qusal/salt/dev/README.md
Ben Grande 06af125458
feat: clean dev installation
- git-send-email was implemented for a future RPC service for SMTP that
  was never created and can have some risks. As dev has no networking by
  default and the service was never created, removing it;
- git and gnupg already present in the included states;
- remove commented code; and
- move separate salt state to default installation as it only contains a
  single package that is not troublesome.
2024-07-02 12:20:47 +02:00

2.7 KiB

dev

Development environment in Qubes OS.

Table of Contents

Description

Setup a development qube named "dev". Defines the user interactive shell, installing goodies, applying dotfiles, being client of sys-pgp, sys-git and sys-ssh-agent. The qube has netvm but can reach remote servers if the policy allows.

Installation

  • Top
sudo qubesctl top.enable dev
sudo qubesctl --targets=tpl-dev,dvm-dev,dev state.apply
sudo qubesctl top.disable dev
proxy_target="$(qusal-report-updatevm-origin)"
if test -n "${proxy_target}"; then
  sudo qubesctl --skip-dom0 --targets="${proxy_target}" state.apply sys-net.install-proxy
fi
  • State
sudo qubesctl state.apply dev.create
sudo qubesctl --skip-dom0 --targets=tpl-dev state.apply dev.install
sudo qubesctl --skip-dom0 --targets=dvm-dev state.apply dev.configure-dvm
sudo qubesctl --skip-dom0 --targets=dev state.apply dev.configure
proxy_target="$(qusal-report-updatevm-origin)"
if test -n "${proxy_target}"; then
  sudo qubesctl --skip-dom0 --targets="${proxy_target}" state.apply sys-net.install-proxy
fi

If you want some Python goodies, you can install them:

sudo qubesctl --skip-dom0 --targets=tpl-dev state.apply dev.install-python-tools

The installation will make the Qusal TCP Proxy available in the updatevm (after it is restarted in case it is template based). If you want to have the proxy available on a netvm that is not deployed by Qusal, install the Qusal TCP proxy on the templates of your netvm:

sudo qubesctl --skip-dom0 --targets=TEMPLATE state.apply sys-net.install-proxy

Remember to restart the netvms after the proxy installation for the changes to take effect.

Access Control

Default policy: denies all qubes from calling qusal.ConnectTCP

Allow qube dev to connect to github.com:22 via disp-sys-net but not to any other host or via any other qube:

qusal.ConnectTCP +github.com+22 dev @default allow target=disp-sys-net
qusal.ConnectTCP *              dev @anyvm   deny

Usage

The development qube dev can be used for:

  • code development;
  • building programs;
  • signing commits, tags, pushes and verifying with split-gpg;
  • fetching and pushing to and from local qube repository with split-git; and
  • fetching and pushing to and from remote repository with split-ssh-agent and without direct network connection, you can open port to the desired SSH or HTTP server.

As the dev qube has no netvm, configure the Qrexec policy to allow or ask calls to the qusal.ConnectTCP RPC service, so the qube can communicate with a remote repository for example.