qusal/salt/sys-rsync
Ben Grande f9ead06408 fix: remove extraneous package repository updates
Updates happen multiple times, normally 2 to 3, even if we consider a
state without includes. On states with multiple includes, it could
easily get approximately 10 updates being run. This behavior leads to
unnecessary network bandwidth being spent and more time to run the
installation state. When the connection is slow and not using the
cacher, such as torified connections on Whonix, the installation can
occur much faster.

Adding external repositories has to be done prior to update to ensure it
is also fetched.

Fixes: https://github.com/ben-grande/qusal/issues/29
2024-03-18 17:51:36 +01:00
files refactor: move appended states to drop-in rc.local 2023-12-19 22:50:59 +01:00
clone.sls refactor: initial commit 2023-11-13 14:33:28 +00:00
clone.top refactor: initial commit 2023-11-13 14:33:28 +00:00
configure.sls refactor: move appended states to drop-in rc.local 2023-12-19 22:50:59 +01:00
configure.top refactor: initial commit 2023-11-13 14:33:28 +00:00
create.sls chore: copyright update 2024-01-29 16:49:54 +01:00
create.top refactor: initial commit 2023-11-13 14:33:28 +00:00
init.top refactor: initial commit 2023-11-13 14:33:28 +00:00
install-client.sls fix: remove extraneous package repository updates 2024-03-18 17:51:36 +01:00
install-client.top refactor: initial commit 2023-11-13 14:33:28 +00:00
install.sls fix: remove extraneous package repository updates 2024-03-18 17:51:36 +01:00
install.top refactor: initial commit 2023-11-13 14:33:28 +00:00
README.md doc: prefix qubesctl with sudo 2024-02-23 16:55:11 +01:00

sys-rsync

Rsync over Qrexec in Qubes OS.

Description

Creates an Rsync server qube named "sys-rsync" that serves as a central document store which other qubes can access. This is a simple tool that gives individual qubes read/write access to the store over Rsync, rather than through qvm-copy or qvm-move.

The greatest problem with SSH is that, with a large file system, it can freeze or be very slow to navigate directories (not so much over Qrexec, as the connection does not go over the network), and chroots need to be configured by the user.

Installation

  • Top:
sudo qubesctl top.enable sys-rsync
sudo qubesctl --targets=tpl-sys-rsync,sys-rsync state.apply
sudo qubesctl top.disable sys-rsync
  • State:
sudo qubesctl state.apply sys-rsync.create
sudo qubesctl --skip-dom0 --targets=tpl-sys-rsync state.apply sys-rsync.install
sudo qubesctl --skip-dom0 --targets=sys-rsync state.apply sys-rsync.configure

Install on the client template:

sudo qubesctl --skip-dom0 --targets=TEMPLATE state.apply sys-rsync.install-client

The client qube requires the Rsync forwarder service to be enabled:

qvm-features QUBE service.rsync-setup 1

Access Control

A qusal.Rsync service is created to allow use of Rsync over Qrexec. The default policy asks if you want to connect with the sys-rsync qube.

If you want to allow Rsync between qubes, add a line to your user policy file /etc/qubes/policy.d/30-user.policy that allows the service, using the following format:

qusal.Rsync * SOURCE @default allow target=TARGET

When the client can change the data on the server, it can also possibly compromise the server, or at least make it hold malicious files and propagate the malicious data to other clients it is connected to.
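Because an "allow" rule lets a client write to the store without a prompt, it is worth auditing which sources are granted unprompted access. The following is an added example, not part of qusal, that parses policy lines in the format shown above and lists the qusal.Rsync "allow" rules, flagging sources that name a whole class of qubes (@anyvm, @tag:..., @type:...) rather than a single qube; the policy text is a constructed sample.

```python
from dataclasses import dataclass

# Constructed sample of a 30-user.policy file (not taken from the repository).
SAMPLE_POLICY = """\
# Rsync over Qrexec: who may reach the sys-rsync store
qusal.Rsync * work @default allow target=sys-rsync
qusal.Rsync * personal @default ask target=sys-rsync
qusal.Rsync * @anyvm @default allow target=sys-rsync
qusal.Rsync * untrusted @anyvm deny
qubes.Filecopy * work @default allow target=vault
"""


@dataclass
class Rule:
    service: str
    argument: str
    source: str
    target: str
    action: str
    params: dict


def parse_policy(text):
    """Parse 'service argument source target action [key=value ...]' lines,
    skipping comments and blank lines."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 5:
            raise ValueError(f"malformed policy line: {raw!r}")
        params = dict(p.split("=", 1) for p in fields[5:] if "=" in p)
        rules.append(Rule(*fields[:5], params))
    return rules


def audit_rsync(rules, service="qusal.Rsync"):
    """Return (source, effective target, broad) for each unprompted allow rule.
    'broad' is True when the source is a class of qubes, not a single qube."""
    findings = []
    for r in rules:
        if r.service != service or r.action != "allow":
            continue
        effective = r.params.get("target", r.target)  # target= overrides @default
        broad = r.source == "@anyvm" or r.source.startswith(("@tag:", "@type:"))
        findings.append((r.source, effective, broad))
    return findings
```

Running audit_rsync over the sample reports "work" as a narrowly scoped grant and "@anyvm" as a broad one, while the "ask" and "deny" lines are not listed.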

Usage

Server

The default setting is to have a read/write store at /home/user/shared, and a read-only directory at /home/user/archive. All the usual Rsync configuration options are available and you can create other shared directories at will. Additional configuration can be made by editing .conf files in /usr/local/etc/rsync.d/*.conf. Because access appears to come from localhost, host control directives will not work.

If you have more than one rsync server qube, you can use bind-dirs to change the available folders on each server qube.

Client

The Rsync connection is available on the socket localhost:1839.

Rsync the server shared read/write directory:

rsync --port=1839 localhost::shared /LOCAL/PATH/TO/RSYNC

Rsync the server archive read-only directory:

rsync --port=1839 localhost::archive /LOCAL/PATH/TO/RSYNC

Credits