qusal/salt/sys-git
Ben Grande b52e4b1b63 fix: strict split-gpg2 service
Split-gpg V1 allowed for querying public keys, but as split-gpg2 is
running as an agent, public keys are not queried. Allowing connection to
the server to query only public parts of the key exposes the server more
than needed to the client.

All clients now have to hold the public key they need locally in order
to do GPG operations.
2023-12-28 11:47:41 +01:00
..
files fix: dom0 qrexec call target qube 2023-12-21 22:38:32 +01:00
clone.sls refactor: initial commit 2023-11-13 14:33:28 +00:00
clone.top refactor: initial commit 2023-11-13 14:33:28 +00:00
configure.sls refactor: initial commit 2023-11-13 14:33:28 +00:00
configure.top refactor: initial commit 2023-11-13 14:33:28 +00:00
create.sls fix: strict split-gpg2 service 2023-12-28 11:47:41 +01:00
create.top refactor: initial commit 2023-11-13 14:33:28 +00:00
init.top refactor: initial commit 2023-11-13 14:33:28 +00:00
install-client.sls refactor: initial commit 2023-11-13 14:33:28 +00:00
install-client.top refactor: initial commit 2023-11-13 14:33:28 +00:00
install.sls refactor: initial commit 2023-11-13 14:33:28 +00:00
install.top refactor: initial commit 2023-11-13 14:33:28 +00:00
README.md refactor: initial commit 2023-11-13 14:33:28 +00:00

sys-git

Git operations through Qrexec in Qubes OS.

Table of Contents

Description

Setup a Git server called "sys-git", an offline Git Server that can be accessed from client qubes via Qrexec. Access control via Qrexec policy can restrict access to certain repositories, set of git actions for Fetch, Push and Init. This is an implementation of split-git.

Alternatives comparison

The following alternatives will be compared against each other and this implementation:

sys-git git-remote-qubes qubes-app-split-git git-connection-between-vms
Codebase Size Small Large Large Small
Custom Protocol True True True False
Path Repository Absolute Repository Repository
Repository restriction True False True True
No hanging True True True False
Fetch True True True (only tags) True
Push True True False True
Init True False False False
Validates Git communication False False True False
Verifies tag signature False False True False

Installation

  • Top
qubesctl top.enable sys-git
qubesctl --targets=tpl-sys-git,sys-git state.apply
qubesctl top.disable sys-git
  • State
qubesctl state.apply sys-git.create
qubesctl --skip-dom0 --targets=tpl-sys-git state.apply sys-git.install
qubesctl --skip-dom0 --targets=sys-git state.apply sys-git.configure

Installation on the client template:

qubesctl --skip-dom0 --targets=tpl-dev state.apply sys-git.install-client

Access control

Default policy: any qube can ask via the @default target if you allow it to Fetch from, Push to and Init on sys-git.

Recommended usage:

  • Init: Argument useful when allowing a qube to always create a repository on the server.
  • Fetch: Fetch can be allowed by less trusted qubes.
  • Push: Push should only be made by trusted qubes.

Allow qube dev to Fetch from sys-git, but ask to Push and Init:

qusal.GitFetch * dev @default allow target=sys-git
qusal.GitPush  * dev @default ask   target=sys-git default_target=sys-git
qusal.GitInit  * dev @default ask   target=sys-git default_target=sys-git
qusal.GitFetch * dev @anyvm   deny
qusal.GitPush  * dev @anyvm   deny
qusal.GitInit  * dev @anyvm   deny

Allow qube untrusted to Fetch repo if using target name sys-git but deny Push and Init to any other qube:

qusal.GitFetch +repo untrusted sys-git ask target=sys-git default_target=sys-git
qusal.GitFetch *     untrusted @anyvm  deny
qusal.GitPush  *     untrusted @anyvm  deny
qusal.GitInit  *     untrusted @anyvm  deny

Deny Fetch, Push and Init from any qube to any other qube:

qusal.GitFetch *     @anyvm @anyvm deny
qusal.GitPush  *     @anyvm @anyvm deny
qusal.GitInit  *     @anyvm @anyvm deny

Usage

Initialize the server repository

There are a few constraints regarding repositories:

  • Must be created under /home/user/src in sys-git;
  • Names must have only letters, numbers, hyphen, underscore and dot. Must not begin or end with dot, hyphen and underscore.

In sys-git, create bare repositories under /home/user/src.

From the server:

git init --bare ~/src/X.git

You must use the .git prefix to indicate a bare repository.

Or from the client, if the qusal.GitInit policy allows:

cd ~/path/to/repo
git init-qrexec

Prepare the client

Qrexec protocol is supported with the following URL format: qrexec://<QUBE>/<REPO>, where the <QUBE> field can be a literal name or token and the <REPO> field is the name of the repository that exists on sys-git under /home/user/src.

Clone an existing repository:

git clone qrexec://@default/qubes-doc

Or Initialize a new repository:

git init qubes-doc
cd qubes-doc

Add a remote using the Qrexec protocol:

git remote add sg qrexec://@default/qubes-doc

Test fetching from the newly added remote:

git fetch sg

Make changes to the git repository as you normally would on any system.

Push to the server and set it as the default upstream:

git push -u sg main

Following pushes will be simpler:

git push

Credits