From a564b3a7039a659ed2d354ce4264638da4f6ad96 Mon Sep 17 00:00:00 2001
From: Ben Grande
Date: Thu, 13 Jun 2024 18:01:08 +0200
Subject: [PATCH] feat: add TCP proxy for remote hosts
Ideally, it would be a Qrexec socket service, but it doesn't handle DNS, only accepting IPs. The dev qube is now non-networked and network, especially to remote git repositories can be acquired via the proxy that is going to be installed in every netvm.
---
salt/ansible/install.sls | 2 +
salt/dev/create.sls | 2 +
salt/dev/install.sls | 1 -
salt/ssh/install.sls | 28 --------------
salt/sys-firewall/install.sls | 1 +
.../sys-net/files/server/rpc/qusal.ConnectTCP | 37 +++++++++++++++++++
salt/sys-net/install-proxy.sls | 32 ++++++++++++++++
salt/sys-net/install-proxy.top | 9 +++++
salt/sys-net/install.sls | 1 +
salt/sys-pihole/install.sls | 1 +
salt/sys-ssh-agent/install-client.sls | 2 -
salt/sys-ssh-agent/install.sls | 2 -
salt/sys-wireguard/install.sls | 1 +
13 files changed, 86 insertions(+), 33 deletions(-)
create mode 100755 salt/sys-net/files/server/rpc/qusal.ConnectTCP
create mode 100644 salt/sys-net/install-proxy.sls
create mode 100644 salt/sys-net/install-proxy.top
diff --git a/salt/ansible/install.sls b/salt/ansible/install.sls
index 0386a27..a512335 100644
--- a/salt/ansible/install.sls
+++ b/salt/ansible/install.sls
@@ -20,6 +20,8 @@ include:
- install_recommends: False
- skip_suggestions: True
- pkgs:
+ - qubes-core-agent-networking
+ - ca-certificates
- ansible
- ansible-lint
- python3-argcomplete
diff --git a/salt/dev/create.sls b/salt/dev/create.sls
index 748cdb5..d87a5e2 100644
--- a/salt/dev/create.sls
+++ b/salt/dev/create.sls
@@ -30,6 +30,7 @@ present:
prefs:
- template: tpl-{{ slsdotpath }}
- label: purple
+- netvm: ""
- audiovm: ""
- vcpus: 1
- memory: 400
@@ -39,6 +40,7 @@ prefs:
features:
- enable:
- service.split-gpg2-client
+ - service.qusal-proxy-client
- service.crond
- disable:
- service.cups
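Review bot: Enabling `service.qusal-proxy-client` and clearing `netvm` for the dev qube only takes effect once a dom0 policy line allowing `qusal.ConnectTCP` from this qube exists, and this patch adds none; unless such a policy already lives elsewhere in the repo, qrexec refuses the calls and the now non-networked qube has no route to remote repositories. The RPC header in qusal.ConnectTCP shows the expected shape (`qusal.ConnectTCP +domain.tld+22 sshclient @default ask default_target=sshproxy`), so either a policy for dev should ship with this change or the create state should say where it is expected to come from. The client-side ssh `Match Exec`/`ProxyCommand` stanza from that header is likewise not part of the patch, and as far as the patch shows only SSH traffic is routed, so HTTPS-based git remotes would still have no network. A comment on the `- service.qusal-proxy-client` line such as `## requires a dom0 qusal.ConnectTCP policy for this qube` would make the dependency visible.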
diff --git a/salt/dev/install.sls b/salt/dev/install.sls
index 1709a48..4f7a111 100644
--- a/salt/dev/install.sls
+++ b/salt/dev/install.sls
@@ -26,7 +26,6 @@ include:
- pkgs:
## Necessary
- qubes-core-agent-passwordless-root
- - qubes-core-agent-networking
- ca-certificates
- git
- gnupg2
diff --git a/salt/ssh/install.sls b/salt/ssh/install.sls
index e5206a4..42d53ac 100644
--- a/salt/ssh/install.sls
+++ b/salt/ssh/install.sls
@@ -12,32 +12,4 @@ include:
- dotfiles.copy-x11
- dotfiles.copy-ssh
-"{{ slsdotpath }}-client-installed":
- pkg.installed:
- - require:
- - sls: utils.tools.common.update
- - install_recommends: False
- - skip_suggestions: True
- - pkgs:
- - qubes-core-agent-networking
- - ca-certificates
- - man-db
-
-{% set pkg = {
- 'Debian': {
- 'pkg': ['openssh-client'],
- },
- 'RedHat': {
- 'pkg': ['openssh-clients'],
- },
-}.get(grains.os_family) -%}
-
-"{{ slsdotpath }}-client-installed-os-specific":
- pkg.installed:
- - require:
- - sls: utils.tools.common.update
- - install_recommends: False
- - skip_suggestions: True
- - pkgs: {{ pkg.pkg|sequence|yaml }}
-
{% endif %}
diff --git a/salt/sys-firewall/install.sls b/salt/sys-firewall/install.sls
index 7292af8..e6f99d9 100644
--- a/salt/sys-firewall/install.sls
+++ b/salt/sys-firewall/install.sls
@@ -8,6 +8,7 @@ SPDX-License-Identifier: AGPL-3.0-or-later
include:
- utils.tools.common.update
+ - sys-net.install-proxy
"{{ slsdotpath }}-installed":
pkg.installed:
diff --git a/salt/sys-net/files/server/rpc/qusal.ConnectTCP b/salt/sys-net/files/server/rpc/qusal.ConnectTCP
new file mode 100755
index 0000000..4e97658
--- /dev/null
+++ b/salt/sys-net/files/server/rpc/qusal.ConnectTCP
@@ -0,0 +1,37 @@
+#!/bin/sh
+
+## SPDX-FileCopyrightText: 2024 Benjamin Grande M. S.
+##
+## SPDX-License-Identifier: AGPL-3.0-or-later
+
+## How to use with SSH?
+## On Dom0 Qrexec policy:
+## qusal.ConnectTCP +domain.tld+22 sshclient @default ask default_target=sshproxy
+## On Dom0, enable the "qusal-proxy-client" service for the client qube:
+## qvm-features sshclient service.qusal-proxy-client 1
+## On the SSH Proxy server (netvm of your liking), install this RPC service.
+## qubesctl --skip-dom0 --targets=sshproxy state.apply sys-net.install-proxy
+## On the client ssh configuration:
+## Match Exec "test -f /var/run/qubes-service/qusal-proxy-client"
+## ProxyCommand qrexec-client-vm @default qusal.ConnectTCP+%h+%p
+
+set -eu
+
+arg="${QREXEC_SERVICE_ARGUMENT}"
+host="${arg%%+*}"
+port="${arg##*+}"
+
+if test -z "${port}" || test -z "${host}" || test "${port}" = "${host}"; then
+ echo "Missing either host, port or both" >&2
+ exit 1
+fi
+if test "${#host}" -gt 256; then
+ echo "Host size exceeds limit" >&2
+ exit 1
+fi
+if test "${#port}" -gt 5 || test "${port}" -gt 65535; then
+ echo "Invalid port number, it must be between 1 and 65535" >&2
+ exit 1
+fi
+
+exec socat - "TCP:${host}:${port}"
diff --git a/salt/sys-net/install-proxy.sls b/salt/sys-net/install-proxy.sls
new file mode 100644
index 0000000..82a159e
--- /dev/null
+++ b/salt/sys-net/install-proxy.sls
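Review bot: The port check `test "${#port}" -gt 5 || test "${port}" -gt 65535` does not reject non-numeric or zero values: for a value such as `abc`, `test -gt` fails with an error instead of evaluating true, the `||` list treats that as false (`set -e` does not apply inside an `if` condition), and the value is handed to socat; `0` and `-1` pass the numeric comparison outright, contradicting the "between 1 and 65535" message. A POSIX `case` charset check on port and host ahead of the numeric tests closes this, and a lower bound of 1 makes the message accurate. The host check only bounds length; if qrexec does not already constrain the argument charset (worth confirming against the qrexec version in use), a `,` or `:` in the host would be read by socat as part of the address specification, so restricting host to hostname characters is cheap defense in depth — it deliberately excludes IPv6 literals, which `TCP:${host}:${port}` could not express unambiguously anyway. The rewritten validation follows; the extraction of `host`/`port` and the final `exec socat` line are unchanged.
```sh
# … unchanged: header comment, set -eu, host/port extraction, empty-argument check …
case "${host}" in
  *[!A-Za-z0-9.-]*)
    echo "Host contains characters that are not valid in a hostname" >&2
    exit 1
    ;;
esac
if test "${#host}" -gt 256; then
  echo "Host size exceeds limit" >&2
  exit 1
fi
case "${port}" in
  ""|*[!0-9]*)
    echo "Invalid port number, it must be between 1 and 65535" >&2
    exit 1
    ;;
esac
if test "${#port}" -gt 5 || test "${port}" -lt 1 || test "${port}" -gt 65535; then
  echo "Invalid port number, it must be between 1 and 65535" >&2
  exit 1
fi
# … unchanged: exec socat …
```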
@@ -0,0 +1,32 @@
+{#
+SPDX-FileCopyrightText: 2023 - 2024 Benjamin Grande M. S.
+
+SPDX-License-Identifier: AGPL-3.0-or-later
+#}
+
+{% if grains['nodename'] != 'dom0' -%}
+
+include:
+ - utils.tools.common.update
+
+"{{ slsdotpath }}-proxy-installed":
+ pkg.installed:
+ - require:
+ - sls: utils.tools.common.update
+ - install_recommends: False
+ - skip_suggestions: True
+ - pkgs:
+ - socat
+
+"{{ slsdotpath }}-proxy-rpc":
+ file.recurse:
+ - require:
+ - pkg: "{{ slsdotpath }}-proxy-installed"
+ - name: /etc/qubes-rpc/
+ - source: salt://{{ slsdotpath }}/files/server/rpc
+ - user: root
+ - group: root
+ - file_mode: '0755'
+ - dir_mode: '0755'
+
+{% endif %}
diff --git a/salt/sys-net/install-proxy.top b/salt/sys-net/install-proxy.top
new file mode 100644
index 0000000..fb2d46b
--- /dev/null
+++ b/salt/sys-net/install-proxy.top
@@ -0,0 +1,9 @@
+{#
+SPDX-FileCopyrightText: 2024 Benjamin Grande M. S.
+
+SPDX-License-Identifier: AGPL-3.0-or-later
+#}
+
+base:
+ '*':
+ - sys-net.install-proxy
diff --git a/salt/sys-net/install.sls b/salt/sys-net/install.sls
index 8588439..101f3b0 100644
--- a/salt/sys-net/install.sls
+++ b/salt/sys-net/install.sls
@@ -9,6 +9,7 @@ SPDX-License-Identifier: AGPL-3.0-or-later
include:
- utils.tools.common.update
- dotfiles.copy-x11
+ - sys-net.install-proxy
"{{ slsdotpath }}-installed":
pkg.installed:
diff --git a/salt/sys-pihole/install.sls b/salt/sys-pihole/install.sls
index f592208..1c96ac2 100644
--- a/salt/sys-pihole/install.sls
+++ b/salt/sys-pihole/install.sls
@@ -12,6 +12,7 @@ SPDX-License-Identifier: AGPL-3.0-or-later
include:
- utils.tools.common.update
- sys-cacher.uninstall-client
+ - sys-net.install-proxy
- dotfiles.copy-x11
"{{ slsdotpath }}-installed":
diff --git a/salt/sys-ssh-agent/install-client.sls b/salt/sys-ssh-agent/install-client.sls
index 366b388..33692fb 100644
--- a/salt/sys-ssh-agent/install-client.sls
+++ b/salt/sys-ssh-agent/install-client.sls
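Review bot: The `"{{ slsdotpath }}-proxy-rpc"` state recurses the whole `files/server/rpc` directory into `/etc/qubes-rpc/`, so any file later dropped into that source directory becomes an exposed RPC service on every qube that includes this state (sys-net, sys-firewall, sys-pihole and sys-wireguard all do in this patch). Since the directory currently holds a single script, `file.managed` keeps the exposed surface explicit: `file.managed:`, `- name: /etc/qubes-rpc/qusal.ConnectTCP`, `- source: salt://{{ slsdotpath }}/files/server/rpc/qusal.ConnectTCP`, with `- mode: '0755'` replacing `file_mode`/`dir_mode`. If recursion is intended so that future services ship automatically, a comment above the state such as `## Every file under files/server/rpc becomes a qrexec service on this netvm` would stop the next reader from tightening it.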
@@ -20,8 +20,6 @@ include:
- install_recommends: False
- skip_suggestions: True
- pkgs:
- - qubes-core-agent-networking
- - ca-certificates
- socat
- man-db
diff --git a/salt/sys-ssh-agent/install.sls b/salt/sys-ssh-agent/install.sls
index 4ad5a86..6896865 100644
--- a/salt/sys-ssh-agent/install.sls
+++ b/salt/sys-ssh-agent/install.sls
@@ -20,8 +20,6 @@ include:
- install_recommends: False
- skip_suggestions: True
- pkgs:
- - qubes-core-agent-networking
- - ca-certificates
- socat
- man-db
diff --git a/salt/sys-wireguard/install.sls b/salt/sys-wireguard/install.sls
index d5792c2..4f0bca7 100644
--- a/salt/sys-wireguard/install.sls
+++ b/salt/sys-wireguard/install.sls
@@ -9,6 +9,7 @@ SPDX-License-Identifier: AGPL-3.0-or-later
include:
- utils.tools.common.update
+ - sys-net.install-proxy
{#
"{{ slsdotpath }}-qvpn-group":