feat: add TCP proxy for remote hosts

Ideally, it would be a Qrexec socket service, but it doesn't handle DNS,
only accepting IPs. The dev qube is now non-networked; network access,
especially to remote git repositories, can be acquired via the proxy that
is going to be installed in every netvm.
Ben Grande 2024-06-13 18:01:08 +02:00
parent 61e968cd7b
commit a564b3a703
GPG Key ID: 00C64E14F51F9E56
13 changed files with 86 additions and 33 deletions


@ -20,6 +20,8 @@ include:
- install_recommends: False
- skip_suggestions: True
- pkgs:
- qubes-core-agent-networking
- ca-certificates
- ansible
- ansible-lint
- python3-argcomplete


@ -30,6 +30,7 @@ present:
prefs:
- template: tpl-{{ slsdotpath }}
- label: purple
- netvm: ""
- audiovm: ""
- vcpus: 1
- memory: 400
@ -39,6 +40,7 @@ prefs:
features:
- enable:
- service.split-gpg2-client
- service.qusal-proxy-client
- service.crond
- disable:
- service.cups


@ -26,7 +26,6 @@ include:
- pkgs:
## Necessary
- qubes-core-agent-passwordless-root
- qubes-core-agent-networking
- ca-certificates
- git
- gnupg2


@ -12,32 +12,4 @@ include:
- dotfiles.copy-x11
- dotfiles.copy-ssh
"{{ slsdotpath }}-client-installed":
pkg.installed:
- require:
- sls: utils.tools.common.update
- install_recommends: False
- skip_suggestions: True
- pkgs:
- qubes-core-agent-networking
- ca-certificates
- man-db
{% set pkg = {
'Debian': {
'pkg': ['openssh-client'],
},
'RedHat': {
'pkg': ['openssh-clients'],
},
}.get(grains.os_family) -%}
"{{ slsdotpath }}-client-installed-os-specific":
pkg.installed:
- require:
- sls: utils.tools.common.update
- install_recommends: False
- skip_suggestions: True
- pkgs: {{ pkg.pkg|sequence|yaml }}
{% endif %}


@ -8,6 +8,7 @@ SPDX-License-Identifier: AGPL-3.0-or-later
include:
- utils.tools.common.update
- sys-net.install-proxy
"{{ slsdotpath }}-installed":
pkg.installed:


@ -0,0 +1,37 @@
#!/bin/sh
## SPDX-FileCopyrightText: 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com>
##
## SPDX-License-Identifier: AGPL-3.0-or-later
## How to use with SSH?
## On Dom0 Qrexec policy:
## qusal.ConnectTCP +domain.tld+22 sshclient @default ask default_target=sshproxy
## On Dom0, enable the "qusal-proxy-client" service for the client qube:
## qvm-features sshclient service.qusal-proxy-client 1
## On the SSH Proxy server (netvm of your liking), install this RPC service.
## qubesctl --skip-dom0 --targets=sshproxy state.apply sys-net.install-proxy
## On the client ssh configuration:
## Match Exec "test -f /var/run/qubes-service/qusal-proxy-client"
## ProxyCommand qrexec-client-vm @default qusal.ConnectTCP+%h+%p
set -eu
arg="${QREXEC_SERVICE_ARGUMENT}"
host="${arg%%+*}"
port="${arg##*+}"
if test -z "${port}" || test -z "${host}" || test "${port}" = "${host}"; then
echo "Missing either host, port or both" >&2
exit 1
fi
if test "${#host}" -gt 256; then
echo "Host size exceeds limit" >&2
exit 1
fi
if test "${#port}" -gt 5 || test "${port}" -gt 65535; then
echo "Invalid port number, it must be between 1 and 65535" >&2
exit 1
fi
exec socat - "TCP:${host}:${port}"
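Review bot: The port check at `if test "${#port}" -gt 5 || test "${port}" -gt 65535` does not fail closed: a non-numeric port makes the second `test` exit with an error status, which as part of the `if` condition simply counts as false, so the script falls through to `exec socat` with the unvalidated value, and `0` or a negative value is not rejected either although the message promises 1–65535. A `case` pattern that rejects anything but digits before the numeric comparison, plus a `-lt 1` bound, closes both gaps. The host only gets a length check; whether it can carry socat address separators such as `,` or `:` depends on what qrexec permits in a service argument, so an explicit allow-list such as `case "${host}" in *[!A-Za-z0-9.-]*) echo "Invalid host" >&2; exit 1 ;; esac` would make that assumption visible in the script rather than rely on the caller.
```shell
case "${port}" in
  *[!0-9]*)
    echo "Invalid port number, it must be between 1 and 65535" >&2
    exit 1
    ;;
esac
if test "${#port}" -gt 5 || test "${port}" -lt 1 || test "${port}" -gt 65535; then
  echo "Invalid port number, it must be between 1 and 65535" >&2
  exit 1
fi
# … unchanged: exec socat …
```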


@ -0,0 +1,32 @@
{#
SPDX-FileCopyrightText: 2023 - 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com>
SPDX-License-Identifier: AGPL-3.0-or-later
#}
{% if grains['nodename'] != 'dom0' -%}
include:
- utils.tools.common.update
"{{ slsdotpath }}-proxy-installed":
pkg.installed:
- require:
- sls: utils.tools.common.update
- install_recommends: False
- skip_suggestions: True
- pkgs:
- socat
"{{ slsdotpath }}-proxy-rpc":
file.recurse:
- require:
- pkg: "{{ slsdotpath }}-proxy-installed"
- name: /etc/qubes-rpc/
- source: salt://{{ slsdotpath }}/files/server/rpc
- user: root
- group: root
- file_mode: '0755'
- dir_mode: '0755'
{% endif %}
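Review bot: Nothing in this state documents that the RPC installed by `"{{ slsdotpath }}-proxy-rpc"` stays unusable until dom0 carries a policy line for `qusal.ConnectTCP`, and no policy file appears among the 13 file sections of this commit, so a fresh `sys-net.install-proxy` deployment presumably yields a service whose every call is denied until the operator adds the rule by hand. A short comment above `"{{ slsdotpath }}-proxy-rpc":` would help: `## Inert until dom0 has a qusal.ConnectTCP policy entry; the script in files/server/rpc shows an example line.` Also worth stating is that `file_mode: '0755'` applies to every file under the source directory, which suits RPC entry points but would also mark any non-executable file placed there as executable.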


@ -0,0 +1,9 @@
{#
SPDX-FileCopyrightText: 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com>
SPDX-License-Identifier: AGPL-3.0-or-later
#}
base:
'*':
- sys-net.install-proxy


@ -9,6 +9,7 @@ SPDX-License-Identifier: AGPL-3.0-or-later
include:
- utils.tools.common.update
- dotfiles.copy-x11
- sys-net.install-proxy
"{{ slsdotpath }}-installed":
pkg.installed:


@ -12,6 +12,7 @@ SPDX-License-Identifier: AGPL-3.0-or-later
include:
- utils.tools.common.update
- sys-cacher.uninstall-client
- sys-net.install-proxy
- dotfiles.copy-x11
"{{ slsdotpath }}-installed":


@ -20,8 +20,6 @@ include:
- install_recommends: False
- skip_suggestions: True
- pkgs:
- qubes-core-agent-networking
- ca-certificates
- socat
- man-db


@ -20,8 +20,6 @@ include:
- install_recommends: False
- skip_suggestions: True
- pkgs:
- qubes-core-agent-networking
- ca-certificates
- socat
- man-db


@ -9,6 +9,7 @@ SPDX-License-Identifier: AGPL-3.0-or-later
include:
- utils.tools.common.update
- sys-net.install-proxy
{#
"{{ slsdotpath }}-qvpn-group":