refactor: initial commit

salt/sys-ssh/files/admin/policy/default.policy

@@ -0,0 +1,9 @@
+# SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+## Do not modify this file, create a new policy with with a lower number in the
+## file name instead. For example `30-user.policy`.
+qusal.Ssh * @anyvm @default ask target={{ sls_path }} default_target={{ sls_path }}
+qusal.Ssh * @anyvm @anyvm   deny
+## vim:ft=qrexecpolicy

salt/sys-ssh/files/client/systemd/qubes-ssh-forwarder.socket

@@ -0,0 +1,15 @@
+# SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+[Unit]
+Description=Forward connection to SSH over Qrexec
+ConditionPathExists=/var/run/qubes-service/ssh-setup
+
+[Socket]
+ListenStream=127.0.0.1:840
+BindToDevice=lo
+Accept=true
+
+[Install]
+WantedBy=multi-user.target

salt/sys-ssh/files/client/systemd/qubes-ssh-forwarder@.service

@@ -0,0 +1,11 @@
+# SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+[Unit]
+Description=Forward connection to SSH over Qrexec
+
+[Service]
+ExecStart=/usr/bin/qrexec-client-vm @default qusal.Ssh
+StandardInput=socket
+StandardOutput=inherit

salt/sys-ssh/files/server/rc.local

@@ -0,0 +1,2 @@
+systemctl unmask ssh
+systemctl --no-block restart ssh

salt/sys-ssh/files/server/rpc/qusal.Ssh

@@ -0,0 +1,9 @@
+#!/bin/sh
+
+# SPDX-FileCopyrightText: 2022 unman <unman@thirdeyesecurity.com>
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+set -eu
+
+exec socat STDIO TCP:localhost:22

salt/sys-ssh/files/server/sshd_config.d/sys-ssh.conf

@@ -0,0 +1,9 @@
+# vim: ft=sshdconfig
+
+# SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+Match User user Host 127.0.0.1
+      PermitEmptyPasswords yes
+      AuthenticationMethods none