feat: install Qusal TCP Proxy on updatevm's origin
Document qusal.ConnectTCP in dev's Access Control, as it defaults to deny and users are confused about why it does not work by default. This is an exception to the rule that a formula does not document the RPC service of another formula, a rule that exists to avoid duplication.
This commit is contained in:
parent
c2fc4b524a
commit
eb3a8ab324
@ -6,6 +6,7 @@ Development environment in Qubes OS.
|
||||
|
||||
* [Description](#description)
|
||||
* [Installation](#installation)
|
||||
* [Access Control](#access-control)
|
||||
* [Usage](#usage)
|
||||
|
||||
## Description
|
||||
@ -22,6 +23,10 @@ allows.
|
||||
sudo qubesctl top.enable dev
|
||||
sudo qubesctl --targets=tpl-dev,dvm-dev,dev state.apply
|
||||
sudo qubesctl top.disable dev
|
||||
proxy_target="$(qusal-report-updatevm-origin)"
|
||||
if test -n "${proxy_target}"; then
|
||||
sudo qubesctl --skip-dom0 --targets="${proxy_target}" state.apply sys-net.install-proxy
|
||||
fi
|
||||
```
|
||||
|
||||
- State
|
||||
@ -31,9 +36,35 @@ sudo qubesctl state.apply dev.create
|
||||
sudo qubesctl --skip-dom0 --targets=tpl-dev state.apply dev.install
|
||||
sudo qubesctl --skip-dom0 --targets=dvm-dev state.apply dev.configure-dvm
|
||||
sudo qubesctl --skip-dom0 --targets=dev state.apply dev.configure
|
||||
proxy_target="$(qusal-report-updatevm-origin)"
|
||||
if test -n "${proxy_target}"; then
|
||||
sudo qubesctl --skip-dom0 --targets="${proxy_target}" state.apply sys-net.install-proxy
|
||||
fi
|
||||
```
|
||||
<!-- pkg:end:post-install -->
|
||||
|
||||
The installation will make the Qusal TCP Proxy available in the `updatevm`
|
||||
(after it is restarted in case it is template based). If you want to have the
|
||||
proxy available on a `netvm` that is not deployed by Qusal, install the Qusal
|
||||
TCP proxy on the templates of your `netvm`:
|
||||
```sh
|
||||
sudo qubesctl --skip-dom0 --targets=TEMPLATE state.apply sys-net.install-proxy
|
||||
```
|
||||
|
||||
Remember to restart the `netvms` after the proxy installation for the changes
|
||||
to take effect.
|
||||
|
||||
## Access Control
|
||||
|
||||
_Default policy_: `denies` `all` qubes from calling `qusal.ConnectTCP`
|
||||
|
||||
Allow qube `dev` to `connect` to `github.com:22` via `disp-sys-net` but not to
|
||||
any other host or via any other qube:
|
||||
```qrexecpolicy
|
||||
qusal.ConnectTCP +github.com+22 dev @default allow target=disp-sys-net
|
||||
qusal.ConnectTCP * dev @anyvm deny
|
||||
```
|
||||
|
||||
## Usage
|
||||
|
||||
The development qube `dev` can be used for:
|
||||
|
@ -8,6 +8,7 @@ SPDX-License-Identifier: AGPL-3.0-or-later
|
||||
|
||||
include:
|
||||
- .clone
|
||||
- sys-net.show-updatevm-origin
|
||||
|
||||
{% load_yaml as defaults -%}
|
||||
name: tpl-{{ slsdotpath }}
|
||||
|
@ -14,3 +14,6 @@ base:
|
||||
- dev.configure-dvm
|
||||
'dev':
|
||||
- dev.configure
|
||||
'(I@qubes:type:template or I@qubes:type:standalone) and (G@kernel:Linux or G@kernel:*BSD)':
|
||||
- match: compound
|
||||
- sys-net.install-proxy
|
||||
|
@ -10,6 +10,7 @@ SPDX-License-Identifier: AGPL-3.0-or-later
|
||||
|
||||
include:
|
||||
- .clone
|
||||
- .show-updatevm-origin
|
||||
|
||||
{% load_yaml as defaults -%}
|
||||
name: tpl-{{ slsdotpath }}
|
||||
|
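--- /dev/null
+++ b/salt/sys-net/files/admin/bin/qusal-report-updatevm-origin
@@ -0,0 +1,21 @@
+#!/bin/sh
+
+## SPDX-FileCopyrightText: 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com>
+##
+## SPDX-License-Identifier: AGPL-3.0-or-later
+
+set -eu
+
+updatevm="$(qubes-prefs updatevm)"
+updatevm_class="$(qvm-prefs "${updatevm}" klass)"
+proxy_target=""
+case "${updatevm_class}" in
+StandaloneVM) proxy_target="${updatevm}";;
+AppVM) proxy_target="$(qvm-prefs "${updatevm}" template)";;
+DispVM)
+proxy_target="$(qvm-prefs "$(qvm-prefs "${updatevm}" template)" template)"
+;;
+esac
+if test -n "${proxy_target}"; then
+echo "${proxy_target}"
+fi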
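Review bot: The `case` on `updatevm_class` has no default arm, so any class it does not list (a TemplateVM used directly as updatevm, or a class added later) leaves `proxy_target` empty and the script exits 0 printing nothing, which makes the README snippet `if test -n "${proxy_target}"` silently skip the proxy installation with no hint why. Add `*) printf '%s\n' "unsupported updatevm class: ${updatevm_class}" >&2; exit 1;;` before `esac` so the caller sees that no target was reported rather than assuming there was nothing to do. If a TemplateVM can itself serve as updatevm, it presumably maps to itself as the StandaloneVM arm does, but that is inferred from the other arms and should be confirmed against the class list before adding such an arm.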
|
14
salt/sys-net/show-updatevm-origin.sls
Normal file
@ -0,0 +1,14 @@
|
||||
{#
|
||||
SPDX-FileCopyrightText: 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com>
|
||||
|
||||
SPDX-License-Identifier: AGPL-3.0-or-later
|
||||
#}
|
||||
|
||||
"{{ slsdotpath }}-get-updatevm-origin":
|
||||
file.managed:
|
||||
- name: /usr/local/bin/qusal-report-updatevm-origin
|
||||
- source: salt://{{ slsdotpath }}/files/admin/bin/qusal-report-updatevm-origin
|
||||
- mode: "0755"
|
||||
- user: root
|
||||
- group: root
|
||||
- makedirs: True
|
10
salt/sys-net/show-updatevm-origin.top
Normal file
@ -0,0 +1,10 @@
|
||||
{#
|
||||
SPDX-FileCopyrightText: 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com>
|
||||
|
||||
SPDX-License-Identifier: AGPL-3.0-or-later
|
||||
#}
|
||||
|
||||
base:
|
||||
'dom0':
|
||||
- match: nodegroup
|
||||
- sys-net.show-updatevm-origin
|