mirror of
https://github.com/ben-grande/qusal.git
synced 2024-12-24 06:59:26 -05:00
feat: add TCP proxy for remote hosts
Ideally, it would be a Qrexec socket service, but it doesn't handle DNS, only accepting IPs. The dev qube is now non-networked and network, especially to remote git repositories can be acquired via the proxy that is going to be installed in every netvm.
This commit is contained in:
parent
61e968cd7b
commit
a564b3a703
@ -20,6 +20,8 @@ include:
|
||||
- install_recommends: False
|
||||
- skip_suggestions: True
|
||||
- pkgs:
|
||||
- qubes-core-agent-networking
|
||||
- ca-certificates
|
||||
- ansible
|
||||
- ansible-lint
|
||||
- python3-argcomplete
|
||||
|
@ -30,6 +30,7 @@ present:
|
||||
prefs:
|
||||
- template: tpl-{{ slsdotpath }}
|
||||
- label: purple
|
||||
- netvm: ""
|
||||
- audiovm: ""
|
||||
- vcpus: 1
|
||||
- memory: 400
|
||||
@ -39,6 +40,7 @@ prefs:
|
||||
features:
|
||||
- enable:
|
||||
- service.split-gpg2-client
|
||||
- service.qusal-proxy-client
|
||||
- service.crond
|
||||
- disable:
|
||||
- service.cups
|
||||
|
@ -26,7 +26,6 @@ include:
|
||||
- pkgs:
|
||||
## Necessary
|
||||
- qubes-core-agent-passwordless-root
|
||||
- qubes-core-agent-networking
|
||||
- ca-certificates
|
||||
- git
|
||||
- gnupg2
|
||||
|
@ -12,32 +12,4 @@ include:
|
||||
- dotfiles.copy-x11
|
||||
- dotfiles.copy-ssh
|
||||
|
||||
"{{ slsdotpath }}-client-installed":
|
||||
pkg.installed:
|
||||
- require:
|
||||
- sls: utils.tools.common.update
|
||||
- install_recommends: False
|
||||
- skip_suggestions: True
|
||||
- pkgs:
|
||||
- qubes-core-agent-networking
|
||||
- ca-certificates
|
||||
- man-db
|
||||
|
||||
{% set pkg = {
|
||||
'Debian': {
|
||||
'pkg': ['openssh-client'],
|
||||
},
|
||||
'RedHat': {
|
||||
'pkg': ['openssh-clients'],
|
||||
},
|
||||
}.get(grains.os_family) -%}
|
||||
|
||||
"{{ slsdotpath }}-client-installed-os-specific":
|
||||
pkg.installed:
|
||||
- require:
|
||||
- sls: utils.tools.common.update
|
||||
- install_recommends: False
|
||||
- skip_suggestions: True
|
||||
- pkgs: {{ pkg.pkg|sequence|yaml }}
|
||||
|
||||
{% endif %}
|
||||
|
@ -8,6 +8,7 @@ SPDX-License-Identifier: AGPL-3.0-or-later
|
||||
|
||||
include:
|
||||
- utils.tools.common.update
|
||||
- sys-net.install-proxy
|
||||
|
||||
"{{ slsdotpath }}-installed":
|
||||
pkg.installed:
