feat: add TCP proxy for remote hosts
Ideally, it would be a Qrexec socket service, but that doesn't handle DNS, only accepting IPs. The dev qube is now non-networked, and network access, especially to remote git repositories, can be acquired via the proxy that is going to be installed in every netvm.
This commit is contained in:
parent
61e968cd7b
commit
a564b3a703
@ -20,6 +20,8 @@ include:
|
|||||||
- install_recommends: False
|
- install_recommends: False
|
||||||
- skip_suggestions: True
|
- skip_suggestions: True
|
||||||
- pkgs:
|
- pkgs:
|
||||||
|
- qubes-core-agent-networking
|
||||||
|
- ca-certificates
|
||||||
- ansible
|
- ansible
|
||||||
- ansible-lint
|
- ansible-lint
|
||||||
- python3-argcomplete
|
- python3-argcomplete
|
||||||
|
@ -30,6 +30,7 @@ present:
|
|||||||
prefs:
|
prefs:
|
||||||
- template: tpl-{{ slsdotpath }}
|
- template: tpl-{{ slsdotpath }}
|
||||||
- label: purple
|
- label: purple
|
||||||
|
- netvm: ""
|
||||||
- audiovm: ""
|
- audiovm: ""
|
||||||
- vcpus: 1
|
- vcpus: 1
|
||||||
- memory: 400
|
- memory: 400
|
||||||
@ -39,6 +40,7 @@ prefs:
|
|||||||
features:
|
features:
|
||||||
- enable:
|
- enable:
|
||||||
- service.split-gpg2-client
|
- service.split-gpg2-client
|
||||||
|
- service.qusal-proxy-client
|
||||||
- service.crond
|
- service.crond
|
||||||
- disable:
|
- disable:
|
||||||
- service.cups
|
- service.cups
|
||||||
|
@ -26,7 +26,6 @@ include:
|
|||||||
- pkgs:
|
- pkgs:
|
||||||
## Necessary
|
## Necessary
|
||||||
- qubes-core-agent-passwordless-root
|
- qubes-core-agent-passwordless-root
|
||||||
- qubes-core-agent-networking
|
|
||||||
- ca-certificates
|
- ca-certificates
|
||||||
- git
|
- git
|
||||||
- gnupg2
|
- gnupg2
|
||||||
|
@ -12,32 +12,4 @@ include:
|
|||||||
- dotfiles.copy-x11
|
- dotfiles.copy-x11
|
||||||
- dotfiles.copy-ssh
|
- dotfiles.copy-ssh
|
||||||
|
|
||||||
"{{ slsdotpath }}-client-installed":
|
|
||||||
pkg.installed:
|
|
||||||
- require:
|
|
||||||
- sls: utils.tools.common.update
|
|
||||||
- install_recommends: False
|
|
||||||
- skip_suggestions: True
|
|
||||||
- pkgs:
|
|
||||||
- qubes-core-agent-networking
|
|
||||||
- ca-certificates
|
|
||||||
- man-db
|
|
||||||
|
|
||||||
{% set pkg = {
|
|
||||||
'Debian': {
|
|
||||||
'pkg': ['openssh-client'],
|
|
||||||
},
|
|
||||||
'RedHat': {
|
|
||||||
'pkg': ['openssh-clients'],
|
|
||||||
},
|
|
||||||
}.get(grains.os_family) -%}
|
|
||||||
|
|
||||||
"{{ slsdotpath }}-client-installed-os-specific":
|
|
||||||
pkg.installed:
|
|
||||||
- require:
|
|
||||||
- sls: utils.tools.common.update
|
|
||||||
- install_recommends: False
|
|
||||||
- skip_suggestions: True
|
|
||||||
- pkgs: {{ pkg.pkg|sequence|yaml }}
|
|
||||||
|
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
@ -8,6 +8,7 @@ SPDX-License-Identifier: AGPL-3.0-or-later
|
|||||||
|
|
||||||
include:
|
include:
|
||||||
- utils.tools.common.update
|
- utils.tools.common.update
|
||||||
|
- sys-net.install-proxy
|
||||||
|
|
||||||
"{{ slsdotpath }}-installed":
|
"{{ slsdotpath }}-installed":
|
||||||
pkg.installed:
|
pkg.installed:
|
||||||
|
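--- a/salt/sys-net/files/server/rpc/qusal.ConnectTCP
+++ b/salt/sys-net/files/server/rpc/qusal.ConnectTCP
@@ -0,0 +1,37 @@
+#!/bin/sh
+
+## SPDX-FileCopyrightText: 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com>
+##
+## SPDX-License-Identifier: AGPL-3.0-or-later
+
+## How to use with SSH?
+## On Dom0 Qrexec policy:
+## qusal.ConnectTCP +domain.tld+22 sshclient @default ask default_target=sshproxy
+## On Dom0, enable the "qusal-proxy-client" service for the client qube:
+## qvm-features sshclient service.qusal-proxy-client 1
+## On the SSH Proxy server (netvm of your liking), install this RPC service.
+## qubesctl --skip-dom0 --targets=sshproxy state.apply sys-net.install-proxy
+## On the client ssh configuration:
+## Match Exec "test -f /var/run/qubes-service/qusal-proxy-client"
+## ProxyCommand qrexec-client-vm @default qusal.ConnectTCP+%h+%p
+
+set -eu
+
+arg="${QREXEC_SERVICE_ARGUMENT}"
+host="${arg%%+*}"
+port="${arg##*+}"
+
+if test -z "${port}" || test -z "${host}" || test "${port}" = "${host}"; then
+  echo "Missing either host, port or both" >&2
+  exit 1
+fi
+if test "${#host}" -gt 256; then
+  echo "Host size exceeds limit" >&2
+  exit 1
+fi
+if test "${#port}" -gt 5 || test "${port}" -gt 65535; then
+  echo "Invalid port number, it must be between 1 and 65535" >&2
+  exit 1
+fi
+
+exec socat - "TCP:${host}:${port}"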
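Review bot: The port guard `if test "${#port}" -gt 5 || test "${port}" -gt 65535; then` only works for a decimal value: for a non-numeric `${port}` the `-gt` comparison errors out with status 2, the `||` chain is false, the `if` body is skipped, and the script reaches `exec socat - "TCP:${host}:${port}"` with an unvalidated port; `0` (and a value with a leading `-`, if qrexec lets one through) also passes although the message promises 1–65535. Check the characters with a `case` pattern before the numeric comparison and add the lower bound, as below. `${host}` is only length-checked, so whatever the script relies on from qrexec's argument rules is implicit; rejecting `*[!A-Za-z0-9.-]*` would make that explicit, and 256 is above the 253-character DNS name limit in any case.
```shell
# … unchanged: header comments, set -eu, argument split, host checks …
case "${port}" in
  ""|*[!0-9]*)
    echo "Invalid port number, it must be between 1 and 65535" >&2
    exit 1
    ;;
esac
if test "${#port}" -gt 5 || test "${port}" -lt 1 || test "${port}" -gt 65535; then
  echo "Invalid port number, it must be between 1 and 65535" >&2
  exit 1
fi

exec socat - "TCP:${host}:${port}"
```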
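--- a/salt/sys-net/install-proxy.sls
+++ b/salt/sys-net/install-proxy.sls
@@ -0,0 +1,32 @@
+{#
+SPDX-FileCopyrightText: 2023 - 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com>
+
+SPDX-License-Identifier: AGPL-3.0-or-later
+#}
+
+{% if grains['nodename'] != 'dom0' -%}
+
+include:
+  - utils.tools.common.update
+
+"{{ slsdotpath }}-proxy-installed":
+  pkg.installed:
+    - require:
+      - sls: utils.tools.common.update
+    - install_recommends: False
+    - skip_suggestions: True
+    - pkgs:
+      - socat
+
+"{{ slsdotpath }}-proxy-rpc":
+  file.recurse:
+    - require:
+      - pkg: "{{ slsdotpath }}-proxy-installed"
+    - name: /etc/qubes-rpc/
+    - source: salt://{{ slsdotpath }}/files/server/rpc
+    - user: root
+    - group: root
+    - file_mode: '0755'
+    - dir_mode: '0755'
+
+{% endif %}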
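Review bot: The state carries no comment on what it exposes: `file.recurse` installs every file under `files/server/rpc` as an executable qrexec service in `/etc/qubes-rpc/`, and the only thing deciding which qube may call `qusal.ConnectTCP`, and towards which host and port, is the dom0 policy line documented inside the script, which no hunk visible here adds. A comment above `"{{ slsdotpath }}-proxy-rpc":` such as `## Deploys the qusal.ConnectTCP TCP-proxy service; who may call it is decided solely by the dom0 qrexec policy.` would make the trust boundary obvious to whoever applies this state. The `- require:` on the socat package is right, since the service `exec`s socat.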
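--- a/salt/sys-net/install-proxy.top
+++ b/salt/sys-net/install-proxy.top
@@ -0,0 +1,9 @@
+{#
+SPDX-FileCopyrightText: 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com>
+
+SPDX-License-Identifier: AGPL-3.0-or-later
+#}
+
+base:
+  '*':
+    - sys-net.install-proxy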
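Review bot: The `'*':` target applies `sys-net.install-proxy` to every minion, while the commit description scopes the proxy to netvms; the sls itself excludes only dom0. With `qubesctl --targets=…` the top file only matters for the qubes named on the command line, but a broader highstate with this top enabled would install socat and the TCP-proxy RPC service into every qube, so either narrow the target to the netvm qubes or add a comment above `base:` noting that this top is meant to be applied selectively, e.g. `## Apply only to the qubes that should act as TCP proxy (netvms).`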
@ -9,6 +9,7 @@ SPDX-License-Identifier: AGPL-3.0-or-later
|
|||||||
include:
|
include:
|
||||||
- utils.tools.common.update
|
- utils.tools.common.update
|
||||||
- dotfiles.copy-x11
|
- dotfiles.copy-x11
|
||||||
|
- sys-net.install-proxy
|
||||||
|
|
||||||
"{{ slsdotpath }}-installed":
|
"{{ slsdotpath }}-installed":
|
||||||
pkg.installed:
|
pkg.installed:
|
||||||
|
@ -12,6 +12,7 @@ SPDX-License-Identifier: AGPL-3.0-or-later
|
|||||||
include:
|
include:
|
||||||
- utils.tools.common.update
|
- utils.tools.common.update
|
||||||
- sys-cacher.uninstall-client
|
- sys-cacher.uninstall-client
|
||||||
|
- sys-net.install-proxy
|
||||||
- dotfiles.copy-x11
|
- dotfiles.copy-x11
|
||||||
|
|
||||||
"{{ slsdotpath }}-installed":
|
"{{ slsdotpath }}-installed":
|
||||||
|
@ -20,8 +20,6 @@ include:
|
|||||||
- install_recommends: False
|
- install_recommends: False
|
||||||
- skip_suggestions: True
|
- skip_suggestions: True
|
||||||
- pkgs:
|
- pkgs:
|
||||||
- qubes-core-agent-networking
|
|
||||||
- ca-certificates
|
|
||||||
- socat
|
- socat
|
||||||
- man-db
|
- man-db
|
||||||
|
|
||||||
|
@ -20,8 +20,6 @@ include:
|
|||||||
- install_recommends: False
|
- install_recommends: False
|
||||||
- skip_suggestions: True
|
- skip_suggestions: True
|
||||||
- pkgs:
|
- pkgs:
|
||||||
- qubes-core-agent-networking
|
|
||||||
- ca-certificates
|
|
||||||
- socat
|
- socat
|
||||||
- man-db
|
- man-db
|
||||||
|
|
||||||
|
@ -9,6 +9,7 @@ SPDX-License-Identifier: AGPL-3.0-or-later
|
|||||||
|
|
||||||
include:
|
include:
|
||||||
- utils.tools.common.update
|
- utils.tools.common.update
|
||||||
|
- sys-net.install-proxy
|
||||||
|
|
||||||
{#
|
{#
|
||||||
"{{ slsdotpath }}-qvpn-group":
|
"{{ slsdotpath }}-qvpn-group":
|
||||||
|