refactor: prefer systemd sockets over socat

- Document preferred method for socket use depending on use case; - Fix Github web-flow key; - Standardize naming of services; - Use sys-ssh in ansible formula; - Start services conditionally with Qubes Service and evaluated by systemd ConditionPathExists= instead of installing on a per qube basis with rc.local scripts; - Change Qusal services to "qusal-" prefix instead of "qubes-" prefix. Fixes: https://github.com/ben-grande/qusal/issues/80 Fixes: https://github.com/ben-grande/qusal/issues/79
2025-09-19 20:14:44 -04:00 · 2024-06-25 22:16:26 +02:00 · 2024-06-25 22:16:26 +02:00 · 9c280689d8
commit 9c280689d8
parent 3880a35cfa
106 changed files with 606 additions and 567 deletions
--- a/salt/sys-ssh/README.md
+++ b/salt/sys-ssh/README.md
@ -39,7 +39,6 @@ sudo qubesctl top.disable sys-ssh
 ```sh
 sudo qubesctl state.apply sys-ssh.create
 sudo qubesctl --skip-dom0 --targets=tpl-sys-ssh state.apply sys-ssh.install
-sudo qubesctl --skip-dom0 --targets=sys-ssh state.apply sys-ssh.configure
 ```
 <!-- pkg:end:post-install -->

@ -50,7 +49,7 @@ sudo qubesctl --skip-dom0 --targets=TEMPLATE state.apply sys-ssh.install-client

 The client qube requires the SSH forwarder service to be enabled:
 ```
-qvm-features QUBE service.ssh-setup 1
+qvm-features QUBE service.ssh-client 1
 ```

 ## Access Control
--- a/salt/sys-ssh/configure.sls
+++ b/salt/sys-ssh/configure.sls
@ -1,30 +0,0 @@
-{#
-SPDX-FileCopyrightText: 2022 unman <unman@thirdeyesecurity.org>
-SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
-
-SPDX-License-Identifier: AGPL-3.0-or-later
-#}
-
-{% if grains['nodename'] != 'dom0' -%}
-
-include:
-  - dev.home-cleanup
-
-"{{ slsdotpath }}-start-ssh-on-boot":
-  file.managed:
-    - name: /rw/config/rc.local.d/50-sys-ssh.rc
-    - source: salt://{{ slsdotpath }}/files/server/rc.local.d/50-sys-ssh.rc
-    - mode: '0755'
-    - user: root
-    - group: root
-    - makedirs: True
-
-"{{ slsdotpath }}-creates-home-ssh-dir":
-  file.directory:
-    - name: /home/user/.ssh
-    - mode: '0700'
-    - user: user
-    - group: user
-    - makedirs: True
-
-{% endif -%}
--- a/salt/sys-ssh/configure.top
+++ b/salt/sys-ssh/configure.top
@ -1,9 +0,0 @@
-{#
-SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
-
-SPDX-License-Identifier: AGPL-3.0-or-later
-#}
-
-base:
-  'sys-ssh':
-    - sys-ssh.configure
--- a/salt/sys-ssh/create.sls
+++ b/salt/sys-ssh/create.sls
@ -41,6 +41,7 @@ prefs:
 features:
 - enable:
  - servicevm
+  - service.ssh-server
 - disable:
  - service.cups
  - service.cups-browsed
--- a/salt/sys-ssh/files/client/ssh_config.d/50-qusal-sys-ssh.conf
+++ b/salt/sys-ssh/files/client/ssh_config.d/50-qusal-sys-ssh.conf
@ -0,0 +1,11 @@
+# vim: ft=sshconfig
+
+# SPDX-FileCopyrightText: 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com>
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+Host default-qubes-server
+        Hostname 127.0.0.1
+        User user
+        Port 1840
+        StrictHostKeyChecking no
--- a/salt/sys-ssh/files/client/systemd/qusal-ssh-forwarder.socket
+++ b/salt/sys-ssh/files/client/systemd/qusal-ssh-forwarder.socket
@ -3,12 +3,13 @@
 # SPDX-License-Identifier: AGPL-3.0-or-later

 [Unit]
-Description=Forward connection to SSH over Qrexec
+Description=Forward SSH connection over Qrexec
 After=qubes-sysinit.service
-ConditionPathExists=/var/run/qubes-service/ssh-setup
+Before=qubes-qrexec-agent.service
+ConditionPathExists=/var/run/qubes-service/ssh-client

 [Socket]
-ListenStream=127.0.0.1:840
+ListenStream=127.0.0.1:1840
 BindToDevice=lo
 Accept=true

--- a/salt/sys-ssh/files/client/systemd/qusal-ssh-forwarder@.service
+++ b/salt/sys-ssh/files/client/systemd/qusal-ssh-forwarder@.service
@ -1,9 +1,9 @@
-# SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com
+# SPDX-FileCopyrightText: 2023 - 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later