|
||||
|
37
salt/sys-net/files/server/rpc/qusal.ConnectTCP
Executable file
37
salt/sys-net/files/server/rpc/qusal.ConnectTCP
Executable file
@ -0,0 +1,37 @@
|
||||
#!/bin/sh
|
||||
|
||||
## SPDX-FileCopyrightText: 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com>
|
||||
##
|
||||
## SPDX-License-Identifier: AGPL-3.0-or-later
|
||||
|
||||
## How to use with SSH?
|
||||
## On Dom0 Qrexec policy:
|
||||
## qusal.ConnectTCP +domain.tld+22 sshclient @default ask default_target=sshproxy
|
||||
## On Dom0, enable the "qusal-proxy-client" service for the client qube:
|
||||
## qvm-features sshclient service.qusal-proxy-client 1
|
||||
## On the SSH Proxy server (netvm of your liking), install this RPC service.
|
||||
## qubesctl --skip-dom0 --targets=sshproxy state.apply sys-net.install-proxy
|
||||
## On the client ssh configuration:
|
||||
## Match Exec "test -f /var/run/qubes-service/qusal-proxy-client"
|
||||
## ProxyCommand qrexec-client-vm @default qusal.ConnectTCP+%h+%p
|
||||
|
||||
set -eu
|
||||
|
||||
arg="${QREXEC_SERVICE_ARGUMENT}"
|
||||
host="${arg%%+*}"
|
||||
port="${arg##*+}"
|
||||
|
||||
if test -z "${port}" || test -z "${host}" || test "${port}" = "${host}"; then
|
||||
echo "Missing either host, port or both" >&2
|
||||
exit 1
|
||||
fi
|
||||
if test "${#host}" -gt 256; then
|
||||
echo "Host size exceeds limit" >&2
|
||||
exit 1
|
||||
fi
|
||||
if test "${#port}" -gt 5 || test "${port}" -gt 65535; then
|
||||
echo "Invalid port number, it must be between 1 and 65535" >&2
|
||||
exit 1
|
||||
fi
|
||||
|
||||
exec socat - "TCP:${host}:${port}"
|
32
salt/sys-net/install-proxy.sls
Normal file
32
salt/sys-net/install-proxy.sls
Normal file
@ -0,0 +1,32 @@
|
||||
{#
|
||||
SPDX-FileCopyrightText: 2023 - 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com>
|
||||
|
||||
SPDX-License-Identifier: AGPL-3.0-or-later
|
||||
#}
|
||||
|
||||
{% if grains['nodename'] != 'dom0' -%}
|
||||
|
||||
include:
|
||||
- utils.tools.common.update
|
||||
|
||||
"{{ slsdotpath }}-proxy-installed":
|
||||
pkg.installed:
|
||||
- require:
|
||||
- sls: utils.tools.common.update
|
||||
- install_recommends: False
|
||||
- skip_suggestions: True
|
||||
- pkgs:
|
||||
- socat
|
||||
|
||||
"{{ slsdotpath }}-proxy-rpc":
|
||||
file.recurse:
|
||||
- require:
|
||||
- pkg: "{{ slsdotpath }}-proxy-installed"
|
||||
- name: /etc/qubes-rpc/
|
||||
- source: salt://{{ slsdotpath }}/files/server/rpc
|
||||
- user: root
|
||||
- group: root
|
||||
- file_mode: '0755'
|
||||
- dir_mode: '0755'
|
||||
|
||||
{% endif %}
|
9
salt/sys-net/install-proxy.top
Normal file
9
salt/sys-net/install-proxy.top
Normal file
@ -0,0 +1,9 @@
|
||||
{#
|
||||
SPDX-FileCopyrightText: 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com>
|
||||
|
||||
SPDX-License-Identifier: AGPL-3.0-or-later
|
||||
#}
|
||||
|
||||
base:
|
||||
'*':
|
||||
- sys-net.install-proxy
|
@ -9,6 +9,7 @@ SPDX-License-Identifier: AGPL-3.0-or-later
|
||||
include:
|
||||
- utils.tools.common.update
|
||||
- dotfiles.copy-x11
|
||||
- sys-net.install-proxy
|
||||
|
||||
"{{ slsdotpath }}-installed":
|
||||
pkg.installed:
|
||||
|
@ -12,6 +12,7 @@ SPDX-License-Identifier: AGPL-3.0-or-later
|
||||
include:
|
||||
- utils.tools.common.update
|
||||
- sys-cacher.uninstall-client
|
||||
- sys-net.install-proxy
|
||||
- dotfiles.copy-x11
|
||||
|
||||
"{{ slsdotpath }}-installed":
|
||||
|
@ -20,8 +20,6 @@ include:
|
||||
- install_recommends: False
|
||||
- skip_suggestions: True
|
||||
- pkgs:
|
||||
- qubes-core-agent-networking
|
||||
- ca-certificates
|
||||
- socat
|
||||
- man-db
|
||||
|
||||
|
@ -20,8 +20,6 @@ include:
|
||||
- install_recommends: False
|
||||
- skip_suggestions: True
|
||||
- pkgs:
|
||||
- qubes-core-agent-networking
|
||||
- ca-certificates
|
||||
- socat
|
||||
- man-db
|
||||
|
||||
|
@ -9,6 +9,7 @@ SPDX-License-Identifier: AGPL-3.0-or-later
|
||||
|
||||
include:
|
||||
- utils.tools.common.update
|
||||
- sys-net.install-proxy
|
||||
|
||||
{#
|
||||
"{{ slsdotpath }}-qvpn-group":
|
||||
|
Loading…
Reference in New Issue
Block a user