion state.apply ansible.configure-minion,zsh.touch-zshrc elif test "$1" = "2"; then ## Upgrade true @@ -107,6 +107,9 @@ fi %dnl TODO: missing '%ghost', files generated during %post, such as Qrexec policies. %changelog +* Tue Jun 25 2024 Ben Grande - 3880a35 +- fix: ansible references legacy zsh state + * Mon Jun 24 2024 Ben Grande - ab1438f - fix: change Launchpad repository to HTTPS domain diff --git a/rpm_spec/qusal-docker.spec b/rpm_spec/qusal-docker.spec index 8095c21..cde2312 100644 --- a/rpm_spec/qusal-docker.spec +++ b/rpm_spec/qusal-docker.spec 
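Review bot: Un-commenting `repository-publish:` / `components: current-testing` makes publishing an active stage of every run of this builder configuration, while the upload target right below it stays commented out with a placeholder host (`user@yum.example.org`). Anyone building from this file now signs with `sign-key` and publishes into `current-testing` unless they remember to disable the stage, so a comment above it stating the intent (`# publish stage is on by default; remove this section for local test builds`) would avoid surprise, or the stage could stay commented as the upload section is. I assume the publish stage without an upload host only writes a local repository; worth saying so next to it.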
@@ -72,7 +72,6 @@ cp -rv salt/%{project} %{buildroot}/srv/salt/qusal/%{name} if test "$1" = "1"; then ## Install qubesctl --skip-dom0 --targets=tpl-qubes-builder state.apply docker.install - qubesctl --skip-dom0 --targets=qubes-builder state.apply docker.configure elif test "$1" = "2"; then ## Upgrade true diff --git a/rpm_spec/qusal-sys-net.spec b/rpm_spec/qusal-sys-net.spec index 2dc573c..72f0266 100644 --- a/rpm_spec/qusal-sys-net.spec +++ b/rpm_spec/qusal-sys-net.spec @@ -114,6 +114,9 @@ fi %dnl TODO: missing '%ghost', files generated during %post, such as Qrexec policies. %changelog +* Tue Jun 25 2024 Ben Grande - 4facf45 +- feat: use native TCP socket with Qrexec + * Fri Jun 21 2024 Ben Grande - c84dfea - fix: generate RPM Specs for Qubes Builder V2 diff --git a/rpm_spec/qusal-sys-print.spec b/rpm_spec/qusal-sys-print.spec index bdfd90e..b31e587 100644 --- a/rpm_spec/qusal-sys-print.spec +++ b/rpm_spec/qusal-sys-print.spec @@ -111,6 +111,9 @@ fi %dnl TODO: missing '%ghost', files generated during %post, such as Qrexec policies. %changelog +* Tue Jun 25 2024 Ben Grande - 4facf45 +- feat: use native TCP socket with Qrexec + * Fri Jun 21 2024 Ben Grande - c84dfea - fix: generate RPM Specs for Qubes Builder V2 diff --git a/rpm_spec/qusal-sys-rsync.spec b/rpm_spec/qusal-sys-rsync.spec index dd43bf3..afcd6e8 100644 --- a/rpm_spec/qusal-sys-rsync.spec +++ b/rpm_spec/qusal-sys-rsync.spec @@ -114,6 +114,9 @@ fi %dnl TODO: missing '%ghost', files generated during %post, such as Qrexec policies. %changelog +* Tue Jun 25 2024 Ben Grande - 4facf45 +- feat: use native TCP socket with Qrexec + * Fri Jun 21 2024 Ben Grande - c84dfea - fix: generate RPM Specs for Qubes Builder V2 diff --git a/rpm_spec/qusal-sys-ssh.spec b/rpm_spec/qusal-sys-ssh.spec index dfdaf13..bb67577 100644 --- a/rpm_spec/qusal-sys-ssh.spec +++ b/rpm_spec/qusal-sys-ssh.spec 
@@ -30,7 +30,6 @@ BuildArch: noarch Requires: qubes-mgmt-salt Requires: qubes-mgmt-salt-dom0 -Requires: qusal-dev Requires: qusal-sys-ssh-agent Requires: qusal-utils @@ -83,7 +82,6 @@ if test "$1" = "1"; then ## Install qubesctl state.apply sys-ssh.create qubesctl --skip-dom0 --targets=tpl-sys-ssh state.apply sys-ssh.install - qubesctl --skip-dom0 --targets=sys-ssh state.apply sys-ssh.configure elif test "$1" = "2"; then ## Upgrade true @@ -116,6 +114,9 @@ fi %dnl TODO: missing '%ghost', files generated during %post, such as Qrexec policies. %changelog +* Tue Jun 25 2024 Ben Grande - 4facf45 +- feat: use native TCP socket with Qrexec + * Mon Jun 24 2024 Ben Grande - 22e2a2e - chore: add copyright to systemd services diff --git a/rpm_spec/qusal-sys-syncthing.spec b/rpm_spec/qusal-sys-syncthing.spec index ae5d170..b34b860 100644 --- a/rpm_spec/qusal-sys-syncthing.spec +++ b/rpm_spec/qusal-sys-syncthing.spec @@ -96,7 +96,6 @@ if test "$1" = "0"; then ## Uninstall qvm-port-forward -a del -q sys-syncthing -n tcp -p 22000 qvm-port-forward -a del -q sys-syncthing -n udp -p 22000 - qubesctl --skip-dom0 --targets=sys-syncthing state.apply sys-syncthing.cancel qubesctl state.apply sys-syncthing.clean elif test "$1" = "1"; then ## Upgrade @@ -121,6 +120,9 @@ fi %dnl TODO: missing '%ghost', files generated during %post, such as Qrexec policies. %changelog +* Tue Jun 25 2024 Ben Grande - 4facf45 +- feat: use native TCP socket with Qrexec + * Mon Jun 24 2024 Ben Grande - 22e2a2e - chore: add copyright to systemd services diff --git a/salt/ansible/README.md b/salt/ansible/README.md index 13ce64e..8fbd584 100644 --- a/salt/ansible/README.md +++ b/salt/ansible/README.md 
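Review bot: The uninstall branch in `qusal-sys-syncthing.spec` no longer runs `sys-syncthing.cancel` against the `sys-syncthing` qube, so whatever that state reverted inside the qube (not visible in this diff) is left in place on package removal while the `qvm-port-forward` deletions and `sys-syncthing.clean` still run. If `sys-syncthing.cancel` was removed elsewhere in this commit that is fine; otherwise the call should stay, or the changelog entry should note that in-qube cleanup is now handled by Qubes Services features. The enclosing `if` block starts outside the hunk.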
@@ -26,28 +26,13 @@ sudo qubesctl top.disable ansible ```sh sudo qubesctl state.apply ansible.create sudo qubesctl --skip-dom0 --targets=tpl-ansible state.apply ansible.install -sudo qubesctl --skip-dom0 --targets=ansible state.apply ansible.configure -sudo qubesctl --skip-dom0 --targets=ansible-minion state.apply ansible.configure-minion ``` ## Usage -Configure the control node `ansible`: -```sh -ssh-keygen -t ed25519 -N "" -f ~/.ssh/id_ansible -qvm-copy ~/.ssh/id_ansible.pub -``` -Select `ansible-minion` as the target qube for the copy operation. - -Configure the minion `ansible-minion`: -```sh -mkdir -m 0700 ~/.ssh -cat ~/QubesIncoming/ansible/id_ansible.pub >> ~/.ssh/authorized_keys -``` - -From the control node `ansible`, test connection to the minion +From the control node `ansible`, test connection to the managed node `ansible-minion`: ```sh -ssh minion +ssh -p 1840 user@127.0.0.1 ``` diff --git a/salt/ansible/configure-minion.sls b/salt/ansible/configure-minion.sls deleted file mode 100644 index c2b9c63..0000000 --- a/salt/ansible/configure-minion.sls +++ /dev/null @@ -1,30 +0,0 @@ -{# -SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. - -SPDX-License-Identifier: AGPL-3.0-or-later -#} - -{% if grains['nodename'] != 'dom0' -%} - -include: - - utils.tools.zsh.touch-zshrc - -"{{ slsdotpath }}-minion-start-sshd": - file.managed: - - name: /rw/config/rc.local.d/50-ansible.rc - - source: salt://{{ slsdotpath }}/files/client/rc.local.d/50-ansible.rc - - mode: '0755' - - user: root - - group: root - - makedirs: True - -"{{ slsdotpath }}-minion-ssh-authorized_keys": - file.touch: - - name: /home/user/.ssh/authorized_keys - - dir_mode: '0700' - - file_mode: '0600' - - user: user - - group: user - - makedirs: True - -{% endif -%} diff --git a/salt/ansible/configure-minion.top b/salt/ansible/configure-minion.top deleted file mode 100644 index 67e89d5..0000000 --- a/salt/ansible/configure-minion.top +++ /dev/null 
@@ -1,9 +0,0 @@ -{# -SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. - -SPDX-License-Identifier: AGPL-3.0-or-later -#} - -base: - 'ansible': - - ansible.configure-minion diff --git a/salt/ansible/configure.sls b/salt/ansible/configure.sls deleted file mode 100644 index bf0abb7..0000000 --- a/salt/ansible/configure.sls +++ /dev/null @@ -1,31 +0,0 @@ -{# -SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. - -SPDX-License-Identifier: AGPL-3.0-or-later -#} - -{% if grains['nodename'] != 'dom0' -%} - -include: - - utils.tools.zsh.touch-zshrc - -"{{ slsdotpath }}-autostart-ssh-over-qrexec": - file.managed: - - name: /rw/config/rc.local.d/50-ansible.rc - - source: salt://{{ slsdotpath }}/files/server/rc.local.d/50-ansible.rc - - mode: '0755' - - user: root - - group: root - - makedirs: True - -"{{ slsdotpath }}-ssh-config": - file.managed: - - name: /home/user/.ssh/config - - source: salt://{{ slsdotpath }}/files/server/ssh-config - - file_mode: '0600' - - dir_mode: '0700' - - user: root - - group: root - - makedirs: True - -{% endif -%} diff --git a/salt/ansible/configure.top b/salt/ansible/configure.top deleted file mode 100644 index b413a8e..0000000 --- a/salt/ansible/configure.top +++ /dev/null @@ -1,9 +0,0 @@ -{# -SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. - -SPDX-License-Identifier: AGPL-3.0-or-later -#} - -base: - 'ansible': - - ansible.configure diff --git a/salt/ansible/create.sls b/salt/ansible/create.sls index c07b4e2..5722cb6 100644 --- a/salt/ansible/create.sls +++ b/salt/ansible/create.sls @@ -46,6 +46,8 @@ prefs: features: - set: - menu-items: "qubes-run-terminal.desktop qubes-start.desktop" +- enable: + - service.ssh-client - disable: - service.cups - service.cups-browsed @@ -73,6 +75,9 @@ prefs: features: - set: - menu-items: "qubes-run-terminal.desktop qubes-start.desktop" +- enable: + - servicevm + - service.ssh-server - disable: - service.cups - service.cups-browsed 
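Review bot: Enabling `service.ssh-server` (and `servicevm`) on `ansible-minion` in `create.sls` replaces the deleted `configure-minion` state, but the pieces that state provided — a 0600 `authorized_keys` and the `PubkeyAuthentication yes` sshd drop-in — have no visible replacement in this diff, and the README no longer describes copying a key to the minion. If the `sys-ssh.install` state now owns sshd configuration and key placement, a comment on the feature line pointing there (`# sshd config and authorized_keys are managed by sys-ssh.install`) lets the next reader verify that password authentication is not what the minion ends up accepting; if nothing owns it, that is the gap to close before merging.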
diff --git a/salt/ansible/files/admin/policy/default.policy b/salt/ansible/files/admin/policy/default.policy index ff63687..1146cc6 100644 --- a/salt/ansible/files/admin/policy/default.policy +++ b/salt/ansible/files/admin/policy/default.policy @@ -2,5 +2,5 @@ # # SPDX-License-Identifier: AGPL-3.0-or-later -qubes.ConnectTCP +22 {{ sls_path }} @default allow target={{ sls_path }}-minion +qusal.Ssh * {{ sls_path }} @default allow target={{ sls_path }}-minion ## vim:ft=qrexecpolicy diff --git a/salt/ansible/files/client/99-sshd-ansible.conf b/salt/ansible/files/client/99-sshd-ansible.conf deleted file mode 100644 index 529ee4f..0000000 --- a/salt/ansible/files/client/99-sshd-ansible.conf +++ /dev/null @@ -1,7 +0,0 @@ -# SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. -# -# SPDX-License-Identifier: AGPL-3.0-or-later - -PubkeyAuthentication yes - -# vim: ft=sshdconfig diff --git a/salt/ansible/files/client/rc.local.d/50-ansible.rc b/salt/ansible/files/client/rc.local.d/50-ansible.rc deleted file mode 100755 index 4447a22..0000000 --- a/salt/ansible/files/client/rc.local.d/50-ansible.rc +++ /dev/null @@ -1,8 +0,0 @@ -#!/bin/sh -# vim: ft=sh -# SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. -# -# SPDX-License-Identifier: AGPL-3.0-or-later - -systemctl unmask ssh -systemctl --no-block start ssh diff --git a/salt/ansible/files/server/99-ssh-ansible.conf b/salt/ansible/files/server/99-ssh-ansible.conf deleted file mode 100644 index f15b137..0000000 --- a/salt/ansible/files/server/99-ssh-ansible.conf +++ /dev/null @@ -1,12 +0,0 @@ -# SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. -# -# SPDX-License-Identifier: AGPL-3.0-or-later - -Host minion ansible-minion - Hostname 127.0.0.1 - Port 22000 - User user - IdentityFile ~/.ssh/id_ansible.pub - PreferredAuthentications publickey - -# vim: ft=sshconfig diff --git a/salt/ansible/files/server/rc.local.d/50-ansible.rc b/salt/ansible/files/server/rc.local.d/50-ansible.rc deleted file mode 100755 index 625bf84..0000000 
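Review bot: The policy argument in `default.policy` is widened from `+22` to `*`, so `ansible` may now invoke `qusal.Ssh` with any argument against `ansible-minion`. The DESIGN section added in this same commit says a server-side `qusal.Service` may simply be a symlink to `qubes.ConnectTCP`; if `qusal.Ssh` is implemented that way (not visible here), the argument is a port number and `*` lets the control node reach any TCP port on the minion, a regression from the old `+22` rule. Pin it to the single argument the client socket unit sends (`qusal.Ssh +22 {{ sls_path }} @default allow target={{ sls_path }}-minion` if it still forwards to port 22), or state in the policy file why any argument is acceptable.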
--- a/salt/ansible/files/server/rc.local.d/50-ansible.rc +++ /dev/null @@ -1,7 +0,0 @@ -#!/bin/sh -# vim: ft=sh -# SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. -# -# SPDX-License-Identifier: AGPL-3.0-or-later - -qvm-connect-tcp 22000:@default:22 diff --git a/salt/ansible/init.top b/salt/ansible/init.top index d9a653e..2e93bf8 100644 --- a/salt/ansible/init.top +++ b/salt/ansible/init.top @@ -10,7 +10,3 @@ base: - ansible.create 'tpl-ansible': - ansible.install - 'ansible': - - ansible.configure - 'ansible-minion': - - ansible.configure-minion diff --git a/salt/ansible/install.sls b/salt/ansible/install.sls index a512335..83c879c 100644 --- a/salt/ansible/install.sls +++ b/salt/ansible/install.sls @@ -9,7 +9,10 @@ SPDX-License-Identifier: AGPL-3.0-or-later include: - .install-repo - utils.tools.common.update - - utils.tools.zsh + - dotfiles.copy-sh + - dotfiles.copy-x11 + - sys-ssh.install + - sys-ssh.install-client - ssh.install "{{ slsdotpath }}-installed": @@ -26,7 +29,6 @@ include: - ansible-lint - python3-argcomplete - python3-jmespath - - openssh-server - qubes-core-agent-passwordless-root - bash-completion - man-db @@ -48,20 +50,4 @@ include: - skip_suggestions: True - pkgs: {{ pkg.pkg|sequence|yaml }} -"{{ slsdotpath }}-ssh-config": - file.managed: - - name: /etc/ssh/ssh_config.d/99-ssh-ansible.conf - - source: salt://{{ slsdotpath }}/files/server/99-ssh-ansible.conf - - mode: '0644' - - user: root - - group: root - -"{{ slsdotpath }}-sshd-config": - file.managed: - - name: /etc/ssh/sshd_config.d/99-sshd-ansible.conf - - source: salt://{{ slsdotpath }}/files/client/99-sshd-ansible.conf - - mode: '0644' - - user: root - - group: root - {% endif -%} diff --git a/salt/docker/README.md b/salt/docker/README.md index 991986c..d8e1939 100644 --- a/salt/docker/README.md +++ b/salt/docker/README.md 
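Review bot: `install.sls` now includes both `sys-ssh.install` and `sys-ssh.install-client` and drops `openssh-server` from the package list together with the two ssh/sshd drop-ins, so `ansible` and `ansible-minion`, which share `tpl-ansible`, both get server and client bits and only the per-qube `service.ssh-*` features decide which runs. That matches the design text in this commit, but nothing in the hunk says so; a comment above the include (`# sshd and its config come from sys-ssh; enabled per qube via service.ssh-server / service.ssh-client`) would record the dependency. I assume `sys-ssh.install` installs the `openssh-server` package itself — worth confirming, since this hunk removes it. The `{% endif -%}` closes a block that starts outside the hunk.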
@@ -14,10 +14,12 @@ Setup docker in Qubes OS with the Docker repository. ## Installation +TODO: remove installation steps or provide a docker qube. + - Top ```sh sudo qubesctl top.enable docker -sudo qubesctl --targets=tpl-qubes-builder,qubes-builder state.apply +sudo qubesctl --targets=tpl-qubes-builder state.apply sudo qubesctl top.disable docker ``` @@ -25,10 +27,15 @@ sudo qubesctl top.disable docker ```sh sudo qubesctl --skip-dom0 --targets=tpl-qubes-builder state.apply docker.install -sudo qubesctl --skip-dom0 --targets=qubes-builder state.apply docker.configure ``` +Enable the Docker and/or Podman service for qubes that will use it: +```sh +qvm-features QUBE service.docker 1 +qvm-features QUBE service.podman 1 +``` + ## Usage The only qubes specific configuration to docker is changing its [root diff --git a/salt/docker/configure.sls b/salt/docker/configure.sls deleted file mode 100644 index cd53c21..0000000 --- a/salt/docker/configure.sls +++ /dev/null @@ -1,18 +0,0 @@ -{# -SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. - -SPDX-License-Identifier: AGPL-3.0-or-later -#} - -{% if grains['nodename'] != 'dom0' -%} - -"{{ slsdotpath }}-rc.local": - file.managed: - - name: /rw/config/rc.local.d/50-docker.rc - - source: salt://{{ slsdotpath }}/files/client/rc.local.d/50-docker.rc - - mode: '0755' - - user: root - - group: root - - makedirs: True - -{% endif -%} diff --git a/salt/docker/configure.top b/salt/docker/configure.top deleted file mode 100644 index a3737de..0000000 --- a/salt/docker/configure.top +++ /dev/null @@ -1,9 +0,0 @@ -{# -SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. - -SPDX-License-Identifier: AGPL-3.0-or-later -#} - -base: - 'qubes-builder': - - docker.configure diff --git a/salt/docker/files/client/rc.local.d/50-docker.rc b/salt/docker/files/client/rc.local.d/50-docker.rc deleted file mode 100755 index a255d35..0000000 --- a/salt/docker/files/client/rc.local.d/50-docker.rc +++ /dev/null 
@@ -1,9 +0,0 @@ -#!/bin/sh -# vim: ft=sh -# SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. -# -# SPDX-License-Identifier: AGPL-3.0-or-later - -usermod -aG docker user -systemctl unmask docker -systemctl --no-block restart docker diff --git a/salt/docker/files/client/systemd/docker.service.d/50_qusal.conf b/salt/docker/files/client/systemd/docker.service.d/50_qusal.conf new file mode 100644 index 0000000..6a508ca --- /dev/null +++ b/salt/docker/files/client/systemd/docker.service.d/50_qusal.conf @@ -0,0 +1,8 @@ +# SPDX-FileCopyrightText: 2023 - 2024 Benjamin Grande M. S. +# +# SPDX-License-Identifier: AGPL-3.0-or-later +# vim: ft=systemd +[Unit] +ConditionPathExists=/var/run/qubes-service/docker +After=qubes-sysinit.service +Before=qubes-qrexec-agent.service diff --git a/salt/docker/files/client/systemd/podman.service.d/50_qusal.conf b/salt/docker/files/client/systemd/podman.service.d/50_qusal.conf new file mode 100644 index 0000000..e06c17b --- /dev/null +++ b/salt/docker/files/client/systemd/podman.service.d/50_qusal.conf @@ -0,0 +1,8 @@ +# SPDX-FileCopyrightText: 2023 - 2024 Benjamin Grande M. S. +# +# SPDX-License-Identifier: AGPL-3.0-or-later +# vim: ft=systemd +[Unit] +ConditionPathExists=/var/run/qubes-service/podman +After=qubes-sysinit.service +Before=qubes-qrexec-agent.service diff --git a/salt/docker/init.top b/salt/docker/init.top index 1d59ac6..ed1d15e 100644 --- a/salt/docker/init.top +++ b/salt/docker/init.top @@ -7,5 +7,3 @@ SPDX-License-Identifier: AGPL-3.0-or-later base: 'tpl-qubes-builder': - docker.install - 'qubes-builder': - - docker.configure diff --git a/salt/docker/install.sls b/salt/docker/install.sls index b706f68..97feeb4 100644 --- a/salt/docker/install.sls +++ b/salt/docker/install.sls 
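Review bot: `Before=qubes-qrexec-agent.service` in `docker.service.d/50_qusal.conf` (and the identical line in `podman.service.d/50_qusal.conf`) orders the container daemon ahead of the Qrexec agent, so a qube with `service.docker` enabled will not answer Qrexec calls — including the `qubesctl` runs that manage it — until dockerd has finished starting, and a slow or hung daemon start delays the whole qube. If the intent is only that Qrexec services using the daemon find it ready, that belongs on those services as `After=docker.service`; otherwise a comment stating why the agent must wait (`# qrexec calls into the container daemon must find it up`) would make the trade-off explicit. I also assume `qubes-sysinit.service` is what populates `/var/run/qubes-service/`, so the `ConditionPathExists=` is evaluated after it exists — please confirm.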
@@ -52,4 +52,22 @@ include: - addusers: - user +"{{ slsdotpath }}-systemd": + file.recurse: + - name: /usr/lib/systemd/system/ + - source: salt://{{ slsdotpath }}/files/client/systemd/ + - dir_mode: '0755' + - file_mode: '0644' + - user: root + - group: root + - makedirs: True + +"{{ slsdotpath }}-unmask-docker": + service.unmasked: + - name: docker + +"{{ slsdotpath }}-enable-docker": + service.enabled: + - name: docker + {% endif -%} diff --git a/salt/electrum/README.md b/salt/electrum/README.md index 5310ea8..e6c6658 100644 --- a/salt/electrum/README.md +++ b/salt/electrum/README.md @@ -88,7 +88,7 @@ socat TCP4-LISTEN:50002,reuseaddr,fork,bind=127.0.0.1 TCP:192.168.2.10:50002 & In the qube `electrum`, add the `qvm-connect-tcp` command to the file `/rw/config/rc.local`: ```sh -qvm-connnect-tcp ::50002 +qvm-connect-tcp ::50002 ``` In the qube `electrum`, run as the user `user` the electrum configuration diff --git a/salt/mirage-builder/configure.sls b/salt/mirage-builder/configure.sls index bc6daed..9327777 100644 --- a/salt/mirage-builder/configure.sls +++ b/salt/mirage-builder/configure.sls @@ -13,7 +13,6 @@ include: - dotfiles.copy-sh - dotfiles.copy-ssh - dotfiles.copy-git - - docker.configure "{{ slsdotpath }}-opam-completion-and-hooks": file.managed: diff --git a/salt/mirage-builder/create.sls b/salt/mirage-builder/create.sls index 3aaad41..5b2f26a 100644 --- a/salt/mirage-builder/create.sls +++ b/salt/mirage-builder/create.sls @@ -37,6 +37,9 @@ prefs: - autostart: False - include_in_backups: True features: +- enable: + - service.docker + - service.podman - disable: - service.cups - service.cups-browsed diff --git a/salt/mirage-builder/files/client/keys/5DE3E0509C47EA3CF04A42D34AEE18F83AFDEB23.asc b/salt/mirage-builder/files/client/keys/5DE3E0509C47EA3CF04A42D34AEE18F83AFDEB23.asc index e7794c4..4427c4c 100644 --- a/salt/mirage-builder/files/client/keys/5DE3E0509C47EA3CF04A42D34AEE18F83AFDEB23.asc 
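Review bot: `service.unmasked` / `service.enabled` in `docker/install.sls` are applied to `docker` only, while the drop-ins installed by `{{ slsdotpath }}-systemd` also gate `podman.service` on `/var/run/qubes-service/podman`; with nothing unmasking or enabling `podman.service` here, setting `service.podman` on a qube (as `mirage-builder/create.sls` and `qubes-builder/create.sls` now do) has no visible effect unless the package enables the unit itself. Either add matching unmask/enable states for podman, or note in the state file that podman is expected to run without its system service and the drop-in only exists for the API unit. The `{% endif -%}` closes a block that starts outside the hunk.
```yaml
# … unchanged: systemd drop-in recurse and docker unmask/enable …
"{{ slsdotpath }}-unmask-podman":
  service.unmasked:
    - name: podman

"{{ slsdotpath }}-enable-podman":
  service.enabled:
    - name: podman
```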
+++ b/salt/mirage-builder/files/client/keys/5DE3E0509C47EA3CF04A42D34AEE18F83AFDEB23.asc 
@@ -6,28 +6,36 @@ SQzvYjsE4I34To4UdE9KA97wrQjGoz2Bx72WDLyWwctD3DKQtYeHXswXXtXwKfjQ 7Fy4+Bf5IPh76dA8NJ6UtjjLIDlKqdxLW4atHe6xWFaJ+XdLUtsAroZcXBeWDCPa buXCDscJcLJRKZVc62gOZXXtPfoHqvUPp3nuLA4YjH9bphbrMWMf810Wxz9JTd3v yWgGqNY0zbBqeZoGv+TuExlRHT8ASGFS9SVDABEBAAHNNUdpdEh1YiAod2ViLWZs -b3cgY29tbWl0IHNpZ25pbmcpIDxub3JlcGx5QGdpdGh1Yi5jb20+wsBiBBMBCAAW -BQJZlGhBCRBK7hj4Ov3rIwIbAwIZAQAAmQEIACATWFmi2oxlBh3wAsySNCNV4IPf -DDMeh6j80WT7cgoX7V7xqJOxrfrqPEthQ3hgHIm7b5MPQlUr2q+UPL22t/I+ESF6 -9b0QWLFSMJbMSk+BXkvSjH9q8jAO0986/pShPV5DU2sMxnx4LfLfHNhTzjXKokws -+8ptJ8uhMNIDXfXuzkZHIxoXk3rNcjDN5c5X+sK8UBRH092BIJWCOfaQt7v7wig5 -4Ra28pM9GbHKXVNxmdLpCFyzvyMuCmINYYADsC848QQFFwnd4EQnupo6QvhEVx1O -j7wDwvuH5dCrLuLwtwXaQh0onG4583p0LGms2Mf5F+Ick6o/4peOlBoZz48= -=HXDP ------END PGP PUBLIC KEY BLOCK----------BEGIN PGP PUBLIC KEY BLOCK----- - -xsBNBFmUaEEBCACzXTDt6ZnyaVtueZASBzgnAmK13q9Urgch+sKYeIhdymjuMQta -x15OklctmrZtqre5kwPUosG3/B2/ikuPYElcHgGPL4uL5Em6S5C/oozfkYzhwRrT -SQzvYjsE4I34To4UdE9KA97wrQjGoz2Bx72WDLyWwctD3DKQtYeHXswXXtXwKfjQ -7Fy4+Bf5IPh76dA8NJ6UtjjLIDlKqdxLW4atHe6xWFaJ+XdLUtsAroZcXBeWDCPa -buXCDscJcLJRKZVc62gOZXXtPfoHqvUPp3nuLA4YjH9bphbrMWMf810Wxz9JTd3v -yWgGqNY0zbBqeZoGv+TuExlRHT8ASGFS9SVDABEBAAHNNUdpdEh1YiAod2ViLWZs -b3cgY29tbWl0IHNpZ25pbmcpIDxub3JlcGx5QGdpdGh1Yi5jb20+wsBiBBMBCAAW -BQJZlGhBCRBK7hj4Ov3rIwIbAwIZAQAAmQEIACATWFmi2oxlBh3wAsySNCNV4IPf -DDMeh6j80WT7cgoX7V7xqJOxrfrqPEthQ3hgHIm7b5MPQlUr2q+UPL22t/I+ESF6 -9b0QWLFSMJbMSk+BXkvSjH9q8jAO0986/pShPV5DU2sMxnx4LfLfHNhTzjXKokws -+8ptJ8uhMNIDXfXuzkZHIxoXk3rNcjDN5c5X+sK8UBRH092BIJWCOfaQt7v7wig5 -4Ra28pM9GbHKXVNxmdLpCFyzvyMuCmINYYADsC848QQFFwnd4EQnupo6QvhEVx1O -j7wDwvuH5dCrLuLwtwXaQh0onG4583p0LGms2Mf5F+Ick6o/4peOlBoZz48= -=HXDP +b3cgY29tbWl0IHNpZ25pbmcpIDxub3JlcGx5QGdpdGh1Yi5jb20+wsBoBBMBCAAc +BQJZlGhBCRBK7hj4Ov3rIwIbAwUJDBJ3/wIZAQAA0O4IAJd0k8M+urETyMvTqNTj +/U6nbqyOdKE4V93uUj5G7sNTfno7wod/Qjj6Zv5KodvA93HmEdQqsmVq5YJ5KGiw +cmGCpd/GqJRPaYSY0hSUSBqYHiHLusCJkPBpQTBhcEMtfVCB2J6fVeoX2DV0K1xf 
+CGblrSVB0viAxUMnmL5C55RuvbYZsTu8szXhkvIR96CtWbJ8QGaEf1/KSpWz8ept +Y/omf3UPfvdOjnsxc8jVEqPNaR9xC6Q6t53rBa/XgMY6IYyesnyYnc5O6JuexUFa +VjykRFtAiYfDaMARpXOmgMm0lhoBRKb/uMUaN3CSYTmE4pZweJcUi7eWgmoQljX2 +ut6ZAg0EZabFdgEQALI37i+IVAzpBCgqvQDZbSsZ0yhtMnA5myjZA+l7BvIGy4ve +s1bk6YetbBcCE8o2pQjI7N2rwyhLGhNO6ouSyhqGLEQv9fafKE4HFH0aRjP+gj1H +edhwtFoVChImhV863rWimQtTNtYB6GluBPwQqWfwmwQ2rT7ScOVZCLSHZD2gaaqW +BXOyTCZVnwt7K/gyDuE3qzDJnuahl+SSkPn5TtnZdW6sLORJJ+DjNvaUxEsmizZ4 +IBzvj0QKxfS3s4F+0X5iqCMheLFeybZGtSq9Tjs6Q61l4CG8Bh6dsLemv0WFrk3G +gFQRr7XUwr1bo5xGHC/FUJSsxRHoVNJnIL/9WldNO2tGU6qlTnAYxs/fOmf2B6o5 +cKXysXv7WAA8b+j5AVBMGxUSu7CLglaiCJC5DI7AAiUV7/t29rFZkam//Jbb4veC +4vvFocoVUaxrKGWK1BDldr4/WJKApJcPJF4Jtai1+oB6ak/JIjbkseHdJxcjo2B0 +dKtIFoWiPAB+DFs9MRDpp0iwocJCh+ucus1rdQ54YMaI44rRphXeOIQMYCi5q2Q1 +/arzkSiyPV/2VoKoAfdgskPt1xKd7WIKErmpFMHIy8jJ5IPQ1s2dUwU4alfJLJa0 +pvaV2m7wBYFAmwmz0WZgFxYAYEDamn4jFoKfqsEgcixRUVE3w5VkqwSwGRbLABEB +AAG0G0dpdEh1YiA8bm9yZXBseUBnaXRodWIuY29tPokCTgQTAQoAOBYhBJaEeaGv ++SfjfRpWa7VpDu67lSGUBQJlpsV2AhsDBQsJCAcCBhUKCQgLAgQWAgMBAh4BAheA +AAoJELVpDu67lSGUgy4QAKW9XAL416iKrQB2LElmxqAoenHVCswlau0xGLh5dVNN +p5f4/W6eEL8CZI7hfF3e5Gh6Me99aHgXSCK1QnxcqCJ6Oea4ZyrsNu3k6g7Um5ca +VbYFD4yIahhXDYHSw6FYM2sgFY479YvgvKRwacC2tFfChLRbHgwLJ3O1dBjmVycJ +Zpbyu+7taZ26g6KQfgcj3uuo3nz3p1ziIEpLHwtl/7joNEIIP/lJ8AKmUHPiGznN +6fxMvzN37PGMWtdvOi1rSNIMQYr1YY7jPnlLbFJwLrO/q/cGPU5HwGzlqh0a2ZqY +dnuwT3DREmgJ83H71xH+sTzZKs5oGlVTu6st7iWDvNpo2GoN01XzKa5caYglqsOC +uZ6IHlsdL50sXMtSROCi3hEWU9r1sWIm4k3pNz20y7lElD2X/MqbEMcgpawCV7lH +rm7MSrTgu6BNAF0SisbF9AKwXaBr2dwpMMyIBOFZO9mk4/c0n9q2FlGY4GkbgH2J +HqulFTwX/4yiQbh8gzCe+06FZAWITN1OQntTkkCQ+1MCZPf+bOfC08RTsOsVZIYB +2qAgw6XE0IF4a+PAtHSoYftwH2ocMY2gMuSNpQWm7m0+/j+K+RBoeUcnGNPQgszq +N60IDMqkqHjyubrm2aslfopWmPSvaQoyxwV/uztdo+UI0IV2z9gD7Sm49vMkpYp8 +=uMz0 -----END PGP PUBLIC KEY BLOCK----- diff --git a/salt/qubes-builder/configure.sls b/salt/qubes-builder/configure.sls index cddbb86..20d1934 100644 --- a/salt/qubes-builder/configure.sls 
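Review bot: The replacement armored block carries two public keys under a file named after one fingerprint: the base64 still decodes to the `GitHub (web-flow commit signing) <noreply@github.com>` user ID from the old file, and the appended packets decode to a second user ID, `GitHub <noreply@github.com>`, on what looks like a separate primary-key packet. A reader verifying the file against its name `5DE3E0509C47EA3CF04A42D34AEE18F83AFDEB23.asc` cannot tell that a second key is being trusted, so the second key should live in its own file named by its own fingerprint, or a README in `files/client/keys/` should list what each file contains and where it was fetched from. The old content was malformed (two armored blocks fused at `-----END PGP PUBLIC KEY BLOCK----------BEGIN PGP PUBLIC KEY BLOCK-----`), so repairing it is welcome in itself.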
+++ b/salt/qubes-builder/configure.sls @@ -13,7 +13,6 @@ include: - dotfiles.copy-sh - dotfiles.copy-ssh - dotfiles.copy-x11 - - docker.configure "{{ slsdotpath }}-makedir-src": file.directory: diff --git a/salt/qubes-builder/create.sls b/salt/qubes-builder/create.sls index fa00556..2c69073 100644 --- a/salt/qubes-builder/create.sls +++ b/salt/qubes-builder/create.sls @@ -61,11 +61,13 @@ prefs: - label: gray - audiovm: "" - memory: 400 -- maxmem: 800 +- maxmem: 1000 - vcpus: 1 - default_dispvm: dvm-{{ slsdotpath }} features: - enable: + - service.docker + - service.podman - service.split-gpg2-client - disable: - service.cups @@ -113,7 +115,7 @@ features: "{{ slsdotpath }}-shutdown-template": qvm.shutdown: - require: - - cmd: "{{ slsdotpath }}-install-salt-deps": + - cmd: "{{ slsdotpath }}-install-salt-deps" - name: tpl-{{ slsdotpath }} - flags: - force diff --git a/salt/qubes-builder/install-qubes-executor.sls b/salt/qubes-builder/install-qubes-executor.sls index 643f5af..09ac344 100644 --- a/salt/qubes-builder/install-qubes-executor.sls +++ b/salt/qubes-builder/install-qubes-executor.sls @@ -18,25 +18,26 @@ include: - pkgs: - qubes-core-agent-networking - qubes-core-agent-passwordless-root - - dnf-plugins-core - createrepo_c - debootstrap - devscripts + - dnf-plugins-core - dpkg-dev - git - mock - pbuilder - - which - perl-Digest-MD5 - perl-Digest-SHA + - pykickstart + - python3-debian - python3-pyyaml - python3-sh + - reprepro - rpm-build - rpmdevtools - - wget2 - - python3-debian - - reprepro - systemd-udev + - wget2 + - which "{{ slsdotpath }}-qubes-executor-add-user-to-mock-group": group.present: diff --git a/salt/qubes-builder/install.sls b/salt/qubes-builder/install.sls index 5a01ba4..bfe9272 100644 --- a/salt/qubes-builder/install.sls +++ b/salt/qubes-builder/install.sls 
@@ -30,26 +30,24 @@ include: ## Minimal template dependencies - qubes-core-agent-networking - qubes-core-agent-passwordless-root - ## Undocumented Infraestructure Mirrors dependencies - - python3-lxml - ## Undocumented Builder dependencies - - python3-click ## Dependencies: https://github.com/QubesOS/qubes-builderv2#dependencies - asciidoc - createrepo_c - devscripts - m4 - - mktorrent - mock - openssl - pacman - podman + - python3-click - python3-docker - python3-jinja2-cli + - python3-lxml - python3-packaging - python3-pathspec - python3-podman - python3-pyyaml + - rb_libtorrent-examples - reprepro - rpm - rpm-sign diff --git a/salt/sys-bitcoin/README.md b/salt/sys-bitcoin/README.md index b561bbf..af31acd 100644 --- a/salt/sys-bitcoin/README.md +++ b/salt/sys-bitcoin/README.md @@ -81,7 +81,7 @@ sudo qubesctl --skip-dom0 --targets=sys-bitcoin state.apply sys-bitcoin.configur Add the tag `bitcoin-client` to the client and install in the client template: ```sh -sudo qubesctl --skip-dom0 --targets=tpl-QUBE state.apply sys-bitcoin.install-client +sudo qubesctl --skip-dom0 --targets=TEMPLATE state.apply sys-bitcoin.install-client ``` @@ -212,11 +212,11 @@ In the Electrum Server qubes or any Bitcoin Client, `sys-electrumx`, `/rw/config/rc.local`: ```sh ## RPC -qvm-connnect-tcp ::8332 +qvm-connect-tcp ::8332 ## P2P (ElectRS) -qvm-connnect-tcp ::8333 +qvm-connect-tcp ::8333 ## ZMQPubHashBlock (Fulcrum) -qvm-connnect-tcp ::8433 +qvm-connect-tcp ::8433 ``` Still in the Electrum Server qube, you will have to add the RPC authentication diff --git a/salt/sys-cacher/README.md b/salt/sys-cacher/README.md index a387902..a77668b 100644 --- a/salt/sys-cacher/README.md +++ b/salt/sys-cacher/README.md 
@@ -89,7 +89,7 @@ The report page is available from `sys-cacher` and `sys-cacher-browser` at security wise, every client has administrative access to the cacher qube. You should add the following to the end of `sys-cacher` rc.local: ```sh -echo "AdminAuth: username:password" | tee /etc/qubes-apt-cacher-ng/zzz_security.conf +echo "AdminAuth: username:password" | tee /etc/qusal-apt-cacher-ng/zzz_security.conf ``` Where username and password are HTTP Auth strings. diff --git a/salt/sys-cacher/configure-browser.sls b/salt/sys-cacher/configure-browser.sls index f380784..d9a9656 100644 --- a/salt/sys-cacher/configure-browser.sls +++ b/salt/sys-cacher/configure-browser.sls @@ -18,6 +18,16 @@ include: - group: root - makedirs: True +"{{ slsdotpath }}-browser-systemd-services": + file.recurse: + - name: /rw/config/systemd/ + - source: salt://{{ slsdotpath }}/files/browser/systemd/ + - dir_mode: '0755' + - file_mode: '0644' + - user: root + - group: root + - makedirs: True + "{{ slsdotpath }}-browser-desktop-application": file.managed: - name: /home/user/.local/share/applications/cacher-browser.desktop diff --git a/salt/sys-cacher/create.sls b/salt/sys-cacher/create.sls index a8230d0..a9ca416 100644 --- a/salt/sys-cacher/create.sls +++ b/salt/sys-cacher/create.sls @@ -57,7 +57,7 @@ features: - enable: - servicevm - service.crond - - service.apt-cacher-ng + - service.acng-server - disable: - service.cups - service.cups-browsed @@ -87,6 +87,8 @@ prefs: - autostart: False - include_in_backups: False features: +- enable: + - service.acng-browser - disable: - service.cups - service.cups-browsed diff --git a/salt/sys-cacher/files/browser/rc.local.d/50-sys-cacher.rc b/salt/sys-cacher/files/browser/rc.local.d/50-sys-cacher.rc index 6693603..695d644 100755 --- a/salt/sys-cacher/files/browser/rc.local.d/50-sys-cacher.rc +++ b/salt/sys-cacher/files/browser/rc.local.d/50-sys-cacher.rc 
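Review bot: Renaming the feature from `service.apt-cacher-ng` to `service.acng-server` in `sys-cacher/create.sls` orphans existing deployments: a `sys-cacher` created by the previous state keeps `service.apt-cacher-ng` set, the new condition (presumably `ConditionPathExists=/var/run/qubes-service/acng-server`, not visible here) is never satisfied, and the cache daemon stops starting after the package upgrade. The `features` block does not clear the old name, so either unset `service.apt-cacher-ng` alongside the new `enable` (if the `qvm.vm` features action supports it) or call the rename out in the spec changelog as a manual migration step.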
@@ -1,7 +1,9 @@ #!/bin/sh # vim: ft=sh -# SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. +# SPDX-FileCopyrightText: 2023 - 2024 Benjamin Grande M. S. # # SPDX-License-Identifier: AGPL-3.0-or-later -qvm-connect-tcp 8082:@default:8082 +cp -r /rw/config/systemd/qusal-acng-browser-forwarder* /usr/lib/systemd/system/ +systemctl daemon-reload +systemctl --no-block restart qusal-acng-browser-forwarder.socket diff --git a/salt/sys-cacher/files/browser/systemd/qusal-acng-browser-forwarder.socket b/salt/sys-cacher/files/browser/systemd/qusal-acng-browser-forwarder.socket new file mode 100644 index 0000000..05cc285 --- /dev/null +++ b/salt/sys-cacher/files/browser/systemd/qusal-acng-browser-forwarder.socket @@ -0,0 +1,17 @@ +# SPDX-FileCopyrightText: 2023 - 2024 Benjamin Grande M. S. /dev/null; then die "Command not found: git" fi +## TODO: subdirectory? dir+repo untrusted_repo="${QREXEC_SERVICE_ARGUMENT}" if test -z "${untrusted_repo}"; then diff --git a/salt/sys-pihole/configure-browser.sls b/salt/sys-pihole/configure-browser.sls index 25803bc..faa8ddb 100644 --- a/salt/sys-pihole/configure-browser.sls +++ b/salt/sys-pihole/configure-browser.sls @@ -7,7 +7,7 @@ SPDX-License-Identifier: AGPL-3.0-or-later {% if grains['nodename'] != 'dom0' %} -"{{ slsdotpath }}-browser-auto-tcp-connect": +"{{ slsdotpath }}-browser-rc.local": file.managed: - name: /rw/config/rc.local.d/50-sys-pihole.rc - source: salt://{{ slsdotpath }}/files/browser/rc.local.d/50-sys-pihole.rc @@ -16,6 +16,16 @@ SPDX-License-Identifier: AGPL-3.0-or-later - group: root - makedirs: True +"{{ slsdotpath }}-browser-systemd-services": + file.recurse: + - name: /rw/config/systemd/ + - source: salt://{{ slsdotpath }}/files/browser/systemd/ + - dir_mode: '0755' + - file_mode: '0644' + - user: root + - group: root + - makedirs: True + "{{ slsdotpath }}-browser-desktop-application": file.managed: - name: /home/user/.local/share/applications/pihole-browser.desktop 
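Review bot: The new `50-sys-cacher.rc` copies unit files from `/rw/config/systemd/` into `/usr/lib/systemd/system/`, the vendor unit directory, on every boot; unless there is a reason to prefer that location, `/run/systemd/system/` is the directory systemd reserves for units that exist only for the current boot, and `-r` is not needed for plain files: `cp /rw/config/systemd/qusal-acng-browser-forwarder* /run/systemd/system/`. The script has no `set -e`, so when the glob matches nothing `cp` fails and `daemon-reload` and `restart` still run against a unit that was never installed; a guard such as `test -e /rw/config/systemd/qusal-acng-browser-forwarder.socket || exit 1` before the copy would make that failure visible in the journal instead of surfacing as a puzzling `restart` error. The same copy pattern is used in the sys-pihole and sys-syncthing browser `rc.local.d` hunks later in this commit.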
diff --git a/salt/sys-pihole/create.sls b/salt/sys-pihole/create.sls index 87afc40..bfc7ef6 100644 --- a/salt/sys-pihole/create.sls +++ b/salt/sys-pihole/create.sls @@ -78,6 +78,8 @@ prefs: - maxmem: 600 - include_in_backups: False features: +- enable: + - service.http-client - disable: - service.cups - service.cups-browsed diff --git a/salt/sys-pihole/files/browser/rc.local.d/50-sys-pihole.rc b/salt/sys-pihole/files/browser/rc.local.d/50-sys-pihole.rc index 02f54c8..66c34fc 100755 --- a/salt/sys-pihole/files/browser/rc.local.d/50-sys-pihole.rc +++ b/salt/sys-pihole/files/browser/rc.local.d/50-sys-pihole.rc @@ -1,7 +1,9 @@ #!/bin/sh # vim: ft=sh -# SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. +# SPDX-FileCopyrightText: 2023 - 2024 Benjamin Grande M. S. # # SPDX-License-Identifier: AGPL-3.0-or-later -qvm-connect-tcp 80:@default:80 +cp -r /rw/config/systemd/qubes-http-forwarder* /usr/lib/systemd/system/ +systemctl daemon-reload +systemctl --no-block restart qubes-http-forwarder.socket diff --git a/salt/sys-ssh/files/client/systemd/qubes-ssh-forwarder.socket b/salt/sys-pihole/files/browser/systemd/qubes-http-forwarder.socket similarity index 59% rename from salt/sys-ssh/files/client/systemd/qubes-ssh-forwarder.socket rename to salt/sys-pihole/files/browser/systemd/qubes-http-forwarder.socket index 66735e4..50892a6 100644 --- a/salt/sys-ssh/files/client/systemd/qubes-ssh-forwarder.socket +++ b/salt/sys-pihole/files/browser/systemd/qubes-http-forwarder.socket @@ -3,12 +3,13 @@ # SPDX-License-Identifier: AGPL-3.0-or-later [Unit] -Description=Forward connection to SSH over Qrexec +Description=Forward HTTP connection over Qrexec After=qubes-sysinit.service -ConditionPathExists=/var/run/qubes-service/ssh-setup +Before=qubes-qrexec-agent.service +ConditionPathExists=/var/run/qubes-service/http-client [Socket] -ListenStream=127.0.0.1:840 +ListenStream=127.0.0.1:80 BindToDevice=lo Accept=true 
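Review bot: The sys-pihole browser units keep the `qubes-` prefix (`qubes-http-forwarder.socket`, `qubes-http-forwarder@.service`, and the `cp … qubes-http-forwarder*` line in `50-sys-pihole.rc`) while every other forwarder in this commit is renamed to `qusal-` (`qusal-acng-browser-forwarder`, `qusal-rsync-forwarder`, `qusal-ssh-forwarder`, `qusal-syncthing-browser-forwarder`); renaming them to `qusal-http-forwarder.socket` and `qusal-http-forwarder@.service` would keep the unit namespace consistent and spare the next rename sweep. In the renamed socket unit, `Before=qubes-qrexec-agent.service` is new, and its purpose on a client-side listener is not obvious, since the server-side drop-ins in this commit use the same ordering for the opposite reason (daemon up before Qrexec calls arrive); if it is meant to have the listener ready before anything in the qube is reached over Qrexec, a comment such as `# Listen before qrexec-agent so calls into this qube find the forwarder ready` would make that intent explicit, and if it is a leftover from the copied ssh unit it can go.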
diff --git a/salt/sys-pihole/files/browser/systemd/qubes-http-forwarder@.service b/salt/sys-pihole/files/browser/systemd/qubes-http-forwarder@.service new file mode 100644 index 0000000..4eeee8b --- /dev/null +++ b/salt/sys-pihole/files/browser/systemd/qubes-http-forwarder@.service @@ -0,0 +1,11 @@ +# SPDX-FileCopyrightText: 2023 - 2024 Benjamin Grande M. S. -# SPDX-FileCopyrightText: 2024 Benjamin Grande M. S. -# -# SPDX-License-Identifier: AGPL-3.0-or-later - -[Unit] -Description=Print over Qrexec -After=qubes-sysinit.service -After=qubes-qrexec-agent.service -ConditionPathExists=/var/run/qubes-service/print-setup - -[Service] -ExecStart=/usr/bin/socat TCP4-LISTEN:631,reuseaddr,fork,end-close EXEC:"qrexec-client-vm @default qusal.Print" -Restart=on-failure -RestartSec=3 - -# Hardening -ProtectSystem=full - -SystemCallArchitectures=native -MemoryDenyWriteExecute=true -NoNewPrivileges=true - -[Install] -WantedBy=multi-user.target diff --git a/salt/sys-print/files/client/systemd/qusal-print-forwarder.socket b/salt/sys-print/files/client/systemd/qusal-print-forwarder.socket new file mode 100644 index 0000000..6c82b97 --- /dev/null +++ b/salt/sys-print/files/client/systemd/qusal-print-forwarder.socket 
@@ -0,0 +1,17 @@ +# SPDX-FileCopyrightText: 2023 - 2024 Benjamin Grande M. S. SPDX-License-Identifier: AGPL-3.0-or-later #} -"{{ slsdotpath }}-installed-client": - pkg.installed: - - require: - - sls: utils.tools.common.update - - install_recommends: False - - skip_suggestions: True - - pkgs: - - socat - -"{{ slsdotpath }}-client-systemd-print-forwarder": - file.managed: - - name: /usr/lib/systemd/system/qusal-print-forwarder.service - - source: salt://{{ slsdotpath }}/files/client/systemd/qusal-print-forwarder.service - - mode: '0644' +"{{ slsdotpath }}-client-systemd": + file.recurse: + - name: /usr/lib/systemd/system/ + - source: salt://{{ slsdotpath }}/files/client/systemd/ + - file_mode: '0644' + - dir_mode: '0755' - user: root - group: root - makedirs: True -"{{ slsdotpath }}-enable-systemd-service-print-forwarder": +"{{ slsdotpath }}-enable-systemd-service-print-forwarder.socket": service.enabled: - - name: qusal-print-forwarder.service + - name: qusal-print-forwarder.socket diff --git a/salt/sys-rsync/README.md b/salt/sys-rsync/README.md index 4c5dfac..e043b6e 100644 --- a/salt/sys-rsync/README.md +++ b/salt/sys-rsync/README.md @@ -49,7 +49,7 @@ sudo qubesctl --skip-dom0 --targets=TEMPLATE state.apply sys-rsync.install-clien The client qube requires the Rsync forwarder service to be enabled: ``` -qvm-features QUBE service.rsync-setup 1 +qvm-features QUBE service.rsync-client 1 ``` ## Access Control diff --git a/salt/sys-rsync/configure.sls b/salt/sys-rsync/configure.sls index b4aaf9f..6e984b5 100644 --- a/salt/sys-rsync/configure.sls +++ b/salt/sys-rsync/configure.sls @@ -1,6 +1,6 @@ {# SPDX-FileCopyrightText: 2022 unman -SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. +SPDX-FileCopyrightText: 2023 - 2024 Benjamin Grande M. S. SPDX-License-Identifier: AGPL-3.0-or-later #} 
@@ -8,15 +8,6 @@ SPDX-License-Identifier: AGPL-3.0-or-later include: - dev.home-cleanup -"{{ slsdotpath }}-start-rsync-on-boot": - file.managed: - - name: /rw/config/rc.local.d/50-sys-rsync.rc - - source: salt://{{ slsdotpath }}/files/server/rc.local.d/50-sys-rsync.rc - - mode: '0755' - - user: root - - group: root - - makedirs: True - "{{ slsdotpath }}-creates-local-rsync-configuration-dir": file.directory: - name: /usr/local/etc/rsync.d diff --git a/salt/sys-rsync/create.sls b/salt/sys-rsync/create.sls index 74cce5f..84ba6ec 100644 --- a/salt/sys-rsync/create.sls +++ b/salt/sys-rsync/create.sls @@ -41,6 +41,7 @@ prefs: features: - enable: - servicevm + - service.rsync-server - disable: - service.cups - service.cups-browsed diff --git a/salt/sys-rsync/files/client/systemd/qubes-rsync-forwarder.socket b/salt/sys-rsync/files/client/systemd/qusal-rsync-forwarder.socket similarity index 71% rename from salt/sys-rsync/files/client/systemd/qubes-rsync-forwarder.socket rename to salt/sys-rsync/files/client/systemd/qusal-rsync-forwarder.socket index 9e06c1d..607a2cc 100644 --- a/salt/sys-rsync/files/client/systemd/qubes-rsync-forwarder.socket +++ b/salt/sys-rsync/files/client/systemd/qusal-rsync-forwarder.socket @@ -3,9 +3,9 @@ # SPDX-License-Identifier: AGPL-3.0-or-later [Unit] -Description=Forward connection to Rsync over Qrexec +Description=Forward Rsync connection over Qrexec After=qubes-sysinit.service -ConditionPathExists=/var/run/qubes-service/rsync-setup +ConditionPathExists=/var/run/qubes-service/rsync-client [Socket] ListenStream=127.0.0.1:1839 diff --git a/salt/sys-rsync/files/client/systemd/qubes-rsync-forwarder@.service b/salt/sys-rsync/files/client/systemd/qusal-rsync-forwarder@.service similarity index 82% rename from salt/sys-rsync/files/client/systemd/qubes-rsync-forwarder@.service rename to salt/sys-rsync/files/client/systemd/qusal-rsync-forwarder@.service index 607858d..aa0e2c7 100644 
--- a/salt/sys-rsync/files/client/systemd/qubes-rsync-forwarder@.service +++ b/salt/sys-rsync/files/client/systemd/qusal-rsync-forwarder@.service @@ -3,7 +3,7 @@ # SPDX-License-Identifier: AGPL-3.0-or-later [Unit] -Description=Forward connection to Rsync over Qrexec +Description=Forward Rsync connection over Qrexec [Service] ExecStart=/usr/bin/qrexec-client-vm @default qusal.Rsync diff --git a/salt/sys-rsync/files/server/rc.local.d/50-sys-rsync.rc b/salt/sys-rsync/files/server/rc.local.d/50-sys-rsync.rc deleted file mode 100755 index 5bc7a99..0000000 --- a/salt/sys-rsync/files/server/rc.local.d/50-sys-rsync.rc +++ /dev/null @@ -1,8 +0,0 @@ -#!/bin/sh -# vim: ft=sh -# SPDX-FileCopyrightText: 2022 unman -# -# SPDX-License-Identifier: AGPL-3.0-or-later - -systemctl unmask rsync -systemctl --no-block restart rsync diff --git a/salt/sys-rsync/files/server/systemd/rsync.service.d/50_qusal.conf b/salt/sys-rsync/files/server/systemd/rsync.service.d/50_qusal.conf new file mode 100644 index 0000000..c44f0c0 --- /dev/null +++ b/salt/sys-rsync/files/server/systemd/rsync.service.d/50_qusal.conf @@ -0,0 +1,8 @@ +# SPDX-FileCopyrightText: 2023 - 2024 Benjamin Grande M. S. +# +# SPDX-License-Identifier: AGPL-3.0-or-later +# vim: ft=systemd +[Unit] +ConditionPathExists=/var/run/qubes-service/rsync-server +After=qubes-sysinit.service +Before=qubes-qrexec-agent.service diff --git a/salt/sys-rsync/install-client.sls b/salt/sys-rsync/install-client.sls index f18e5f5..735f08d 100644 --- a/salt/sys-rsync/install-client.sls +++ b/salt/sys-rsync/install-client.sls @@ -30,8 +30,8 @@ include: - group: root - makedirs: True -"{{ slsdotpath }}-client-systemd-start-qubes-rsync-forwarder.socket": +"{{ slsdotpath }}-client-systemd-enable-qusal-rsync-forwarder.socket": service.enabled: - - name: qubes-rsync-forwarder.socket + - name: qusal-rsync-forwarder.socket {% endif -%} diff --git a/salt/sys-rsync/install.sls b/salt/sys-rsync/install.sls index 69200b3..ebffbb7 100644 
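Review bot: The new `rsync.service.d/50_qusal.conf` drop-in carries `After=qubes-sysinit.service` and `Before=qubes-qrexec-agent.service` with no explanation, and the reason for each is not recoverable from the file alone: the `After=` is presumably there because `/var/run/qubes-service/` is populated by `qubes-sysinit`, so the `ConditionPathExists=` would otherwise be evaluated too early, and the `Before=` presumably keeps the daemon listening before the first `qusal.Rsync` call can be forwarded to its port. Two comment lines stating that, e.g. `# qubes-sysinit creates /var/run/qubes-service/*; evaluate the condition after it` and `# be listening before qrexec-agent starts accepting calls`, would turn the ordering from folklore into a documented contract. The same undocumented pair appears in the ssh and syncthing drop-ins added later in this commit.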
--- a/salt/sys-rsync/install.sls +++ b/salt/sys-rsync/install.sls @@ -20,16 +20,22 @@ include: - rsync - man-db -"{{ slsdotpath }}-stop-rsync": - service.dead: +"{{ slsdotpath }}-systemd": + file.recurse: + - name: /usr/lib/systemd/system/ + - source: salt://{{ slsdotpath }}/files/server/systemd/ + - dir_mode: '0755' + - file_mode: '0644' + - user: root + - group: root + - makedirs: True + +"{{ slsdotpath }}-unmask-rsync": + service.unmasked: - name: rsync -"{{ slsdotpath }}-disable-rsync": - service.disabled: - - name: rsync - -"{{ slsdotpath }}-mask-rsync": - service.masked: +"{{ slsdotpath }}-enable-rsync": + service.enabled: - name: rsync "{{ slsdotpath }}-set-rsyncd.conf": diff --git a/salt/sys-ssh-agent/README.md b/salt/sys-ssh-agent/README.md index 12f608d..54ed6b6 100644 --- a/salt/sys-ssh-agent/README.md +++ b/salt/sys-ssh-agent/README.md @@ -150,7 +150,7 @@ Or you can manually add the key to the agent which are not located under the `~/.ssh/identities.d` directory so they aren't automatically added (substitute AGENT, SECS, and LIFE for their appropriate values): ```sh -SSH_AUTH_SOCK="/run/user/1000/qubes-ssh-agent/.sock" ssh-add -t -f +SSH_AUTH_SOCK="/run/user/1000/qusal-ssh-agent/.sock" ssh-add -t -f ``` #### Reload agent 
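Review bot: `sys-rsync/install.sls` now unmasks and enables `rsync` in the template instead of stopping, disabling and masking it, so the only thing keeping the daemon down in any qube built from this template is the `ConditionPathExists=/var/run/qubes-service/rsync-server` drop-in installed by the new `{{ slsdotpath }}-systemd` state. That is the design the commit describes, but it inverts the previous default-off posture, and the enable state has no requisite on the drop-in state, so a failed recurse still leaves `rsync` enabled unconditionally; adding `- require:` / `- file: "{{ slsdotpath }}-systemd"` to `{{ slsdotpath }}-enable-rsync` ties enabling to the gate being in place. The same change is made for `ssh` in `sys-ssh/install.sls` and for `syncthing@user.service` in `sys-syncthing/install.sls` and `install-client.sls`.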
@@ -177,17 +177,17 @@ qvm-ssh-agent ls Enable and start the connection to the SSH Agent via Qrexec for specified ``: ```sh -sudo systemctl --no-block restart qubes-ssh-agent-forwarder@.service -sudo systemctl --no-block restart qubes-ssh-agent-forwarder@personal.service +sudo systemctl --no-block restart qusal-ssh-agent-forwarder@.service +sudo systemctl --no-block restart qusal-ssh-agent-forwarder@personal.service ``` You can start the service on boot if you place the above line `/rw/config/rc.local` of the client. -The ssh-agent socket will be at `/tmp/qubes-ssh-agent-forwarder/.sock`. +The ssh-agent socket will be at `/tmp/qusal-ssh-agent-forwarder/.sock`. You can test the connection is working with: ```sh -SSH_AUTH_SOCK="/tmp/qubes-ssh-agent-forwarder/personal.sock" ssh-add -l +SSH_AUTH_SOCK="/tmp/qusal-ssh-agent-forwarder/personal.sock" ssh-add -l ``` #### Single agent per client @@ -196,8 +196,8 @@ You might want to set the `SSH_AUTH_SOCK` and `SSH_AGENT_PID` environment variables to point to the `work` agent so every connection will use the same agent: ```sh -echo 'export SSH_AUTH_SOCK=/tmp/qubes-ssh-agent-forwarder/work.sock; -SSH_AGENT_PID="$(pgrep -f "/tmp/qubes-ssh-agent-forwarder/work.sock")"; +echo 'export SSH_AUTH_SOCK=/tmp/qusal-ssh-agent-forwarder/work.sock; +SSH_AGENT_PID="$(pgrep -f "/tmp/qusal-ssh-agent-forwarder/work.sock")"; ' | tee -a ~/.profile ``` 
@@ -210,19 +210,19 @@ the `IdentityAgent` option. You can control the SSH agent via SSH command-line option: ```sh -ssh -o IdentityAgent=/tmp/qubes-ssh-agent-forwarder/personal.sock personal-site.com -ssh -o IdentityAgent=/tmp/qubes-ssh-agent-forwarder/work.sock work-site.com +ssh -o IdentityAgent=/tmp/qusal-ssh-agent-forwarder/personal.sock personal-site.com +ssh -o IdentityAgent=/tmp/qusal-ssh-agent-forwarder/work.sock work-site.com ``` You can control the SSH agent via SSH configuration: ```sshconfig Host personal - IdentityAgent /tmp/qubes-ssh-agent-forwarder/personal.sock + IdentityAgent /tmp/qusal-ssh-agent-forwarder/personal.sock ... Host work - IdentityAgent /tmp/qubes-ssh-agent-forwarder/work.sock + IdentityAgent /tmp/qusal-ssh-agent-forwarder/work.sock ... ``` ## Credits -- [Unman](https://github.com/unman/qubes-ssh-agent) +- [Unman](https://github.com/unman/qusal-ssh-agent) diff --git a/salt/sys-ssh-agent/files/client/systemd/qubes-ssh-agent-forwarder@.service b/salt/sys-ssh-agent/files/client/systemd/qusal-ssh-agent-forwarder@.service similarity index 73% rename from salt/sys-ssh-agent/files/client/systemd/qubes-ssh-agent-forwarder@.service rename to salt/sys-ssh-agent/files/client/systemd/qusal-ssh-agent-forwarder@.service index dddc67f..b841abb 100644 --- a/salt/sys-ssh-agent/files/client/systemd/qubes-ssh-agent-forwarder@.service +++ b/salt/sys-ssh-agent/files/client/systemd/qusal-ssh-agent-forwarder@.service @@ -1,9 +1,9 @@ -# SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. +# SPDX-FileCopyrightText: 2023 - 2024 Benjamin Grande M. S. # # SPDX-License-Identifier: AGPL-3.0-or-later [Unit] -Description=SSH Agent Forwarder to Qrexec SSH Agent %i +Description=Forward SSH Agent %i over Qrexec [Service] User=user diff --git a/salt/sys-ssh-agent/files/server/bin/qvm-ssh-agent b/salt/sys-ssh-agent/files/server/bin/qvm-ssh-agent index edbfd1b..ed2ae5e 100755 --- a/salt/sys-ssh-agent/files/server/bin/qvm-ssh-agent 
+++ b/salt/sys-ssh-agent/files/server/bin/qvm-ssh-agent @@ -1,12 +1,12 @@ #!/bin/sh -# SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. +# SPDX-FileCopyrightText: 2023 - 2024 Benjamin Grande M. S. # # SPDX-License-Identifier: AGPL-3.0-or-later set -eu -service="qubes-ssh-agent" +service="qusal-ssh-agent" usage(){ echo "Usage: ${0##*/} [ls|add] diff --git a/salt/sys-ssh-agent/files/server/rpc/qusal.SshAgent b/salt/sys-ssh-agent/files/server/rpc/qusal.SshAgent index 48438db..a9a1218 100644 --- a/salt/sys-ssh-agent/files/server/rpc/qusal.SshAgent +++ b/salt/sys-ssh-agent/files/server/rpc/qusal.SshAgent @@ -24,7 +24,7 @@ if test "${#untrusted_agent}" -gt 128; then fi agent="${untrusted_agent}" -socket="/tmp/qubes-ssh-agent/${agent}.sock" +socket="/tmp/qusal-ssh-agent/${agent}.sock" qvm-ssh-agent add "${agent}" >/dev/null exec socat STDIO UNIX-CLIENT:"${socket}" diff --git a/salt/sys-ssh/README.md b/salt/sys-ssh/README.md index 1cb9ffd..f066236 100644 --- a/salt/sys-ssh/README.md +++ b/salt/sys-ssh/README.md @@ -39,7 +39,6 @@ sudo qubesctl top.disable sys-ssh ```sh sudo qubesctl state.apply sys-ssh.create sudo qubesctl --skip-dom0 --targets=tpl-sys-ssh state.apply sys-ssh.install -sudo qubesctl --skip-dom0 --targets=sys-ssh state.apply sys-ssh.configure ``` @@ -50,7 +49,7 @@ sudo qubesctl --skip-dom0 --targets=TEMPLATE state.apply sys-ssh.install-client The client qube requires the SSH forwarder service to be enabled: ``` -qvm-features QUBE service.ssh-setup 1 +qvm-features QUBE service.ssh-client 1 ``` ## Access Control diff --git a/salt/sys-ssh/configure.sls b/salt/sys-ssh/configure.sls deleted file mode 100644 index f356cd9..0000000 --- a/salt/sys-ssh/configure.sls +++ /dev/null 
@@ -1,30 +0,0 @@ -{# -SPDX-FileCopyrightText: 2022 unman -SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. - -SPDX-License-Identifier: AGPL-3.0-or-later -#} - -{% if grains['nodename'] != 'dom0' -%} - -include: - - dev.home-cleanup - -"{{ slsdotpath }}-start-ssh-on-boot": - file.managed: - - name: /rw/config/rc.local.d/50-sys-ssh.rc - - source: salt://{{ slsdotpath }}/files/server/rc.local.d/50-sys-ssh.rc - - mode: '0755' - - user: root - - group: root - - makedirs: True - -"{{ slsdotpath }}-creates-home-ssh-dir": - file.directory: - - name: /home/user/.ssh - - mode: '0700' - - user: user - - group: user - - makedirs: True - -{% endif -%} diff --git a/salt/sys-ssh/configure.top b/salt/sys-ssh/configure.top deleted file mode 100644 index 5dc5060..0000000 --- a/salt/sys-ssh/configure.top +++ /dev/null @@ -1,9 +0,0 @@ -{# -SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. - -SPDX-License-Identifier: AGPL-3.0-or-later -#} - -base: - 'sys-ssh': - - sys-ssh.configure diff --git a/salt/sys-ssh/create.sls b/salt/sys-ssh/create.sls index 74cce5f..d6ca3d6 100644 --- a/salt/sys-ssh/create.sls +++ b/salt/sys-ssh/create.sls @@ -41,6 +41,7 @@ prefs: features: - enable: - servicevm + - service.ssh-server - disable: - service.cups - service.cups-browsed diff --git a/salt/sys-ssh/files/client/ssh_config.d/50-qusal-sys-ssh.conf b/salt/sys-ssh/files/client/ssh_config.d/50-qusal-sys-ssh.conf new file mode 100644 index 0000000..1e2e625 --- /dev/null +++ b/salt/sys-ssh/files/client/ssh_config.d/50-qusal-sys-ssh.conf @@ -0,0 +1,11 @@ +# vim: ft=sshconfig + +# SPDX-FileCopyrightText: 2024 Benjamin Grande M. S. +# +# SPDX-License-Identifier: AGPL-3.0-or-later + +Host default-qubes-server + Hostname 127.0.0.1 + User user + Port 1840 + StrictHostKeyChecking no diff --git a/salt/sys-ssh/files/client/systemd/qusal-ssh-forwarder.socket b/salt/sys-ssh/files/client/systemd/qusal-ssh-forwarder.socket new file mode 100644 index 0000000..bd4a7ba --- /dev/null 
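Review bot: `StrictHostKeyChecking no` in the new `Host default-qubes-server` stanza disables host key verification for the alias, and because the `@default` target is decided by the dom0 Qrexec policy, a changed host key is precisely the signal that would tell the user the call has been redirected to a different server qube; `StrictHostKeyChecking accept-new` keeps that protection while still avoiding the first-connection prompt. A comment above the stanza saying that the peer is authenticated by the Qrexec policy rather than by the host key would make the relaxation intentional for the next reader. `Port 1840` has to match the `ListenStream=` of `qusal-ssh-forwarder.socket`, which is not readable in this diff, and `User user` assumes the account name on the server qube; a comment noting both dependencies would help.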
+++ b/salt/sys-ssh/files/client/systemd/qusal-ssh-forwarder.socket @@ -0,0 +1,17 @@ +# SPDX-FileCopyrightText: 2023 - 2024 Benjamin Grande M. S. -# -# SPDX-License-Identifier: AGPL-3.0-or-later - -systemctl unmask ssh -systemctl --no-block restart ssh diff --git a/salt/sys-ssh/files/server/sshd_config.d/sys-ssh.conf b/salt/sys-ssh/files/server/sshd_config.d/50-qusal-sys-ssh.conf similarity index 100% rename from salt/sys-ssh/files/server/sshd_config.d/sys-ssh.conf rename to salt/sys-ssh/files/server/sshd_config.d/50-qusal-sys-ssh.conf diff --git a/salt/sys-ssh/files/server/systemd/ssh.service.d/50_qusal.conf b/salt/sys-ssh/files/server/systemd/ssh.service.d/50_qusal.conf new file mode 100644 index 0000000..5677eec --- /dev/null +++ b/salt/sys-ssh/files/server/systemd/ssh.service.d/50_qusal.conf @@ -0,0 +1,8 @@ +# SPDX-FileCopyrightText: 2023 - 2024 Benjamin Grande M. S. +# +# SPDX-License-Identifier: AGPL-3.0-or-later +# vim: ft=systemd +[Unit] +ConditionPathExists=/var/run/qubes-service/ssh-server +After=qubes-sysinit.service +Before=qubes-qrexec-agent.service diff --git a/salt/sys-ssh/init.top b/salt/sys-ssh/init.top index 581c2b0..e41cd4b 100644 --- a/salt/sys-ssh/init.top +++ b/salt/sys-ssh/init.top @@ -10,5 +10,3 @@ base: - sys-ssh.create 'tpl-sys-ssh': - sys-ssh.install - 'sys-ssh': - - sys-ssh.configure diff --git a/salt/sys-ssh/install-client.sls b/salt/sys-ssh/install-client.sls index 6f51717..ebeca3d 100644 --- a/salt/sys-ssh/install-client.sls +++ b/salt/sys-ssh/install-client.sls @@ -28,6 +28,15 @@ include: - skip_suggestions: True - pkgs: {{ pkg.pkg|sequence|yaml }} +"{{ slsdotpath }}-ssh-config": + file.managed: + - name: /etc/ssh/ssh_config.d/50-qusal-{{ slsdotpath }}.conf + - source: salt://{{ slsdotpath }}/files/client/ssh_config.d/50-qusal-{{ slsdotpath }}.conf + - mode: '0644' + - user: root + - group: root + - makedirs: True + "{{ slsdotpath }}-client-systemd": file.recurse: - name: /usr/lib/systemd/system/ 
@@ -38,8 +47,8 @@ include: - group: root - makedirs: True -"{{ slsdotpath }}-client-systemd-start-qubes-ssh-forwarder.socket": +"{{ slsdotpath }}-client-systemd-start-qusal-ssh-forwarder.socket": service.enabled: - - name: qubes-ssh-forwarder.socket + - name: qusal-ssh-forwarder.socket {% endif -%} diff --git a/salt/sys-ssh/install.sls b/salt/sys-ssh/install.sls index 1d06d71..4b3b030 100644 --- a/salt/sys-ssh/install.sls +++ b/salt/sys-ssh/install.sls @@ -20,16 +20,21 @@ include: - openssh-server - man-db -"{{ slsdotpath }}-stop-ssh": - service.dead: +"{{ slsdotpath }}-ssh-systemd-service": + file.managed: + - name: /usr/lib/systemd/system/ssh.service.d/50_qusal.conf + - source: salt://{{ slsdotpath }}/files/server/systemd/ssh.service.d/50_qusal.conf + - mode: '0644' + - user: root + - group: root + - makedirs: True + +"{{ slsdotpath }}-unmask-ssh": + service.unmasked: - name: ssh -"{{ slsdotpath }}-disable-ssh": - service.disabled: - - name: ssh - -"{{ slsdotpath }}-mask-ssh": - service.masked: +"{{ slsdotpath }}-enable-ssh": + service.enabled: - name: ssh "{{ slsdotpath }}-rpc": @@ -52,9 +57,9 @@ include: "{{ slsdotpath }}-sshd-config": file.managed: - - name: /etc/ssh/sshd_config.d/{{ slsdotpath }}.conf - - source: salt://{{ slsdotpath }}/files/server/sshd_config.d/{{ slsdotpath }}.conf - - mode: '0755' + - name: /etc/ssh/sshd_config.d/50-qusal-{{ slsdotpath }}.conf + - source: salt://{{ slsdotpath }}/files/server/sshd_config.d/50-qusal-{{ slsdotpath }}.conf + - mode: '0644' - user: root - group: root - makedirs: True diff --git a/salt/sys-syncthing/README.md b/salt/sys-syncthing/README.md index 3997b58..72f387a 100644 --- a/salt/sys-syncthing/README.md +++ b/salt/sys-syncthing/README.md 
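Review bot: The drop-in is written to `/usr/lib/systemd/system/ssh.service.d/50_qusal.conf` and the unmask/enable states name `ssh`, which is the Debian unit name; on Fedora-family templates the unit is `sshd.service`, so the drop-in would never be read there and the enable state would fail. If `tpl-sys-ssh` is Debian-only, a one-line comment saying so above `{{ slsdotpath }}-ssh-systemd-service` settles the question; otherwise the unit name and drop-in directory need an `os_family` switch like the package lists elsewhere in this repository. The `rsync` unit in `sys-rsync/install.sls` has the same Debian-specific name (`rsyncd.service` on Fedora).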
@@ -52,9 +52,11 @@ Install Syncthing on the client template: sudo qubesctl --skip-dom0 --targets=TEMPLATE state.apply sys-syncthing.install-client ``` -The client qube requires the split Syncthing service to be enabled: +The client qube requires the split Syncthing and the Syncthing Daemon service +to be enabled: ```sh -qvm-features QUBE service.syncthing-setup 1 +qvm-features QUBE service.syncthing-client 1 +qvm-features QUBE service.syncthing-server 1 ``` ## Access Control @@ -87,8 +89,8 @@ interface. In other words, it has control over the server functions, if the browser is compromised, it can compromise the server. To use the service, from the client, add a Remote Device, and copy the -`DeviceID` from the server qube. On the Advanced tab, under Addresses, change -`dynamic` to `tcp://127.0.0.1:22001` +`DeviceID` from the server qube. On the `Advanced` tab, under `Addresses`, +change `dynamic` to `tcp://127.0.0.1:22001` If the sender qube has no netvm set, under `Settings`, disable `Enable NAT traversal`, `Local Discovery`, `Global Discovery`, and `Enable Relaying` @@ -119,7 +121,6 @@ Uninstallation procedure: ```sh qvm-port-forward -a del -q sys-syncthing -n tcp -p 22000 qvm-port-forward -a del -q sys-syncthing -n udp -p 22000 -sudo qubesctl --skip-dom0 --targets=sys-syncthing state.apply sys-syncthing.cancel sudo qubesctl state.apply sys-syncthing.clean ``` diff --git a/salt/sys-syncthing/cancel.sls b/salt/sys-syncthing/cancel.sls deleted file mode 100644 index d8e93a2..0000000 --- a/salt/sys-syncthing/cancel.sls +++ /dev/null @@ -1,9 +0,0 @@ -{# -SPDX-FileCopyrightText: 2022 unman - -SPDX-License-Identifier: AGPL-3.0-or-later -#} - -"{{ slsdotpath }}-remove-service-from-rc.local": - file.absent: - - name: /rw/config/rc.local.d/50-sys-syncthing.rc diff --git a/salt/sys-syncthing/cancel.top b/salt/sys-syncthing/cancel.top deleted file mode 100644 index 4aaf91c..0000000 --- a/salt/sys-syncthing/cancel.top +++ /dev/null 
@@ -1,9 +0,0 @@ -{# -SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. - -SPDX-License-Identifier: AGPL-3.0-or-later -#} - -base: - 'sys-syncthing': - - sys-syncthing.configure diff --git a/salt/sys-syncthing/clean.sls b/salt/sys-syncthing/clean.sls index 74b2f51..d239d4c 100644 --- a/salt/sys-syncthing/clean.sls +++ b/salt/sys-syncthing/clean.sls @@ -11,5 +11,11 @@ SPDX-License-Identifier: AGPL-3.0-or-later - flags: - force +"{{ slsdotpath }}-stop-syncthing-from-starting": + qvm.features: + - name: {{ slsdotpath }} + - disable: + - service.syncthing-server + {% from 'utils/macros/policy.sls' import policy_unset with context -%} {{ policy_unset(sls_path, '80') }} diff --git a/salt/sys-syncthing/configure-browser.sls b/salt/sys-syncthing/configure-browser.sls index 7f6520c..4cce118 100644 --- a/salt/sys-syncthing/configure-browser.sls +++ b/salt/sys-syncthing/configure-browser.sls @@ -18,6 +18,15 @@ include: - group: root - makedirs: True +"{{ slsdotpath }}-browser-systemd-services": + file.recurse: + - name: /rw/config/systemd/ + - source: salt://{{ slsdotpath }}/files/browser/systemd/ + - dir_mode: '0755' + - file_mode: '0644' + - user: root + - group: root + - makedirs: True "{{ slsdotpath }}-browser-desktop-application": file.managed: diff --git a/salt/sys-syncthing/configure.sls b/salt/sys-syncthing/configure.sls index 6d7a9da..b5267f9 100644 --- a/salt/sys-syncthing/configure.sls +++ b/salt/sys-syncthing/configure.sls @@ -1,5 +1,4 @@ {# -SPDX-FileCopyrightText: 2022 unman SPDX-FileCopyrightText: 2023 - 2024 Benjamin Grande M. S. SPDX-License-Identifier: AGPL-3.0-or-later @@ -7,12 +6,4 @@ SPDX-License-Identifier: AGPL-3.0-or-later include: - dotfiles.copy-xfce - -"{{ slsdotpath }}-rc.local": - file.managed: - - name: /rw/config/rc.local.d/50-sys-syncthing.rc - - source: salt://{{ slsdotpath }}/files/server/rc.local.d/50-sys-syncthing.rc - - mode: '0755' - - user: root - - group: root - - makedirs: True + - dotfiles.copy-x11 
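Review bot: The new `{{ slsdotpath }}-stop-syncthing-from-starting` state in `clean.sls` disables `service.syncthing-server` on the `sys-syncthing` qube, but the preceding context (`- flags:` / `- force`) looks like the state that removes the qube, and Salt runs states in file order absent requisites, so if that is the case the feature is set on a qube that no longer exists and the state errors. Either order it before the removal (a `- require_in:` on the removal state) or drop it, since a removed qube cannot start syncthing; if the intent is to keep the qube and only stop the daemon, the role `cancel.sls` had before this commit deleted it, a comment saying so would clarify. In `configure-browser.sls` the new `-browser-systemd-services` block is not followed by a blank line before `-browser-desktop-application`, unlike the identical blocks added to sys-cacher and sys-pihole.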
diff --git a/salt/sys-syncthing/create.sls b/salt/sys-syncthing/create.sls index 4f8a8c0..2084381 100644 --- a/salt/sys-syncthing/create.sls +++ b/salt/sys-syncthing/create.sls @@ -56,6 +56,7 @@ prefs: features: - enable: - servicevm + - service.syncthing-server - disable: - service.cups - service.cups-browsed @@ -83,6 +84,8 @@ prefs: - autostart: False - include_in_backups: False features: +- enable: + - service.syncthing-browser - disable: - service.cups - service.cups-browsed diff --git a/salt/sys-syncthing/files/browser/rc.local.d/50-sys-syncthing.rc b/salt/sys-syncthing/files/browser/rc.local.d/50-sys-syncthing.rc index 86e2956..471791f 100755 --- a/salt/sys-syncthing/files/browser/rc.local.d/50-sys-syncthing.rc +++ b/salt/sys-syncthing/files/browser/rc.local.d/50-sys-syncthing.rc @@ -1,7 +1,9 @@ #!/bin/sh # vim: ft=sh -# SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. +# SPDX-FileCopyrightText: 2023 - 2024 Benjamin Grande M. S. # # SPDX-License-Identifier: AGPL-3.0-or-later -qvm-connect-tcp 8384:@default:8384 +cp -r /rw/config/systemd/qusal-syncthing-browser-forwarder* /usr/lib/systemd/system/ +systemctl daemon-reload +systemctl --no-block restart qusal-syncthing-browser-forwarder.socket diff --git a/salt/sys-syncthing/files/browser/systemd/qusal-syncthing-browser-forwarder.socket b/salt/sys-syncthing/files/browser/systemd/qusal-syncthing-browser-forwarder.socket new file mode 100644 index 0000000..6e75053 --- /dev/null +++ b/salt/sys-syncthing/files/browser/systemd/qusal-syncthing-browser-forwarder.socket 
@@ -0,0 +1,17 @@ +# SPDX-FileCopyrightText: 2023 - 2024 Benjamin Grande M. S. -## SPDX-FileCopyrightText: 2024 Benjamin Grande M. S. -## -## SPDX-License-Identifier: AGPL-3.0-or-later - -[Unit] -Description=Syncthing over Qrexec -After=qubes-sysinit.service -After=qubes-qrexec-agent.service -ConditionPathExists=/var/run/qubes-service/syncthing-setup - -[Service] -ExecStart=/usr/bin/socat TCP4-LISTEN:22001,reuseaddr,fork,end-close EXEC:"qrexec-client-vm @default qusal.Syncthing" -Restart=on-failure -RestartSec=3 - -# Hardening -ProtectSystem=full -PrivateTmp=true -SystemCallArchitectures=native -MemoryDenyWriteExecute=true -NoNewPrivileges=true - -[Install] -WantedBy=multi-user.target diff --git a/salt/sys-syncthing/files/client/systemd/qusal-syncthing-forwarder.socket b/salt/sys-syncthing/files/client/systemd/qusal-syncthing-forwarder.socket new file mode 100644 index 0000000..9bdc39c --- /dev/null +++ b/salt/sys-syncthing/files/client/systemd/qusal-syncthing-forwarder.socket @@ -0,0 +1,17 @@ +# SPDX-FileCopyrightText: 2023 - 2024 Benjamin Grande M. S. -# -# SPDX-License-Identifier: AGPL-3.0-or-later - -systemctl unmask syncthing@user.service -systemctl --no-block restart syncthing@user.service diff --git a/salt/sys-syncthing/files/server/systemd/syncthing@.service.d/50_qusal.conf b/salt/sys-syncthing/files/server/systemd/syncthing@.service.d/50_qusal.conf new file mode 100644 index 0000000..e1eb701 --- /dev/null +++ b/salt/sys-syncthing/files/server/systemd/syncthing@.service.d/50_qusal.conf @@ -0,0 +1,8 @@ +# SPDX-FileCopyrightText: 2023 - 2024 Benjamin Grande M. S. +# +# SPDX-License-Identifier: AGPL-3.0-or-later +# vim: ft=systemd +[Unit] +ConditionPathExists=/var/run/qubes-service/syncthing-server +After=qubes-sysinit.service +Before=qubes-qrexec-agent.service diff --git a/salt/sys-syncthing/install-client.sls b/salt/sys-syncthing/install-client.sls index ad4a472..c78be41 100644 --- a/salt/sys-syncthing/install-client.sls 
+++ b/salt/sys-syncthing/install-client.sls @@ -12,7 +12,7 @@ include: - utils.tools.common.update {% endif -%} -"{{ slsdotpath }}-installed": +"{{ slsdotpath }}-client-installed": pkg.installed: {% if grains['os_family']|lower == 'debian' -%} - require: @@ -22,38 +22,42 @@ include: - install_recommends: False - skip_suggestions: True - pkgs: - - socat - syncthing + - jq - man-db -{% set pkg = { - 'Debian': { - 'pkg': ['libpam-systemd'], - }, - 'RedHat': { - 'pkg': ['systemd-pam'], - }, -}.get(grains.os_family) -%} - -"{{ slsdotpath }}-installed-os-specific": - pkg.installed: - - require: - - sls: utils.tools.common.update - - install_recommends: False - - skip_suggestions: True - - pkgs: {{ pkg.pkg|sequence|yaml }} - -"{{ slsdotpath }}-set-systemd-qubes-syncthing-forwarder.service": - file.managed: - - name: /usr/lib/systemd/system/qubes-syncthing-forwarder.service - - source: salt://{{ slsdotpath }}/files/client/systemd/qubes-syncthing-forwarder.service +"{{ slsdotpath }}-client-systemd": + file.recurse: + - name: /usr/lib/systemd/system/ + - source: salt://{{ slsdotpath }}/files/client/systemd/ + - dir_mode: '0755' + - file_mode: '0644' - user: root - group: root - - mode: '0755' - makedirs: True -"{{ slsdotpath }}-enable-qubes-syncthing": +"{{ slsdotpath }}-client-systemd-enable-qusal-syncthing-forwarder.socket": service.enabled: - - name: qubes-syncthing.service + - name: qusal-syncthing-forwarder.socket + +"{{ slsdotpath }}-server-systemd": + file.recurse: + - name: /usr/lib/systemd/system/ + - source: salt://{{ slsdotpath }}/files/server/systemd/ + - dir_mode: '0755' + - file_mode: '0644' + - user: root + - group: root + - makedirs: True + +"{{ slsdotpath }}-unmask-syncthing@user": + service.unmasked: + - name: syncthing@user.service + - runtime: False + +"{{ slsdotpath }}-enable-syncthing@user": + service.enabled: + - name: syncthing@user.service + {% endif -%} 
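Review bot: The state IDs `{{ slsdotpath }}-server-systemd`, `{{ slsdotpath }}-unmask-syncthing@user` and `{{ slsdotpath }}-enable-syncthing@user` are the same strings used in `sys-syncthing/install.sls`; both files target templates, and if a highstate ever includes both on one minion Salt rejects the duplicate IDs. Prefixing them with `client-`, as the neighbouring `-client-installed` and `-client-systemd` states already are, avoids the collision. The client template also receives the drop-in from `files/server/systemd/`, so the client's own daemon is gated by `service.syncthing-server`; that matches the README change in this commit but deserves a one-line comment here, because the directory name reads as server-only.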
diff --git a/salt/sys-syncthing/install.sls b/salt/sys-syncthing/install.sls index 5f8d4d2..e4a017b 100644 --- a/salt/sys-syncthing/install.sls +++ b/salt/sys-syncthing/install.sls @@ -26,10 +26,27 @@ include: - qubes-core-agent-networking - syncthing - jq - - qubes-core-agent-thunar - - thunar - man-db +"{{ slsdotpath }}-systemd": + file.recurse: + - name: /usr/lib/systemd/system/ + - source: salt://{{ slsdotpath }}/files/server/systemd/ + - dir_mode: '0755' + - file_mode: '0644' + - user: root + - group: root + - makedirs: True + +"{{ slsdotpath }}-unmask-syncthing@user": + service.unmasked: + - name: syncthing@user.service + - runtime: False + +"{{ slsdotpath }}-enable-syncthing@user": + service.enabled: + - name: syncthing@user.service + "{{ slsdotpath }}-rpc": file.symlink: - name: /etc/qubes-rpc/qusal.Syncthing @@ -48,11 +65,6 @@ include: - force: True - makedirs: True -"{{ slsdotpath }}-mask-syncthing": - service.masked: - - name: syncthing@user.service - - runtime: False - "{{ slsdotpath }}-desktop-application-browser": file.managed: - name: /usr/share/applications/syncthing-browser.desktop diff --git a/salt/sys-usb/README.md b/salt/sys-usb/README.md index 5ecb0e2..f095ffc 100644 --- a/salt/sys-usb/README.md +++ b/salt/sys-usb/README.md 
@@ -66,21 +66,21 @@ qvm-prefs QUBE audiovm disp-sys-usb Install the proxy on the client template: ```sh -sudo qubesctl --skip-dom0 --targets=tpl-QUBE state.apply sys-usb.install-client-proxy +sudo qubesctl --skip-dom0 --targets=TEMPLATE state.apply sys-usb.install-client-proxy ``` #### Client cryptsetup installation If the client requires decrypting a device, install on the client template: ```sh -sudo qubesctl --skip-dom0 --targets=tpl-QUBE state.apply sys-usb.install-client-cryptsetup +sudo qubesctl --skip-dom0 --targets=TEMPLATE state.apply sys-usb.install-client-cryptsetup ``` #### Client CTAP installation If the client requires a CTAP device, install on the client template: ```sh -sudo qubesctl --skip-dom0 --targets=tpl-QUBE state.apply sys-usb.install-client-fido +sudo qubesctl --skip-dom0 --targets=TEMPLATE state.apply sys-usb.install-client-fido ``` And enable the CTAP Proxy service for the client qubes: ```sh