 [Unit]
-Description=Forward connection to SSH over Qrexec
+Description=Forward SSH connection over Qrexec

 [Service]
 ExecStart=/usr/bin/qrexec-client-vm @default qusal.Ssh
--- a/salt/sys-ssh/files/server/rc.local.d/50-sys-ssh.rc
+++ b/salt/sys-ssh/files/server/rc.local.d/50-sys-ssh.rc
@ -1,8 +0,0 @@
-#!/bin/sh
-# vim: ft=sh
-# SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
-#
-# SPDX-License-Identifier: AGPL-3.0-or-later
-
-systemctl unmask ssh
-systemctl --no-block restart ssh
--- a/salt/sys-ssh/files/server/sshd_config.d/50-qusal-sys-ssh.conf
+++ b/salt/sys-ssh/files/server/sshd_config.d/50-qusal-sys-ssh.conf
--- a/salt/sys-ssh/files/server/systemd/ssh.service.d/50_qusal.conf
+++ b/salt/sys-ssh/files/server/systemd/ssh.service.d/50_qusal.conf
@ -0,0 +1,8 @@
+# SPDX-FileCopyrightText: 2023 - 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com>
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+# vim: ft=systemd
+[Unit]
+ConditionPathExists=/var/run/qubes-service/ssh-server
+After=qubes-sysinit.service
+Before=qubes-qrexec-agent.service
--- a/salt/sys-ssh/init.top
+++ b/salt/sys-ssh/init.top
@ -10,5 +10,3 @@ base:
    - sys-ssh.create
  'tpl-sys-ssh':
    - sys-ssh.install
-  'sys-ssh':
-    - sys-ssh.configure
--- a/salt/sys-ssh/install-client.sls
+++ b/salt/sys-ssh/install-client.sls
@ -28,6 +28,15 @@ include:
    - skip_suggestions: True
    - pkgs: {{ pkg.pkg|sequence|yaml }}

+"{{ slsdotpath }}-ssh-config":
+  file.managed:
+    - name: /etc/ssh/ssh_config.d/50-qusal-{{ slsdotpath }}.conf
+    - source: salt://{{ slsdotpath }}/files/client/ssh_config.d/50-qusal-{{ slsdotpath }}.conf
+    - mode: '0644'
+    - user: root
+    - group: root
+    - makedirs: True
+
 "{{ slsdotpath }}-client-systemd":
  file.recurse:
    - name: /usr/lib/systemd/system/
@ -38,8 +47,8 @@ include:
    - group: root
    - makedirs: True

-"{{ slsdotpath }}-client-systemd-start-qubes-ssh-forwarder.socket":
+"{{ slsdotpath }}-client-systemd-start-qusal-ssh-forwarder.socket":
  service.enabled:
-    - name: qubes-ssh-forwarder.socket
+    - name: qusal-ssh-forwarder.socket

 {% endif -%}
--- a/salt/sys-ssh/install.sls
+++ b/salt/sys-ssh/install.sls
@ -20,16 +20,21 @@ include:
      - openssh-server
      - man-db

-"{{ slsdotpath }}-stop-ssh":
-  service.dead:
+"{{ slsdotpath }}-ssh-systemd-service":
+  file.managed:
+    - name: /usr/lib/systemd/system/ssh.service.d/50_qusal.conf
+    - source: salt://{{ slsdotpath }}/files/server/systemd/ssh.service.d/50_qusal.conf
+    - mode: '0644'
+    - user: root
+    - group: root
+    - makedirs: True
+
+"{{ slsdotpath }}-unmask-ssh":
+  service.unmasked:
    - name: ssh

-"{{ slsdotpath }}-disable-ssh":
-  service.disabled:
-    - name: ssh
-
-"{{ slsdotpath }}-mask-ssh":
-  service.masked:
+"{{ slsdotpath }}-enable-ssh":
+  service.enabled:
    - name: ssh

 "{{ slsdotpath }}-rpc":
@ -52,9 +57,9 @@ include:

 "{{ slsdotpath }}-sshd-config":
  file.managed:
-    - name: /etc/ssh/sshd_config.d/{{ slsdotpath }}.conf
-    - source: salt://{{ slsdotpath }}/files/server/sshd_config.d/{{ slsdotpath }}.conf
-    - mode: '0755'
+    - name: /etc/ssh/sshd_config.d/50-qusal-{{ slsdotpath }}.conf
+    - source: salt://{{ slsdotpath }}/files/server/sshd_config.d/50-qusal-{{ slsdotpath }}.conf
+    - mode: '0644'
    - user: root
    - group: root
    - makedirs: True