doc: document usage of qusal TCP proxy

2024-10-01 02:35:49 -04:00 · 2024-06-14 07:42:18 +02:00 · 2024-06-14 07:42:18 +02:00 · afcb73085f
commit afcb73085f
parent e1a15d8a7e
2 changed files with 18 additions and 2 deletions
--- a/salt/dev/README.md
+++ b/salt/dev/README.md
@ -12,7 +12,8 @@ Development environment in Qubes OS.

 Setup a development qube named "dev". Defines the user interactive shell,
 installing goodies, applying dotfiles, being client of sys-pgp, sys-git and
-sys-ssh-agent.
+sys-ssh-agent. The qube has netvm but can reach remote servers if the policy
+allows.

 ## Installation

@ -41,4 +42,9 @@ The development qube `dev` can be used for:
 - building programs;
 - signing commits, tags, pushes and verifying with split-gpg;
 - fetching and pushing to and from local qube repository with split-git; and
- fetching and pushing to and from remote repository with split-ssh-agent.
+- fetching and pushing to and from remote repository with split-ssh-agent and
+  without direct network connection, you can open port to the desired SSH or
+  HTTP server.
+
+As the qube has no netvm, configure the `qusal.ConnectTCP` service to allow
+for it to communicate with a remote repository for example.
--- a/salt/sys-net/README.md
+++ b/salt/sys-net/README.md
@ -59,6 +59,16 @@ sudo qubesctl state.apply sys-net.prefs
 You might need to install some firmware on the template for your network
 drivers. Check files/admin/firmware.txt.

+## Access control
+
+_Default policy_: every call is denied.
+
+Qube `dev` can ask to connect to `github.com:22` from `disp-sys-net`:
+```qrexecpolicy
+qusal.ConnectTCP +github.com+22 dev @default ask target=disp-sys-net
+qusal.ConnectTCP *              dev @anyvm   deny
+```
+
 ## Usage

 A network manager is provided in `sys-net`, from there you can manager Wi-Fi