refactor: prefer systemd sockets over socat

- Document preferred method for socket use depending on use case;
- Fix Github web-flow key;
- Standardize naming of services;
- Use sys-ssh in ansible formula;
- Start services conditionally with Qubes Service and evaluated by
  systemd ConditionPathExists= instead of installing on a per qube basis
  with rc.local scripts;
- Change Qusal services to "qusal-" prefix instead of "qubes-" prefix.

Fixes: https://github.com/ben-grande/qusal/issues/80
Fixes: https://github.com/ben-grande/qusal/issues/79
Ben Grande 2024-06-25 22:16:26 +02:00
parent 3880a35cfa
commit 9c280689d8
No known key found for this signature in database
GPG Key ID: 00C64E14F51F9E56
106 changed files with 606 additions and 567 deletions

View File

@ -14,8 +14,10 @@ Qusal design document.
* [Qube naming](#qube-naming)
* [Qube label](#qube-label)
* [Qube menu](#qube-menu)
* [Qube features](#qube-features)
* [Qube connections](#qube-connections)
* [Qrexec call and policy](#qrexec-call-and-policy)
* [Qrexec socket services](#qrexec-socket-services)
## Goal
@ -167,6 +169,21 @@ building software is risky, the user trying to open a file manager on a qube
that doesn't have one is less risky but for the user the behavior is
unexpected.
### Qube features
Control daemons using Qubes Services. It is much better to control services
this way as we can declare during the creation of qubes instead of having to
add a state to run a script during boot to unmask and start a specific
service. The method below is most of the times combined with `systemd.unit`
`ConditionPathExists=` to enable the service conditionally.
- Server's service name must match the syntax: `service-server` (example:
`rsync-server`, `syncthing-server`);
- Client's service name must match the syntax: `service-client` (example:
`ssh-client`;
- Local program's service name must match the syntax: `service` (example:
`docker`, `podman`.
### Qube connections
There are several ways a qube can connect to another, either directly with
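Review bot: the second and third bullets of the new "Qube features" list are missing their closing parentheses ("(example: `ssh-client`;" and "(example: `docker`, `podman`."); close them like the first bullet, i.e. "(example: `ssh-client`);" and "(example: `docker`, `podman`).". In the paragraph above, "most of the times" should read "most of the time", and "combined with `systemd.unit` `ConditionPathExists=`" is clearer as "combined with the `ConditionPathExists=` directive of the systemd unit".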
@ -202,3 +219,40 @@ Xen or with Qrexec. If something is not required, we remove it.
`qrexec-client-vm`.
3. Target qube for client script must default to `@default`, but other targets
must be allowed via parameters.
### Qrexec socket services
Native Qrexec TCP sockets `/dev/tcp` using `qubes.ConnectTCP` are very handy
to connect to a port of a qube. The downside of using `qubes.ConnectTCP`
directly is the user doesn't want or need to know in which port the client
wants to connect in the server. We will refer to Unix Domains Sockets as
`UDS`.
Using `qusal.Service`, such as `qusal.Rsync`, `qusal.Syncthing`, `qusal.Ssh`
has the following advantages:
- Usability: User recognizes the call per service name;
- Extensibility: Allows extending functionality for arguments added in the
future, no need to migrate user policy from `qubes.ConnectTCP`;
is not necessary;
Rules for server RPC service:
- Symlink `qubes.ConnectTCP` to `qusal.Service` if connecting to a local port;
- Use `qubes.ConnectTCP` directly when the user won't manage the policy for
the wanted call, such as `sys-syncthing-browser`, where it happens that only
this qube will access the admin interface of `sys-syncthing`;
- Use `socat` to connect to remote hosts or UDS with path defined by the
service argument.
Rules for client RPC call:
- Use `systemd.socket` units, it does not require `socat`, it is not
restricted to the use of `qubes.ConnectTCP` called by `qvm-connect-tcp`, the
service can be properly logged and status verified by a service manager
instead of forking socat to the background with a `rc.local` script and
finally, can be controlled by Qubes Services to enable or disable the unit
with `ConditionPathExists=` instead of doing if-else statements in
`rc.local`;
- Use of `socat` and `qvm-connect-tcp` is permitted for UDS and for
instructional use as it is very short.
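Review bot: the Extensibility bullet ends in a dangling fragment: "...no need to migrate user policy from `qubes.ConnectTCP`;" is followed by a lone "is not necessary;" line that belongs to no sentence; drop the stray line or finish the thought. Also "Unix Domains Sockets" should be "Unix Domain Sockets", and the claim that a `systemd.socket` forwarder "can be properly logged and status verified" is the main operational argument for dropping socat, so it deserves one concrete line (that `systemctl status` and `journalctl -u` apply to the forwarder units, whereas a backgrounded socat from `rc.local` has neither).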

View File

@ -69,12 +69,10 @@ stages:
gpg-client: gpg
sign-key:
rpm:
- DF3834875B65758713D92E91A475969DE4E371E3
rpm: DF3834875B65758713D92E91A475969DE4E371E3
#repository-publish:
# components: current-testing
repository-publish:
components: current-testing
#repository-upload-remote-host:
# rpm: user@yum.qubes-os.org:/some/path
# deb: user@deb.qubes-os.org:/another/path
# repository-upload-remote-host:
# rpm: user@yum.example.org:/some/path
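Review bot: uncommenting `repository-publish:` / `components: current-testing` changes what the builder does with finished packages and is unrelated to the socket refactor in the commit message; split it into its own commit or call it out in the message. The `sign-key: rpm:` change from a one-item list to a scalar is fine as long as the Qubes Builder V2 config schema accepts the scalar form; please confirm, since a rejected key id would silently leave RPMs unsigned only at publish time.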

View File

@ -30,7 +30,9 @@ BuildArch: noarch
Requires: qubes-mgmt-salt
Requires: qubes-mgmt-salt-dom0
Requires: qusal-dotfiles
Requires: qusal-ssh
Requires: qusal-sys-ssh
Requires: qusal-utils
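Review bot: `Requires: qusal-ssh` is swapped for `qusal-sys-ssh` here, but the ansible `install.sls` in this same commit still lists `- ssh.install` in its include block next to `sys-ssh.install` and `sys-ssh.install-client`; either keep `Requires: qusal-ssh` as well or drop the `ssh.install` include, otherwise the RPM can be installed without the formula whose state it applies in `%post`.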
@ -73,8 +75,6 @@ if test "$1" = "1"; then
## Install
qubesctl state.apply ansible.create
qubesctl --skip-dom0 --targets=tpl-ansible state.apply ansible.install
qubesctl --skip-dom0 --targets=ansible state.apply ansible.configure,zsh.touch-zshrc
qubesctl --skip-dom0 --targets=ansible-minion state.apply ansible.configure-minion,zsh.touch-zshrc
elif test "$1" = "2"; then
## Upgrade
true
@ -107,6 +107,9 @@ fi
%dnl TODO: missing '%ghost', files generated during %post, such as Qrexec policies.
%changelog
* Tue Jun 25 2024 Ben Grande <ben.grande.b@gmail.com> - 3880a35
- fix: ansible references legacy zsh state
* Mon Jun 24 2024 Ben Grande <ben.grande.b@gmail.com> - ab1438f
- fix: change Launchpad repository to HTTPS domain

View File

@ -72,7 +72,6 @@ cp -rv salt/%{project} %{buildroot}/srv/salt/qusal/%{name}
if test "$1" = "1"; then
## Install
qubesctl --skip-dom0 --targets=tpl-qubes-builder state.apply docker.install
qubesctl --skip-dom0 --targets=qubes-builder state.apply docker.configure
elif test "$1" = "2"; then
## Upgrade
true

View File

@ -114,6 +114,9 @@ fi
%dnl TODO: missing '%ghost', files generated during %post, such as Qrexec policies.
%changelog
* Tue Jun 25 2024 Ben Grande <ben.grande.b@gmail.com> - 4facf45
- feat: use native TCP socket with Qrexec
* Fri Jun 21 2024 Ben Grande <ben.grande.b@gmail.com> - c84dfea
- fix: generate RPM Specs for Qubes Builder V2

View File

@ -111,6 +111,9 @@ fi
%dnl TODO: missing '%ghost', files generated during %post, such as Qrexec policies.
%changelog
* Tue Jun 25 2024 Ben Grande <ben.grande.b@gmail.com> - 4facf45
- feat: use native TCP socket with Qrexec
* Fri Jun 21 2024 Ben Grande <ben.grande.b@gmail.com> - c84dfea
- fix: generate RPM Specs for Qubes Builder V2

View File

@ -114,6 +114,9 @@ fi
%dnl TODO: missing '%ghost', files generated during %post, such as Qrexec policies.
%changelog
* Tue Jun 25 2024 Ben Grande <ben.grande.b@gmail.com> - 4facf45
- feat: use native TCP socket with Qrexec
* Fri Jun 21 2024 Ben Grande <ben.grande.b@gmail.com> - c84dfea
- fix: generate RPM Specs for Qubes Builder V2

View File

@ -30,7 +30,6 @@ BuildArch: noarch
Requires: qubes-mgmt-salt
Requires: qubes-mgmt-salt-dom0
Requires: qusal-dev
Requires: qusal-sys-ssh-agent
Requires: qusal-utils
@ -83,7 +82,6 @@ if test "$1" = "1"; then
## Install
qubesctl state.apply sys-ssh.create
qubesctl --skip-dom0 --targets=tpl-sys-ssh state.apply sys-ssh.install
qubesctl --skip-dom0 --targets=sys-ssh state.apply sys-ssh.configure
elif test "$1" = "2"; then
## Upgrade
true
@ -116,6 +114,9 @@ fi
%dnl TODO: missing '%ghost', files generated during %post, such as Qrexec policies.
%changelog
* Tue Jun 25 2024 Ben Grande <ben.grande.b@gmail.com> - 4facf45
- feat: use native TCP socket with Qrexec
* Mon Jun 24 2024 Ben Grande <ben.grande.b@gmail.com> - 22e2a2e
- chore: add copyright to systemd services

View File

@ -96,7 +96,6 @@ if test "$1" = "0"; then
## Uninstall
qvm-port-forward -a del -q sys-syncthing -n tcp -p 22000
qvm-port-forward -a del -q sys-syncthing -n udp -p 22000
qubesctl --skip-dom0 --targets=sys-syncthing state.apply sys-syncthing.cancel
qubesctl state.apply sys-syncthing.clean
elif test "$1" = "1"; then
## Upgrade
@ -121,6 +120,9 @@ fi
%dnl TODO: missing '%ghost', files generated during %post, such as Qrexec policies.
%changelog
* Tue Jun 25 2024 Ben Grande <ben.grande.b@gmail.com> - 4facf45
- feat: use native TCP socket with Qrexec
* Mon Jun 24 2024 Ben Grande <ben.grande.b@gmail.com> - 22e2a2e
- chore: add copyright to systemd services

View File

@ -26,28 +26,13 @@ sudo qubesctl top.disable ansible
```sh
sudo qubesctl state.apply ansible.create
sudo qubesctl --skip-dom0 --targets=tpl-ansible state.apply ansible.install
sudo qubesctl --skip-dom0 --targets=ansible state.apply ansible.configure
sudo qubesctl --skip-dom0 --targets=ansible-minion state.apply ansible.configure-minion
```
<!-- pkg:end:post-install -->
## Usage
Configure the control node `ansible`:
```sh
ssh-keygen -t ed25519 -N "" -f ~/.ssh/id_ansible
qvm-copy ~/.ssh/id_ansible.pub
```
Select `ansible-minion` as the target qube for the copy operation.
Configure the minion `ansible-minion`:
```sh
mkdir -m 0700 ~/.ssh
cat ~/QubesIncoming/ansible/id_ansible.pub >> ~/.ssh/authorized_keys
```
From the control node `ansible`, test connection to the minion
From the control node `ansible`, test connection to the managed node
`ansible-minion`:
```sh
ssh minion
ssh -p 1840 user@127.0.0.1
```
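Review bot: removing the `ssh-keygen` / `qvm-copy` / `authorized_keys` steps leaves the Usage section with no statement of how `ansible-minion` comes to trust the control node's key, yet the remaining test command `ssh -p 1840 user@127.0.0.1` presupposes that setup. Add a sentence pointing at where the key exchange now happens (the sys-ssh formula, if that is what `sys-ssh.install-client` provides) and say that 1840 is the local forwarder port, since the deleted `ssh-config` used 22000 and readers of the old README will look for that number.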

View File

@ -1,30 +0,0 @@
{#
SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
SPDX-License-Identifier: AGPL-3.0-or-later
#}
{% if grains['nodename'] != 'dom0' -%}
include:
- utils.tools.zsh.touch-zshrc
"{{ slsdotpath }}-minion-start-sshd":
file.managed:
- name: /rw/config/rc.local.d/50-ansible.rc
- source: salt://{{ slsdotpath }}/files/client/rc.local.d/50-ansible.rc
- mode: '0755'
- user: root
- group: root
- makedirs: True
"{{ slsdotpath }}-minion-ssh-authorized_keys":
file.touch:
- name: /home/user/.ssh/authorized_keys
- dir_mode: '0700'
- file_mode: '0600'
- user: user
- group: user
- makedirs: True
{% endif -%}

View File

@ -1,9 +0,0 @@
{#
SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
SPDX-License-Identifier: AGPL-3.0-or-later
#}
base:
'ansible':
- ansible.configure-minion

View File

@ -1,31 +0,0 @@
{#
SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
SPDX-License-Identifier: AGPL-3.0-or-later
#}
{% if grains['nodename'] != 'dom0' -%}
include:
- utils.tools.zsh.touch-zshrc
"{{ slsdotpath }}-autostart-ssh-over-qrexec":
file.managed:
- name: /rw/config/rc.local.d/50-ansible.rc
- source: salt://{{ slsdotpath }}/files/server/rc.local.d/50-ansible.rc
- mode: '0755'
- user: root
- group: root
- makedirs: True
"{{ slsdotpath }}-ssh-config":
file.managed:
- name: /home/user/.ssh/config
- source: salt://{{ slsdotpath }}/files/server/ssh-config
- file_mode: '0600'
- dir_mode: '0700'
- user: root
- group: root
- makedirs: True
{% endif -%}

View File

@ -1,9 +0,0 @@
{#
SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
SPDX-License-Identifier: AGPL-3.0-or-later
#}
base:
'ansible':
- ansible.configure

View File

@ -46,6 +46,8 @@ prefs:
features:
- set:
- menu-items: "qubes-run-terminal.desktop qubes-start.desktop"
- enable:
- service.ssh-client
- disable:
- service.cups
- service.cups-browsed
@ -73,6 +75,9 @@ prefs:
features:
- set:
- menu-items: "qubes-run-terminal.desktop qubes-start.desktop"
- enable:
- servicevm
- service.ssh-server
- disable:
- service.cups
- service.cups-browsed

View File

@ -2,5 +2,5 @@
#
# SPDX-License-Identifier: AGPL-3.0-or-later
qubes.ConnectTCP +22 {{ sls_path }} @default allow target={{ sls_path }}-minion
qusal.Ssh * {{ sls_path }} @default allow target={{ sls_path }}-minion
## vim:ft=qrexecpolicy
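Review bot: `qusal.Ssh *` replaces `qubes.ConnectTCP +22`, widening the allowed argument from one fixed port to anything. The design document in this commit says server-side `qusal.Service` calls are symlinked to `qubes.ConnectTCP` when they connect to a local port; if `qusal.Ssh` is such a symlink, the argument is the target port and this rule lets `ansible` reach any TCP port on `ansible-minion`. Either pin the argument (`qusal.Ssh +22`) or confirm that the `qusal.Ssh` service ignores or validates its argument.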

View File

@ -1,7 +0,0 @@
# SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
#
# SPDX-License-Identifier: AGPL-3.0-or-later
PubkeyAuthentication yes
# vim: ft=sshdconfig

View File

@ -1,8 +0,0 @@
#!/bin/sh
# vim: ft=sh
# SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
#
# SPDX-License-Identifier: AGPL-3.0-or-later
systemctl unmask ssh
systemctl --no-block start ssh

View File

@ -1,12 +0,0 @@
# SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
#
# SPDX-License-Identifier: AGPL-3.0-or-later
Host minion ansible-minion
Hostname 127.0.0.1
Port 22000
User user
IdentityFile ~/.ssh/id_ansible.pub
PreferredAuthentications publickey
# vim: ft=sshconfig

View File

@ -1,7 +0,0 @@
#!/bin/sh
# vim: ft=sh
# SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
#
# SPDX-License-Identifier: AGPL-3.0-or-later
qvm-connect-tcp 22000:@default:22

View File

@ -10,7 +10,3 @@ base:
- ansible.create
'tpl-ansible':
- ansible.install
'ansible':
- ansible.configure
'ansible-minion':
- ansible.configure-minion

View File

@ -9,7 +9,10 @@ SPDX-License-Identifier: AGPL-3.0-or-later
include:
- .install-repo
- utils.tools.common.update
- utils.tools.zsh
- dotfiles.copy-sh
- dotfiles.copy-x11
- sys-ssh.install
- sys-ssh.install-client
- ssh.install
"{{ slsdotpath }}-installed":
@ -26,7 +29,6 @@ include:
- ansible-lint
- python3-argcomplete
- python3-jmespath
- openssh-server
- qubes-core-agent-passwordless-root
- bash-completion
- man-db
@ -48,20 +50,4 @@ include:
- skip_suggestions: True
- pkgs: {{ pkg.pkg|sequence|yaml }}
"{{ slsdotpath }}-ssh-config":
file.managed:
- name: /etc/ssh/ssh_config.d/99-ssh-ansible.conf
- source: salt://{{ slsdotpath }}/files/server/99-ssh-ansible.conf
- mode: '0644'
- user: root
- group: root
"{{ slsdotpath }}-sshd-config":
file.managed:
- name: /etc/ssh/sshd_config.d/99-sshd-ansible.conf
- source: salt://{{ slsdotpath }}/files/client/99-sshd-ansible.conf
- mode: '0644'
- user: root
- group: root
{% endif -%}

View File

@ -14,10 +14,12 @@ Setup docker in Qubes OS with the Docker repository.
## Installation
TODO: remove installation steps or provide a docker qube.
- Top
```sh
sudo qubesctl top.enable docker
sudo qubesctl --targets=tpl-qubes-builder,qubes-builder state.apply
sudo qubesctl --targets=tpl-qubes-builder state.apply
sudo qubesctl top.disable docker
```
@ -25,10 +27,15 @@ sudo qubesctl top.disable docker
<!-- pkg:begin:post-install -->
```sh
sudo qubesctl --skip-dom0 --targets=tpl-qubes-builder state.apply docker.install
sudo qubesctl --skip-dom0 --targets=qubes-builder state.apply docker.configure
```
<!-- pkg:end:post-install -->
Enable the Docker and/or Podman service for qubes that will use it:
```sh
qvm-features QUBE service.docker 1
qvm-features QUBE service.podman 1
```
## Usage
The only qubes specific configuration to docker is changing its [root
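Review bot: the `TODO: remove installation steps or provide a docker qube` line is now stale: this hunk removes the `qubes-builder` target from the `top.enable` example and the `docker.configure` post-install step, and adds per-qube enabling via `qvm-features QUBE service.docker 1` / `service.podman 1`, which is exactly the "provide a way to use docker in a qube" the TODO asked for. Rewrite the TODO (or drop it) so the Installation section reads as template-only install plus per-qube enablement through Qubes Services.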

View File

@ -1,18 +0,0 @@
{#
SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
SPDX-License-Identifier: AGPL-3.0-or-later
#}
{% if grains['nodename'] != 'dom0' -%}
"{{ slsdotpath }}-rc.local":
file.managed:
- name: /rw/config/rc.local.d/50-docker.rc
- source: salt://{{ slsdotpath }}/files/client/rc.local.d/50-docker.rc
- mode: '0755'
- user: root
- group: root
- makedirs: True
{% endif -%}

View File

@ -1,9 +0,0 @@
{#
SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
SPDX-License-Identifier: AGPL-3.0-or-later
#}
base:
'qubes-builder':
- docker.configure

View File

@ -1,9 +0,0 @@
#!/bin/sh
# vim: ft=sh
# SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
#
# SPDX-License-Identifier: AGPL-3.0-or-later
usermod -aG docker user
systemctl unmask docker
systemctl --no-block restart docker

View File

@ -0,0 +1,8 @@
# SPDX-FileCopyrightText: 2023 - 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com>
#
# SPDX-License-Identifier: AGPL-3.0-or-later
# vim: ft=systemd
[Unit]
ConditionPathExists=/var/run/qubes-service/docker
After=qubes-sysinit.service
Before=qubes-qrexec-agent.service

View File

@ -0,0 +1,8 @@
# SPDX-FileCopyrightText: 2023 - 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com>
#
# SPDX-License-Identifier: AGPL-3.0-or-later
# vim: ft=systemd
[Unit]
ConditionPathExists=/var/run/qubes-service/podman
After=qubes-sysinit.service
Before=qubes-qrexec-agent.service

View File

@ -7,5 +7,3 @@ SPDX-License-Identifier: AGPL-3.0-or-later
base:
'tpl-qubes-builder':
- docker.install
'qubes-builder':
- docker.configure

View File

@ -52,4 +52,22 @@ include:
- addusers:
- user
"{{ slsdotpath }}-systemd":
file.recurse:
- name: /usr/lib/systemd/system/
- source: salt://{{ slsdotpath }}/files/client/systemd/
- dir_mode: '0755'
- file_mode: '0644'
- user: root
- group: root
- makedirs: True
"{{ slsdotpath }}-unmask-docker":
service.unmasked:
- name: docker
"{{ slsdotpath }}-enable-docker":
service.enabled:
- name: docker
{% endif -%}
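Review bot: only `docker` gets `service.unmasked` / `service.enabled` here, yet this commit also adds a podman drop-in gated on `/var/run/qubes-service/podman` and the README tells users to enable `service.podman`. If podman is meant to be toggled the same way, add matching unmask/enable states for it; if it is not (for example because it is used rootless and needs no daemon), state that in a comment next to the drop-in so the asymmetry is not read as an omission.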

View File

@ -88,7 +88,7 @@ socat TCP4-LISTEN:50002,reuseaddr,fork,bind=127.0.0.1 TCP:192.168.2.10:50002 &
In the qube `electrum`, add the `qvm-connect-tcp` command to the file
`/rw/config/rc.local`:
```sh
qvm-connnect-tcp ::50002
qvm-connect-tcp ::50002
```
In the qube `electrum`, run as the user `user` the electrum configuration

View File

@ -13,7 +13,6 @@ include:
- dotfiles.copy-sh
- dotfiles.copy-ssh
- dotfiles.copy-git
- docker.configure
"{{ slsdotpath }}-opam-completion-and-hooks":
file.managed:

View File

@ -37,6 +37,9 @@ prefs:
- autostart: False
- include_in_backups: True
features:
- enable:
- service.docker
- service.podman
- disable:
- service.cups
- service.cups-browsed

View File

@ -6,28 +6,36 @@ SQzvYjsE4I34To4UdE9KA97wrQjGoz2Bx72WDLyWwctD3DKQtYeHXswXXtXwKfjQ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=HXDP
-----END PGP PUBLIC KEY BLOCK----------BEGIN PGP PUBLIC KEY BLOCK-----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=HXDP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=uMz0
-----END PGP PUBLIC KEY BLOCK-----

View File

@ -13,7 +13,6 @@ include:
- dotfiles.copy-sh
- dotfiles.copy-ssh
- dotfiles.copy-x11
- docker.configure
"{{ slsdotpath }}-makedir-src":
file.directory:

View File

@ -61,11 +61,13 @@ prefs:
- label: gray
- audiovm: ""
- memory: 400
- maxmem: 800
- maxmem: 1000
- vcpus: 1
- default_dispvm: dvm-{{ slsdotpath }}
features:
- enable:
- service.docker
- service.podman
- service.split-gpg2-client
- disable:
- service.cups
@ -113,7 +115,7 @@ features:
"{{ slsdotpath }}-shutdown-template":
qvm.shutdown:
- require:
- cmd: "{{ slsdotpath }}-install-salt-deps":
- cmd: "{{ slsdotpath }}-install-salt-deps"
- name: tpl-{{ slsdotpath }}
- flags:
- force

View File

@ -18,25 +18,26 @@ include:
- pkgs:
- qubes-core-agent-networking
- qubes-core-agent-passwordless-root
- dnf-plugins-core
- createrepo_c
- debootstrap
- devscripts
- dnf-plugins-core
- dpkg-dev
- git
- mock
- pbuilder
- which
- perl-Digest-MD5
- perl-Digest-SHA
- pykickstart
- python3-debian
- python3-pyyaml
- python3-sh
- reprepro
- rpm-build
- rpmdevtools
- wget2
- python3-debian
- reprepro
- systemd-udev
- wget2
- which
"{{ slsdotpath }}-qubes-executor-add-user-to-mock-group":
group.present:

View File

@ -30,26 +30,24 @@ include:
## Minimal template dependencies
- qubes-core-agent-networking
- qubes-core-agent-passwordless-root
## Undocumented Infraestructure Mirrors dependencies
- python3-lxml
## Undocumented Builder dependencies
- python3-click
## Dependencies: https://github.com/QubesOS/qubes-builderv2#dependencies
- asciidoc
- createrepo_c
- devscripts
- m4
- mktorrent
- mock
- openssl
- pacman
- podman
- python3-click
- python3-docker
- python3-jinja2-cli
- python3-lxml
- python3-packaging
- python3-pathspec
- python3-podman
- python3-pyyaml
- rb_libtorrent-examples
- reprepro
- rpm
- rpm-sign

View File

@ -81,7 +81,7 @@ sudo qubesctl --skip-dom0 --targets=sys-bitcoin state.apply sys-bitcoin.configur
Add the tag `bitcoin-client` to the client and install in the client template:
```sh
sudo qubesctl --skip-dom0 --targets=tpl-QUBE state.apply sys-bitcoin.install-client
sudo qubesctl --skip-dom0 --targets=TEMPLATE state.apply sys-bitcoin.install-client
```
@ -212,11 +212,11 @@ In the Electrum Server qubes or any Bitcoin Client, `sys-electrumx`,
`/rw/config/rc.local`:
```sh
## RPC
qvm-connnect-tcp ::8332
qvm-connect-tcp ::8332
## P2P (ElectRS)
qvm-connnect-tcp ::8333
qvm-connect-tcp ::8333
## ZMQPubHashBlock (Fulcrum)
qvm-connnect-tcp ::8433
qvm-connect-tcp ::8433
```
Still in the Electrum Server qube, you will have to add the RPC authentication

View File

@ -89,7 +89,7 @@ The report page is available from `sys-cacher` and `sys-cacher-browser` at
security wise, every client has administrative access to the cacher qube. You
should add the following to the end of `sys-cacher` rc.local:
```sh
echo "AdminAuth: username:password" | tee /etc/qubes-apt-cacher-ng/zzz_security.conf
echo "AdminAuth: username:password" | tee /etc/qusal-apt-cacher-ng/zzz_security.conf
```
Where username and password are HTTP Auth strings.

View File

@ -18,6 +18,16 @@ include:
- group: root
- makedirs: True
"{{ slsdotpath }}-browser-systemd-services":
file.recurse:
- name: /rw/config/systemd/
- source: salt://{{ slsdotpath }}/files/browser/systemd/
- dir_mode: '0755'
- file_mode: '0644'
- user: root
- group: root
- makedirs: True
"{{ slsdotpath }}-browser-desktop-application":
file.managed:
- name: /home/user/.local/share/applications/cacher-browser.desktop

View File

@ -57,7 +57,7 @@ features:
- enable:
- servicevm
- service.crond
- service.apt-cacher-ng
- service.acng-server
- disable:
- service.cups
- service.cups-browsed
@ -87,6 +87,8 @@ prefs:
- autostart: False
- include_in_backups: False
features:
- enable:
- service.acng-browser
- disable:
- service.cups
- service.cups-browsed

View File

@ -1,7 +1,9 @@
#!/bin/sh
# vim: ft=sh
# SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
# SPDX-FileCopyrightText: 2023 - 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com>
#
# SPDX-License-Identifier: AGPL-3.0-or-later
qvm-connect-tcp 8082:@default:8082
cp -r /rw/config/systemd/qusal-acng-browser-forwarder* /usr/lib/systemd/system/
systemctl daemon-reload
systemctl --no-block restart qusal-acng-browser-forwarder.socket
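Review bot: this still drives the forwarder from `rc.local`, which the commit message sets out to replace; since the copied unit is never `systemctl enable`d, its `[Install]` section is dead and the explicit `restart` is the only thing that starts it, and `Before=qubes-qrexec-agent.service` has no effect on a unit started this late in boot. That is workable for a browser qube whose root is not persistent, but say so in a comment; if the browser qube is based on a template this formula controls, shipping the unit in the template and relying on the `acng-browser` service condition alone would remove the copy step entirely.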

View File

@ -0,0 +1,17 @@
# SPDX-FileCopyrightText: 2023 - 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com
#
# SPDX-License-Identifier: AGPL-3.0-or-later
[Unit]
Description=Forward ACNG Admin Web Panel connection over Qrexec
After=qubes-sysinit.service
Before=qubes-qrexec-agent.service
ConditionPathExists=/var/run/qubes-service/acng-browser
[Socket]
ListenStream=127.0.0.1:8082
BindToDevice=lo
Accept=true
[Install]
WantedBy=multi-user.target
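Review bot: the SPDX header is missing the closing `>` on the e-mail address (`<ben.grande.b@gmail.com`); the same typo is in the other new `.socket` / `.service` files in this commit. Otherwise the unit is sound: `Accept=true` makes systemd spawn one service instance per accepted connection, so the companion unit must be the template `qusal-acng-browser-forwarder@.service` (which the `qusal-acng-browser-forwarder*` glob in rc.local would copy); the file name is not visible in this view, so please confirm it carries the `@`.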

View File

@ -0,0 +1,11 @@
# SPDX-FileCopyrightText: 2023 - 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com
#
# SPDX-License-Identifier: AGPL-3.0-or-later
[Unit]
Description=Forward ACNG Admin Web Panel connection over Qrexec
[Service]
ExecStart=/usr/bin/qrexec-client-vm @default qubes.ConnectTCP+8082
StandardInput=socket
StandardOutput=inherit

View File

@ -3,11 +3,11 @@
# SPDX-License-Identifier: AGPL-3.0-or-later
# vim: ft=systemd
[Unit]
ConditionPathExists=/var/run/qubes-service/apt-cacher-ng
ConditionPathExists=/var/run/qubes-service/acng-server
After=qubes-sysinit.service
Before=qubes-qrexec-agent.service
[Service]
ExecStartPre=chown -R apt-cacher-ng:apt-cacher-ng /var/log/apt-cacher-ng /var/cache/apt-cacher-ng
ExecStart=
ExecStart=/usr/sbin/apt-cacher-ng -c "/etc/qubes-apt-cacher-ng" ForeGround=1
ExecStart=/usr/sbin/apt-cacher-ng -c "/etc/qusal-apt-cacher-ng" ForeGround=1
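Review bot: renaming the gate from `/var/run/qubes-service/apt-cacher-ng` to `acng-server` breaks existing `sys-cacher` qubes: they were created with `service.apt-cacher-ng` enabled, so after the template upgrade the daemon stops starting until `qvm-features sys-cacher service.acng-server 1` is set (the `create` state in this commit only does that for newly created qubes). Add an upgrade note to the README or changelog, in the same spirit as the time-limited `TODO: legacy` states this commit removes.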

View File

@ -23,13 +23,13 @@ SPDX-License-Identifier: AGPL-3.0-or-later
"{{ slsdotpath }}-install-client-systemd":
file.managed:
- name: /usr/lib/systemd/system/qubes-apt-cacher-ng-repo.service
- source: salt://{{ slsdotpath }}/files/client/systemd/qubes-apt-cacher-ng-repo.service
- name: /usr/lib/systemd/system/qusal-apt-cacher-ng-repo.service
- source: salt://{{ slsdotpath }}/files/client/systemd/qusal-apt-cacher-ng-repo.service
- mode: "0644"
- group: root
- user: root
- makedirs: True
"{{ slsdotpath }}-install-client-systemd-start-qubes-apt-cacher-ng-repo.service":
"{{ slsdotpath }}-install-client-systemd-start-qusal-apt-cacher-ng-repo.service":
service.enabled:
- name: qubes-apt-cacher-ng-repo.service
- name: qusal-apt-cacher-ng-repo.service
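Review bot: the rename installs and enables `qusal-apt-cacher-ng-repo.service` but nothing disables or removes the old `qubes-apt-cacher-ng-repo.service` on templates that already had it, and the uninstall state in this commit is changed to target only the new name, so the old unit stays enabled forever. Add a `service.disabled` plus `file.absent` for the old unit name, time-limited like the legacy mask states this commit drops from the server install.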

View File

@ -37,25 +37,14 @@ include:
service.enabled:
- name: apt-cacher-ng
## TODO: legacy: remove after some weeks for user to have time to upgrade
"{{ slsdotpath }}-mask-qubes-apt-cacher-ng":
service.masked:
- name: qubes-apt-cacher-ng
- runtime: False
## TODO: legacy: remove after some weeks for user to have time to upgrade
"{{ slsdotpath }}-disable-qubes-apt-cacher-ng":
service.disabled:
- name: qubes-apt-cacher-ng
"{{ slsdotpath }}-create-qubes-cacher-config-dir":
file.directory:
- name: /etc/qubes-apt-cacher-ng
- name: /etc/qusal-apt-cacher-ng
- mode: '0755'
"{{ slsdotpath }}-copy-package-config-to-qubes-cacher-config":
cmd.run:
- name: cp -rp /etc/apt-cacher-ng/* /etc/qubes-apt-cacher-ng
- name: cp -rp /etc/apt-cacher-ng/* /etc/qusal-apt-cacher-ng
"{{ slsdotpath }}-systemd-service":
file.managed:
@ -68,12 +57,12 @@ include:
"{{ slsdotpath }}-update-deb_mirrors.gz":
cmd.run:
- name: cp /usr/lib/apt-cacher-ng/deb_mirrors.gz /etc/qubes-apt-cacher-ng/deb_mirrors.gz
- name: cp /usr/lib/apt-cacher-ng/deb_mirrors.gz /etc/qusal-apt-cacher-ng/deb_mirrors.gz
- runas: root
"{{ slsdotpath }}-update-conf":
file.recurse:
- name: /etc/qubes-apt-cacher-ng/
- name: /etc/qusal-apt-cacher-ng/
- source: salt://{{ slsdotpath }}/files/server/conf/
- file_mode: "0644"
- group: root
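Review bot: `cp -rp /etc/apt-cacher-ng/* /etc/qusal-apt-cacher-ng` still runs on every state apply (no `unless:` / `creates:`), and the old `/etc/qubes-apt-cacher-ng` directory is left behind on upgraded templates, so this commit removes one set of legacy cleanup states while creating a new legacy path. Guard the copy so it only seeds an empty directory, and add a cleanup of `/etc/qubes-apt-cacher-ng` with the same time limit the removed `TODO: legacy` states had.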

View File

@ -27,4 +27,4 @@ SPDX-License-Identifier: AGPL-3.0-or-later
"{{ slsdotpath }}-uninstall-client-systemd-service":
file.absent:
- name: /usr/lib/systemd/system/qubes-apt-cacher-ng-repo.service
- name: /usr/lib/systemd/system/qusal-apt-cacher-ng-repo.service

View File

@ -15,6 +15,7 @@ if ! command -v git >/dev/null; then
die "Command not found: git"
fi
## TODO: subdirectory? dir+repo
untrusted_repo="${QREXEC_SERVICE_ARGUMENT}"
if test -z "${untrusted_repo}"; then

View File

@ -7,7 +7,7 @@ SPDX-License-Identifier: AGPL-3.0-or-later
{% if grains['nodename'] != 'dom0' %}
"{{ slsdotpath }}-browser-auto-tcp-connect":
"{{ slsdotpath }}-browser-rc.local":
file.managed:
- name: /rw/config/rc.local.d/50-sys-pihole.rc
- source: salt://{{ slsdotpath }}/files/browser/rc.local.d/50-sys-pihole.rc
@ -16,6 +16,16 @@ SPDX-License-Identifier: AGPL-3.0-or-later
- group: root
- makedirs: True
"{{ slsdotpath }}-browser-systemd-services":
file.recurse:
- name: /rw/config/systemd/
- source: salt://{{ slsdotpath }}/files/browser/systemd/
- dir_mode: '0755'
- file_mode: '0644'
- user: root
- group: root
- makedirs: True
"{{ slsdotpath }}-browser-desktop-application":
file.managed:
- name: /home/user/.local/share/applications/pihole-browser.desktop

View File

@ -78,6 +78,8 @@ prefs:
- maxmem: 600
- include_in_backups: False
features:
- enable:
- service.http-client
- disable:
- service.cups
- service.cups-browsed

View File

@ -1,7 +1,9 @@
#!/bin/sh
# vim: ft=sh
# SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
# SPDX-FileCopyrightText: 2023 - 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com>
#
# SPDX-License-Identifier: AGPL-3.0-or-later
qvm-connect-tcp 80:@default:80
cp -r /rw/config/systemd/qubes-http-forwarder* /usr/lib/systemd/system/
systemctl daemon-reload
systemctl --no-block restart qubes-http-forwarder.socket
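Review bot: the unit copied here keeps the `qubes-http-forwarder` name although the commit message standardizes Qusal units on the `qusal-` prefix and the cacher equivalent in this commit is `qusal-acng-browser-forwarder`; rename it (and the files under `files/browser/systemd/`) so the prefix rule holds across formulas.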

View File

@ -3,12 +3,13 @@
# SPDX-License-Identifier: AGPL-3.0-or-later
[Unit]
Description=Forward connection to SSH over Qrexec
Description=Forward HTTP connection over Qrexec
After=qubes-sysinit.service
ConditionPathExists=/var/run/qubes-service/ssh-setup
Before=qubes-qrexec-agent.service
ConditionPathExists=/var/run/qubes-service/http-client
[Socket]
ListenStream=127.0.0.1:840
ListenStream=127.0.0.1:80
BindToDevice=lo
Accept=true
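Review bot: the replaced description and condition (SSH, `ssh-setup`, port 840) show this unit was cloned from the SSH forwarder, and the new values (port 80, `http-client`) look correct, but `service.http-client` is a generic protocol name for what is specifically the Pi-hole admin-page forwarder, while the cacher browser uses the application-specific `acng-browser`. Pick one convention so the `service-client` naming rule in the design document is applied consistently.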

View File

@ -0,0 +1,11 @@
# SPDX-FileCopyrightText: 2023 - 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com
#
# SPDX-License-Identifier: AGPL-3.0-or-later
[Unit]
Description=Forward HTTP connection over Qrexec
[Service]
ExecStart=/usr/bin/qrexec-client-vm @default qubes.ConnectTCP+80
StandardInput=socket
StandardOutput=inherit

View File

@ -6,28 +6,36 @@ SQzvYjsE4I34To4UdE9KA97wrQjGoz2Bx72WDLyWwctD3DKQtYeHXswXXtXwKfjQ
7Fy4+Bf5IPh76dA8NJ6UtjjLIDlKqdxLW4atHe6xWFaJ+XdLUtsAroZcXBeWDCPa
buXCDscJcLJRKZVc62gOZXXtPfoHqvUPp3nuLA4YjH9bphbrMWMf810Wxz9JTd3v
yWgGqNY0zbBqeZoGv+TuExlRHT8ASGFS9SVDABEBAAHNNUdpdEh1YiAod2ViLWZs
b3cgY29tbWl0IHNpZ25pbmcpIDxub3JlcGx5QGdpdGh1Yi5jb20+wsBiBBMBCAAW
BQJZlGhBCRBK7hj4Ov3rIwIbAwIZAQAAmQEIACATWFmi2oxlBh3wAsySNCNV4IPf
DDMeh6j80WT7cgoX7V7xqJOxrfrqPEthQ3hgHIm7b5MPQlUr2q+UPL22t/I+ESF6
9b0QWLFSMJbMSk+BXkvSjH9q8jAO0986/pShPV5DU2sMxnx4LfLfHNhTzjXKokws
+8ptJ8uhMNIDXfXuzkZHIxoXk3rNcjDN5c5X+sK8UBRH092BIJWCOfaQt7v7wig5
4Ra28pM9GbHKXVNxmdLpCFyzvyMuCmINYYADsC848QQFFwnd4EQnupo6QvhEVx1O
j7wDwvuH5dCrLuLwtwXaQh0onG4583p0LGms2Mf5F+Ick6o/4peOlBoZz48=
=HXDP
-----END PGP PUBLIC KEY BLOCK----------BEGIN PGP PUBLIC KEY BLOCK-----
xsBNBFmUaEEBCACzXTDt6ZnyaVtueZASBzgnAmK13q9Urgch+sKYeIhdymjuMQta
x15OklctmrZtqre5kwPUosG3/B2/ikuPYElcHgGPL4uL5Em6S5C/oozfkYzhwRrT
SQzvYjsE4I34To4UdE9KA97wrQjGoz2Bx72WDLyWwctD3DKQtYeHXswXXtXwKfjQ
7Fy4+Bf5IPh76dA8NJ6UtjjLIDlKqdxLW4atHe6xWFaJ+XdLUtsAroZcXBeWDCPa
buXCDscJcLJRKZVc62gOZXXtPfoHqvUPp3nuLA4YjH9bphbrMWMf810Wxz9JTd3v
yWgGqNY0zbBqeZoGv+TuExlRHT8ASGFS9SVDABEBAAHNNUdpdEh1YiAod2ViLWZs
b3cgY29tbWl0IHNpZ25pbmcpIDxub3JlcGx5QGdpdGh1Yi5jb20+wsBiBBMBCAAW
BQJZlGhBCRBK7hj4Ov3rIwIbAwIZAQAAmQEIACATWFmi2oxlBh3wAsySNCNV4IPf
DDMeh6j80WT7cgoX7V7xqJOxrfrqPEthQ3hgHIm7b5MPQlUr2q+UPL22t/I+ESF6
9b0QWLFSMJbMSk+BXkvSjH9q8jAO0986/pShPV5DU2sMxnx4LfLfHNhTzjXKokws
+8ptJ8uhMNIDXfXuzkZHIxoXk3rNcjDN5c5X+sK8UBRH092BIJWCOfaQt7v7wig5
4Ra28pM9GbHKXVNxmdLpCFyzvyMuCmINYYADsC848QQFFwnd4EQnupo6QvhEVx1O
j7wDwvuH5dCrLuLwtwXaQh0onG4583p0LGms2Mf5F+Ick6o/4peOlBoZz48=
=HXDP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=uMz0
-----END PGP PUBLIC KEY BLOCK-----

View File

@ -64,12 +64,12 @@ sudo qubesctl --skip-dom0 --targets=tpl-sys-print state.apply sys-print.install-
On the client template:
```sh
sudo qubesctl --skip-dom0 --targets=tpl-QUBE state.apply sys-print.install-client
sudo qubesctl --skip-dom0 --targets=TEMPLATE state.apply sys-print.install-client
```
The client qube requires the split Print service to be enabled:
```sh
qvm-features QUBE service.print-setup 1
qvm-features QUBE service.print-client 1
```
## Access Control

View File

@ -1,25 +0,0 @@
# SPDX-FileCopyrightText: 2023 unman <unman@thirdeyesecurity.org>
# SPDX-FileCopyrightText: 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com>
#
# SPDX-License-Identifier: AGPL-3.0-or-later
[Unit]
Description=Print over Qrexec
After=qubes-sysinit.service
After=qubes-qrexec-agent.service
ConditionPathExists=/var/run/qubes-service/print-setup
[Service]
ExecStart=/usr/bin/socat TCP4-LISTEN:631,reuseaddr,fork,end-close EXEC:"qrexec-client-vm @default qusal.Print"
Restart=on-failure
RestartSec=3
# Hardening
ProtectSystem=full
SystemCallArchitectures=native
MemoryDenyWriteExecute=true
NoNewPrivileges=true
[Install]
WantedBy=multi-user.target

View File

@ -0,0 +1,17 @@
# SPDX-FileCopyrightText: 2023 - 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com
#
# SPDX-License-Identifier: AGPL-3.0-or-later
[Unit]
Description=Forward Print connection over Qrexec
After=qubes-sysinit.service
Before=qubes-qrexec-agent.service
ConditionPathExists=/var/run/qubes-service/print-client
[Socket]
ListenStream=127.0.0.1:631
BindToDevice=lo
Accept=true
[Install]
WantedBy=multi-user.target

View File

@ -0,0 +1,11 @@
# SPDX-FileCopyrightText: 2023 - 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com
#
# SPDX-License-Identifier: AGPL-3.0-or-later
[Unit]
Description=Forward Print connection over Qrexec
[Service]
ExecStart=/usr/bin/qrexec-client-vm @default qusal.Print
StandardInput=socket
StandardOutput=inherit
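Review bot: the deleted socat unit carried `ProtectSystem=full`, `SystemCallArchitectures=native`, `MemoryDenyWriteExecute=true` and `NoNewPrivileges=true`; this replacement service has none of them. `Restart=on-failure` is rightly gone (socket activation spawns a fresh instance per connection), but the sandboxing directives apply just as well to a per-connection `qrexec-client-vm` and should be carried over here and into the other new forwarder services in this commit. The SPDX e-mail is also missing its closing `>`.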

View File

@ -5,24 +5,16 @@ SPDX-FileCopyrightText: 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com>
SPDX-License-Identifier: AGPL-3.0-or-later
#}
"{{ slsdotpath }}-installed-client":
pkg.installed:
- require:
- sls: utils.tools.common.update
- install_recommends: False
- skip_suggestions: True
- pkgs:
- socat
"{{ slsdotpath }}-client-systemd-print-forwarder":
file.managed:
- name: /usr/lib/systemd/system/qusal-print-forwarder.service
- source: salt://{{ slsdotpath }}/files/client/systemd/qusal-print-forwarder.service
- mode: '0644'
"{{ slsdotpath }}-client-systemd":
file.recurse:
- name: /usr/lib/systemd/system/
- source: salt://{{ slsdotpath }}/files/client/systemd/
- file_mode: '0644'
- dir_mode: '0755'
- user: root
- group: root
- makedirs: True
"{{ slsdotpath }}-enable-systemd-service-print-forwarder":
"{{ slsdotpath }}-enable-systemd-service-print-forwarder.socket":
service.enabled:
- name: qusal-print-forwarder.service
- name: qusal-print-forwarder.socket
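Review bot: the state id `{{ slsdotpath }}-enable-systemd-service-print-forwarder.socket` follows a different pattern from the rsync formula's `{{ slsdotpath }}-client-systemd-enable-qusal-rsync-forwarder.socket` and the ssh formula's `...-client-systemd-start-qusal-ssh-forwarder.socket` elsewhere in this diff; since the commit message sets out to standardize naming, pick one pattern (the rsync one reads best) and apply it to all three.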

View File

@ -49,7 +49,7 @@ sudo qubesctl --skip-dom0 --targets=TEMPLATE state.apply sys-rsync.install-clien
The client qube requires the Rsync forwarder service to be enabled:
```
qvm-features QUBE service.rsync-setup 1
qvm-features QUBE service.rsync-client 1
```
## Access Control
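Review bot: the fence around `qvm-features QUBE service.rsync-client 1` has no language tag while the other command blocks in this README use ```sh; tag it for consistency. The new `service.rsync-client` flag matches the `ConditionPathExists=/var/run/qubes-service/rsync-client` the socket unit checks, so the documentation and the unit agree.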

View File

@ -1,6 +1,6 @@
{#
SPDX-FileCopyrightText: 2022 unman <unman@thirdeyesecurity.org>
SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
SPDX-FileCopyrightText: 2023 - 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com>
SPDX-License-Identifier: AGPL-3.0-or-later
#}
@ -8,15 +8,6 @@ SPDX-License-Identifier: AGPL-3.0-or-later
include:
- dev.home-cleanup
"{{ slsdotpath }}-start-rsync-on-boot":
file.managed:
- name: /rw/config/rc.local.d/50-sys-rsync.rc
- source: salt://{{ slsdotpath }}/files/server/rc.local.d/50-sys-rsync.rc
- mode: '0755'
- user: root
- group: root
- makedirs: True
"{{ slsdotpath }}-creates-local-rsync-configuration-dir":
file.directory:
- name: /usr/local/etc/rsync.d
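Review bot: removing the `{{ slsdotpath }}-start-rsync-on-boot` state leaves `/rw/config/rc.local.d/50-sys-rsync.rc` in place on any sys-rsync qube provisioned before this change, because nothing in this diff adds a `file.absent` for it; that script (`systemctl unmask rsync` / `systemctl --no-block restart rsync`) keeps running on every boot of such qubes. A one-time `file.absent` state, or an upgrade note in the README, would cover existing deployments.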

View File

@ -41,6 +41,7 @@ prefs:
features:
- enable:
- servicevm
- service.rsync-server
- disable:
- service.cups
- service.cups-browsed

View File

@ -3,9 +3,9 @@
# SPDX-License-Identifier: AGPL-3.0-or-later
[Unit]
Description=Forward connection to Rsync over Qrexec
Description=Forward Rsync connection over Qrexec
After=qubes-sysinit.service
ConditionPathExists=/var/run/qubes-service/rsync-setup
ConditionPathExists=/var/run/qubes-service/rsync-client
[Socket]
ListenStream=127.0.0.1:1839

View File

@ -3,7 +3,7 @@
# SPDX-License-Identifier: AGPL-3.0-or-later
[Unit]
Description=Forward connection to Rsync over Qrexec
Description=Forward Rsync connection over Qrexec
[Service]
ExecStart=/usr/bin/qrexec-client-vm @default qusal.Rsync

View File

@ -1,8 +0,0 @@
#!/bin/sh
# vim: ft=sh
# SPDX-FileCopyrightText: 2022 unman <unman@thirdeyesecurity.org>
#
# SPDX-License-Identifier: AGPL-3.0-or-later
systemctl unmask rsync
systemctl --no-block restart rsync

View File

@ -0,0 +1,8 @@
# SPDX-FileCopyrightText: 2023 - 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com>
#
# SPDX-License-Identifier: AGPL-3.0-or-later
# vim: ft=systemd
[Unit]
ConditionPathExists=/var/run/qubes-service/rsync-server
After=qubes-sysinit.service
Before=qubes-qrexec-agent.service

View File

@ -30,8 +30,8 @@ include:
- group: root
- makedirs: True
"{{ slsdotpath }}-client-systemd-start-qubes-rsync-forwarder.socket":
"{{ slsdotpath }}-client-systemd-enable-qusal-rsync-forwarder.socket":
service.enabled:
- name: qubes-rsync-forwarder.socket
- name: qusal-rsync-forwarder.socket
{% endif -%}

View File

@ -20,16 +20,22 @@ include:
- rsync
- man-db
"{{ slsdotpath }}-stop-rsync":
service.dead:
"{{ slsdotpath }}-systemd":
file.recurse:
- name: /usr/lib/systemd/system/
- source: salt://{{ slsdotpath }}/files/server/systemd/
- dir_mode: '0755'
- file_mode: '0644'
- user: root
- group: root
- makedirs: True
"{{ slsdotpath }}-unmask-rsync":
service.unmasked:
- name: rsync
"{{ slsdotpath }}-disable-rsync":
service.disabled:
- name: rsync
"{{ slsdotpath }}-mask-rsync":
service.masked:
"{{ slsdotpath }}-enable-rsync":
service.enabled:
- name: rsync
"{{ slsdotpath }}-set-rsyncd.conf":
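Review bot: with `service.enabled` on `rsync` in the template, every qube built from it has the daemon enabled, and the `ConditionPathExists=/var/run/qubes-service/rsync-server` drop-in is the only thing keeping it from starting; that is the intended design, but it means the drop-in copied from `salt://{{ slsdotpath }}/files/server/systemd/` must land in the unit's drop-in directory under `/usr/lib/systemd/system/` for the gate to exist at all. Add a `require` from `-enable-rsync` on `-systemd` so a failed copy blocks the enable rather than leaving an ungated daemon, and keep `service.unmasked` as it is, since the previous revision masked the unit.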

View File

@ -150,7 +150,7 @@ Or you can manually add the key to the agent which are not located under the
`~/.ssh/identities.d` directory so they aren't automatically added (substitute
AGENT, SECS, and LIFE for their appropriate values):
```sh
SSH_AUTH_SOCK="/run/user/1000/qubes-ssh-agent/<AGENT>.sock" ssh-add -t <SECS> -f <FILE>
SSH_AUTH_SOCK="/run/user/1000/qusal-ssh-agent/<AGENT>.sock" ssh-add -t <SECS> -f <FILE>
```
#### Reload agent
@ -177,17 +177,17 @@ qvm-ssh-agent ls <AGENT>
Enable and start the connection to the SSH Agent via Qrexec for specified
`<AGENT>`:
```sh
sudo systemctl --no-block restart qubes-ssh-agent-forwarder@<AGENT>.service
sudo systemctl --no-block restart qubes-ssh-agent-forwarder@personal.service
sudo systemctl --no-block restart qusal-ssh-agent-forwarder@<AGENT>.service
sudo systemctl --no-block restart qusal-ssh-agent-forwarder@personal.service
```
You can start the service on boot if you place the above line
`/rw/config/rc.local` of the client.
The ssh-agent socket will be at `/tmp/qubes-ssh-agent-forwarder/<AGENT>.sock`.
The ssh-agent socket will be at `/tmp/qusal-ssh-agent-forwarder/<AGENT>.sock`.
You can test the connection is working with:
```sh
SSH_AUTH_SOCK="/tmp/qubes-ssh-agent-forwarder/personal.sock" ssh-add -l
SSH_AUTH_SOCK="/tmp/qusal-ssh-agent-forwarder/personal.sock" ssh-add -l
```
#### Single agent per client
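Review bot: the sentence `You can start the service on boot if you place the above line` / `/rw/config/rc.local` `of the client` is missing a word (`in /rw/config/rc.local`), and it still documents the rc.local approach the rest of this commit moves away from; if the agent forwarder can be gated by a Qubes Service flag like the other forwarders here, point the reader at `qvm-features` instead.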
@ -196,8 +196,8 @@ You might want to set the `SSH_AUTH_SOCK` and `SSH_AGENT_PID` environment
variables to point to the `work` agent so every connection will use the same
agent:
```sh
echo 'export SSH_AUTH_SOCK=/tmp/qubes-ssh-agent-forwarder/work.sock;
SSH_AGENT_PID="$(pgrep -f "/tmp/qubes-ssh-agent-forwarder/work.sock")";
echo 'export SSH_AUTH_SOCK=/tmp/qusal-ssh-agent-forwarder/work.sock;
SSH_AGENT_PID="$(pgrep -f "/tmp/qusal-ssh-agent-forwarder/work.sock")";
' | tee -a ~/.profile
```
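Review bot: in the `.profile` snippet `SSH_AGENT_PID` is assigned but not exported, so `ssh` and `ssh-add` started from that shell do not see it (only `SSH_AUTH_SOCK` is exported); either `export SSH_AGENT_PID` or drop the variable, since the forwarded agent has no local process that `ssh-agent -k` could act on. Note also that `tee -a ~/.profile` appends a fresh copy of the two lines every time the command is run.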
@ -210,19 +210,19 @@ the `IdentityAgent` option.
You can control the SSH agent via SSH command-line option:
```sh
ssh -o IdentityAgent=/tmp/qubes-ssh-agent-forwarder/personal.sock personal-site.com
ssh -o IdentityAgent=/tmp/qubes-ssh-agent-forwarder/work.sock work-site.com
ssh -o IdentityAgent=/tmp/qusal-ssh-agent-forwarder/personal.sock personal-site.com
ssh -o IdentityAgent=/tmp/qusal-ssh-agent-forwarder/work.sock work-site.com
```
You can control the SSH agent via SSH configuration:
```sshconfig
Host personal
IdentityAgent /tmp/qubes-ssh-agent-forwarder/personal.sock
IdentityAgent /tmp/qusal-ssh-agent-forwarder/personal.sock
...
Host work
IdentityAgent /tmp/qubes-ssh-agent-forwarder/work.sock
IdentityAgent /tmp/qusal-ssh-agent-forwarder/work.sock
...
```
## Credits
- [Unman](https://github.com/unman/qubes-ssh-agent)
- [Unman](https://github.com/unman/qusal-ssh-agent)
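Review bot: the Credits link changed from `https://github.com/unman/qubes-ssh-agent` to `https://github.com/unman/qusal-ssh-agent`, which looks like the project-wide `qubes-` to `qusal-` rename being applied to a third-party repository name; that repository belongs to unman and is not renamed by this commit, so verify the URL still resolves and revert it if it does not.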

View File

@ -1,9 +1,9 @@
# SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
# SPDX-FileCopyrightText: 2023 - 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com>
#
# SPDX-License-Identifier: AGPL-3.0-or-later
[Unit]
Description=SSH Agent Forwarder to Qrexec SSH Agent %i
Description=Forward SSH Agent %i over Qrexec
[Service]
User=user

View File

@ -1,12 +1,12 @@
#!/bin/sh
# SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
# SPDX-FileCopyrightText: 2023 - 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com>
#
# SPDX-License-Identifier: AGPL-3.0-or-later
set -eu
service="qubes-ssh-agent"
service="qusal-ssh-agent"
usage(){
echo "Usage: ${0##*/} [ls|add] <AGENT>

View File

@ -24,7 +24,7 @@ if test "${#untrusted_agent}" -gt 128; then
fi
agent="${untrusted_agent}"
socket="/tmp/qubes-ssh-agent/${agent}.sock"
socket="/tmp/qusal-ssh-agent/${agent}.sock"
qvm-ssh-agent add "${agent}" >/dev/null
exec socat STDIO UNIX-CLIENT:"${socket}"
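Review bot: `socket="/tmp/qusal-ssh-agent/${agent}.sock"` interpolates a caller-supplied value into a filesystem path, and the only validation visible in this hunk is the length bound `test "${#untrusted_agent}" -gt 128`; please confirm that the lines above the hunk restrict `untrusted_agent` to a safe character set (letters, digits, `-`, `_`) before the `agent="${untrusted_agent}"` assignment. This script also still depends on `socat` (`exec socat STDIO UNIX-CLIENT:"${socket}"`), so the `socat` package must remain installed by the sys-ssh-agent formula even though this commit drops it from the sys-print client state.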

View File

@ -39,7 +39,6 @@ sudo qubesctl top.disable sys-ssh
```sh
sudo qubesctl state.apply sys-ssh.create
sudo qubesctl --skip-dom0 --targets=tpl-sys-ssh state.apply sys-ssh.install
sudo qubesctl --skip-dom0 --targets=sys-ssh state.apply sys-ssh.configure
```
<!-- pkg:end:post-install -->
@ -50,7 +49,7 @@ sudo qubesctl --skip-dom0 --targets=TEMPLATE state.apply sys-ssh.install-client
The client qube requires the SSH forwarder service to be enabled:
```
qvm-features QUBE service.ssh-setup 1
qvm-features QUBE service.ssh-client 1
```
## Access Control

View File

@ -1,30 +0,0 @@
{#
SPDX-FileCopyrightText: 2022 unman <unman@thirdeyesecurity.org>
SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
SPDX-License-Identifier: AGPL-3.0-or-later
#}
{% if grains['nodename'] != 'dom0' -%}
include:
- dev.home-cleanup
"{{ slsdotpath }}-start-ssh-on-boot":
file.managed:
- name: /rw/config/rc.local.d/50-sys-ssh.rc
- source: salt://{{ slsdotpath }}/files/server/rc.local.d/50-sys-ssh.rc
- mode: '0755'
- user: root
- group: root
- makedirs: True
"{{ slsdotpath }}-creates-home-ssh-dir":
file.directory:
- name: /home/user/.ssh
- mode: '0700'
- user: user
- group: user
- makedirs: True
{% endif -%}
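Review bot: deleting this configure state removes more than the rc.local script: the `{{ slsdotpath }}-creates-home-ssh-dir` state that created `/home/user/.ssh` with mode `0700` and the `dev.home-cleanup` include go with it, and no replacement for either appears in this diff. If sshd in sys-ssh relies on `~/.ssh/authorized_keys`, confirm the directory is still created with those permissions somewhere, for example in the install state.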

View File

@ -1,9 +0,0 @@
{#
SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
SPDX-License-Identifier: AGPL-3.0-or-later
#}
base:
'sys-ssh':
- sys-ssh.configure

View File

@ -41,6 +41,7 @@ prefs:
features:
- enable:
- servicevm
- service.ssh-server
- disable:
- service.cups
- service.cups-browsed

View File

@ -0,0 +1,11 @@
# vim: ft=sshconfig
# SPDX-FileCopyrightText: 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com>
#
# SPDX-License-Identifier: AGPL-3.0-or-later
Host default-qubes-server
Hostname 127.0.0.1
User user
Port 1840
StrictHostKeyChecking no
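Review bot: `StrictHostKeyChecking no` turns off host key verification for `Host default-qubes-server`; the connection goes to `127.0.0.1:1840`, but the real peer is whichever qube the dom0 policy resolves `@default` to for `qusal.Ssh`, so a policy change or a re-provisioned sys-ssh would be accepted silently. `StrictHostKeyChecking accept-new` together with a dedicated `UserKnownHostsFile` (a file of your choosing, for example `~/.ssh/known_hosts_qusal`) still pins the key on first use and warns when it changes, which is the property you want across a qrexec boundary.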

View File

@ -0,0 +1,17 @@
# SPDX-FileCopyrightText: 2023 - 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com
#
# SPDX-License-Identifier: AGPL-3.0-or-later
[Unit]
Description=Forward SSH connection over Qrexec
After=qubes-sysinit.service
Before=qubes-qrexec-agent.service
ConditionPathExists=/var/run/qubes-service/ssh-client
[Socket]
ListenStream=127.0.0.1:1840
BindToDevice=lo
Accept=true
[Install]
WantedBy=multi-user.target
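Review bot: the same two points as on the print socket apply here: the copyright line at the top lacks its closing `>`, and `WantedBy=multi-user.target` should probably be `sockets.target` for a socket unit. Port `1840` matches `Port 1840` in the new `ssh_config.d` file, so the two halves agree.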

View File

@ -1,9 +1,9 @@
# SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com
# SPDX-FileCopyrightText: 2023 - 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com
#
# SPDX-License-Identifier: AGPL-3.0-or-later
[Unit]
Description=Forward connection to SSH over Qrexec
Description=Forward SSH connection over Qrexec
[Service]
ExecStart=/usr/bin/qrexec-client-vm @default qusal.Ssh

View File

@ -1,8 +0,0 @@
#!/bin/sh
# vim: ft=sh
# SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
#
# SPDX-License-Identifier: AGPL-3.0-or-later
systemctl unmask ssh
systemctl --no-block restart ssh

View File

@ -0,0 +1,8 @@
# SPDX-FileCopyrightText: 2023 - 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com>
#
# SPDX-License-Identifier: AGPL-3.0-or-later
# vim: ft=systemd
[Unit]
ConditionPathExists=/var/run/qubes-service/ssh-server
After=qubes-sysinit.service
Before=qubes-qrexec-agent.service

View File

@ -10,5 +10,3 @@ base:
- sys-ssh.create
'tpl-sys-ssh':
- sys-ssh.install
'sys-ssh':
- sys-ssh.configure

View File

@ -28,6 +28,15 @@ include:
- skip_suggestions: True
- pkgs: {{ pkg.pkg|sequence|yaml }}
"{{ slsdotpath }}-ssh-config":
file.managed:
- name: /etc/ssh/ssh_config.d/50-qusal-{{ slsdotpath }}.conf
- source: salt://{{ slsdotpath }}/files/client/ssh_config.d/50-qusal-{{ slsdotpath }}.conf
- mode: '0644'
- user: root
- group: root
- makedirs: True
"{{ slsdotpath }}-client-systemd":
file.recurse:
- name: /usr/lib/systemd/system/
@ -38,8 +47,8 @@ include:
- group: root
- makedirs: True
"{{ slsdotpath }}-client-systemd-start-qubes-ssh-forwarder.socket":
"{{ slsdotpath }}-client-systemd-start-qusal-ssh-forwarder.socket":
service.enabled:
- name: qubes-ssh-forwarder.socket
- name: qusal-ssh-forwarder.socket
{% endif -%}
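Review bot: the state id `{{ slsdotpath }}-client-systemd-start-qusal-ssh-forwarder.socket` still says `start` although the function is `service.enabled`, while the rsync counterpart in this same commit was renamed to `...-enable-qusal-rsync-forwarder.socket`; rename this one to match.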

View File

@ -20,16 +20,21 @@ include:
- openssh-server
- man-db
"{{ slsdotpath }}-stop-ssh":
service.dead:
"{{ slsdotpath }}-ssh-systemd-service":
file.managed:
- name: /usr/lib/systemd/system/ssh.service.d/50_qusal.conf
- source: salt://{{ slsdotpath }}/files/server/systemd/ssh.service.d/50_qusal.conf
- mode: '0644'
- user: root
- group: root
- makedirs: True
"{{ slsdotpath }}-unmask-ssh":
service.unmasked:
- name: ssh
"{{ slsdotpath }}-disable-ssh":
service.disabled:
- name: ssh
"{{ slsdotpath }}-mask-ssh":
service.masked:
"{{ slsdotpath }}-enable-ssh":
service.enabled:
- name: ssh
"{{ slsdotpath }}-rpc":
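Review bot: the drop-in is installed as `/usr/lib/systemd/system/ssh.service.d/50_qusal.conf` (underscore) while the ssh and sshd config fragments added in this commit are named `50-qusal-{{ slsdotpath }}.conf` (hyphen); settle on one. As with rsync, `service.enabled` on `ssh` makes the `ConditionPathExists=/var/run/qubes-service/ssh-server` drop-in the only gate, so a `require` from `-enable-ssh` on `-ssh-systemd-service` would stop the enable if the drop-in fails to install.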
@ -52,9 +57,9 @@ include:
"{{ slsdotpath }}-sshd-config":
file.managed:
- name: /etc/ssh/sshd_config.d/{{ slsdotpath }}.conf
- source: salt://{{ slsdotpath }}/files/server/sshd_config.d/{{ slsdotpath }}.conf
- mode: '0755'
- name: /etc/ssh/sshd_config.d/50-qusal-{{ slsdotpath }}.conf
- source: salt://{{ slsdotpath }}/files/server/sshd_config.d/50-qusal-{{ slsdotpath }}.conf
- mode: '0644'
- user: root
- group: root
- makedirs: True

View File

@ -52,9 +52,11 @@ Install Syncthing on the client template:
sudo qubesctl --skip-dom0 --targets=TEMPLATE state.apply sys-syncthing.install-client
```
The client qube requires the split Syncthing service to be enabled:
The client qube requires the split Syncthing and the Syncthing Daemon service
to be enabled:
```sh
qvm-features QUBE service.syncthing-setup 1
qvm-features QUBE service.syncthing-client 1
qvm-features QUBE service.syncthing-server 1
```
## Access Control
@ -87,8 +89,8 @@ interface. In other words, it has control over the server functions, if the
browser is compromised, it can compromise the server.
To use the service, from the client, add a Remote Device, and copy the
`DeviceID` from the server qube. On the Advanced tab, under Addresses, change
`dynamic` to `tcp://127.0.0.1:22001`
`DeviceID` from the server qube. On the `Advanced` tab, under `Addresses`,
change `dynamic` to `tcp://127.0.0.1:22001`
If the sender qube has no netvm set, under `Settings`, disable `Enable NAT
traversal`, `Local Discovery`, `Global Discovery`, and `Enable Relaying`
@ -119,7 +121,6 @@ Uninstallation procedure:
```sh
qvm-port-forward -a del -q sys-syncthing -n tcp -p 22000
qvm-port-forward -a del -q sys-syncthing -n udp -p 22000
sudo qubesctl --skip-dom0 --targets=sys-syncthing state.apply sys-syncthing.cancel
sudo qubesctl state.apply sys-syncthing.clean
```
<!-- pkg:end:preun-uninstall -->

View File

@ -1,9 +0,0 @@
{#
SPDX-FileCopyrightText: 2022 unman <unman@thirdeyesecurity.org>
SPDX-License-Identifier: AGPL-3.0-or-later
#}
"{{ slsdotpath }}-remove-service-from-rc.local":
file.absent:
- name: /rw/config/rc.local.d/50-sys-syncthing.rc
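Review bot: this deleted `file.absent` for `/rw/config/rc.local.d/50-sys-syncthing.rc` was the only cleanup of the legacy rc script, and the README hunk above removes `sys-syncthing.cancel` from the uninstall procedure; qubes provisioned before this change will therefore keep the old script unless another state removes it. Keep a `file.absent` for it in the configure state for one release, then drop it.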

View File

@ -1,9 +0,0 @@
{#
SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
SPDX-License-Identifier: AGPL-3.0-or-later
#}
base:
'sys-syncthing':
- sys-syncthing.configure

View File

@ -11,5 +11,11 @@ SPDX-License-Identifier: AGPL-3.0-or-later
- flags:
- force
"{{ slsdotpath }}-stop-syncthing-from-starting":
qvm.features:
- name: {{ slsdotpath }}
- disable:
- service.syncthing-server
{% from 'utils/macros/policy.sls' import policy_unset with context -%}
{{ policy_unset(sls_path, '80') }}

View File

@ -18,6 +18,15 @@ include:
- group: root
- makedirs: True
"{{ slsdotpath }}-browser-systemd-services":
file.recurse:
- name: /rw/config/systemd/
- source: salt://{{ slsdotpath }}/files/browser/systemd/
- dir_mode: '0755'
- file_mode: '0644'
- user: root
- group: root
- makedirs: True
"{{ slsdotpath }}-browser-desktop-application":
file.managed:

View File

@ -1,5 +1,4 @@
{#
SPDX-FileCopyrightText: 2022 unman <unman@thirdeyesecurity.org>
SPDX-FileCopyrightText: 2023 - 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com>
SPDX-License-Identifier: AGPL-3.0-or-later
@ -7,12 +6,4 @@ SPDX-License-Identifier: AGPL-3.0-or-later
include:
- dotfiles.copy-xfce
"{{ slsdotpath }}-rc.local":
file.managed:
- name: /rw/config/rc.local.d/50-sys-syncthing.rc
- source: salt://{{ slsdotpath }}/files/server/rc.local.d/50-sys-syncthing.rc
- mode: '0755'
- user: root
- group: root
- makedirs: True
- dotfiles.copy-x11

View File

@ -56,6 +56,7 @@ prefs:
features:
- enable:
- servicevm
- service.syncthing-server
- disable:
- service.cups
- service.cups-browsed
@ -83,6 +84,8 @@ prefs:
- autostart: False
- include_in_backups: False
features:
- enable:
- service.syncthing-browser
- disable:
- service.cups
- service.cups-browsed

View File

@ -1,7 +1,9 @@
#!/bin/sh
# vim: ft=sh
# SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
# SPDX-FileCopyrightText: 2023 - 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com>
#
# SPDX-License-Identifier: AGPL-3.0-or-later
qvm-connect-tcp 8384:@default:8384
cp -r /rw/config/systemd/qusal-syncthing-browser-forwarder* /usr/lib/systemd/system/
systemctl daemon-reload
systemctl --no-block restart qusal-syncthing-browser-forwarder.socket
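Review bot: this rc.local script still follows the per-boot pattern the rest of the commit retires: `cp -r /rw/config/systemd/qusal-syncthing-browser-forwarder* /usr/lib/systemd/system/` followed by `daemon-reload` and a restart of the socket. A comment explaining why the browser qube's units live under `/rw/config/systemd/` instead of in the template would help the next reader, and since the socket is restarted directly rather than enabled, the `[Install]` / `WantedBy=multi-user.target` section in the copied unit is never used.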

View File

@ -0,0 +1,17 @@
# SPDX-FileCopyrightText: 2023 - 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com
#
# SPDX-License-Identifier: AGPL-3.0-or-later
[Unit]
Description=Forward Syncthing Admin Panel connection over Qrexec
After=qubes-sysinit.service
Before=qubes-qrexec-agent.service
ConditionPathExists=/var/run/qubes-service/syncthing-browser
[Socket]
ListenStream=127.0.0.1:8384
BindToDevice=lo
Accept=true
[Install]
WantedBy=multi-user.target

View File

@ -0,0 +1,11 @@
# SPDX-FileCopyrightText: 2023 - 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com
#
# SPDX-License-Identifier: AGPL-3.0-or-later
[Unit]
Description=Forward Syncthing Admin Panel connection over Qrexec
[Service]
ExecStart=/usr/bin/qrexec-client-vm @default qubes.ConnectTCP+8384
StandardInput=socket
StandardOutput=inherit

View File

@ -1,25 +0,0 @@
## SPDX-FileCopyrightText: 2022 unman <unman@thirdeyesecurity.org>
## SPDX-FileCopyrightText: 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com>
##
## SPDX-License-Identifier: AGPL-3.0-or-later
[Unit]
Description=Syncthing over Qrexec
After=qubes-sysinit.service
After=qubes-qrexec-agent.service
ConditionPathExists=/var/run/qubes-service/syncthing-setup
[Service]
ExecStart=/usr/bin/socat TCP4-LISTEN:22001,reuseaddr,fork,end-close EXEC:"qrexec-client-vm @default qusal.Syncthing"
Restart=on-failure
RestartSec=3
# Hardening
ProtectSystem=full
PrivateTmp=true
SystemCallArchitectures=native
MemoryDenyWriteExecute=true
NoNewPrivileges=true
[Install]
WantedBy=multi-user.target

View File

@ -0,0 +1,17 @@
# SPDX-FileCopyrightText: 2023 - 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com
#
# SPDX-License-Identifier: AGPL-3.0-or-later
[Unit]
Description=Forward Syncthing connection over Qrexec
After=qubes-sysinit.service
Before=qubes-qrexec-agent.service
ConditionPathExists=/var/run/qubes-service/syncthing-client
[Socket]
ListenStream=127.0.0.1:22001
BindToDevice=lo
Accept=true
[Install]
WantedBy=multi-user.target

Some files were not shown because too many files have changed in this diff.