From 02317020d3a6365f2bdb17e3f42ca9f7d824ac1f Mon Sep 17 00:00:00 2001 From: unman Date: Sat, 30 Jul 2022 12:05:19 +0000 Subject: [PATCH] More detailed descriptions --- cacher.spec | 10 +++++----- gpg.spec | 19 +++++++++++++++---- multimedia.spec | 28 ++++++++++++++++++++++++---- print.spec | 28 +++++++++++++++++++++++++++- qubes-ssh-agent.spec | 32 +++++++++++++++++++++++++++++--- 5 files changed, 100 insertions(+), 17 deletions(-) diff --git a/cacher.spec b/cacher.spec index ab18bc2..b1f3361 100644 --- a/cacher.spec +++ b/cacher.spec @@ -9,9 +9,9 @@ SOURCE0: cacher %description This package provides a caching proxy, named cacher. A caching proxy stores downloaded packages, so that you need only download -a package once for it to be used when updating many templates. + a package once for it to be used when updating many templates. The proxy is preconfigured to work out of the box for Debian, Ubuntu, -Arch, and Fedora templates. + Arch, and Fedora templates. When you install this package your Qubes system will be altered to use the proxy by default. @@ -23,9 +23,9 @@ So that you can use https:// in your repository definitions, the entries will be changed in the templates. https:// becomes http://HTTPS/// This is so that the request to the proxy is plain text, and the proxy -will then make the request via https + will then make the request via https This change will be done automatically for every template that exists -when you install this package. + when you install this package. If you install a new template, you must make this configuration change. In dom0 run: @@ -33,7 +33,7 @@ when you install this package. replacing TEMPLATE with the name of the new template. If you want to use the standard proxy, you have to revert this change, -as well as editing the policy file. + as well as editing the policy file. In dom0 run: qubesctl --skip-dom0 --targets=TEMPLATE state.apply cacher.restore_templates replacing TEMPLATE with the name of the new template. 
diff --git a/gpg.spec b/gpg.spec index 3945ef2..af26fae 100644 --- a/gpg.spec +++ b/gpg.spec @@ -1,13 +1,24 @@ Name: 3isec-qubes-split-gpg -Version: 2.0 +Version: 2.0 Release: 1%{?dist} -Summary: Salt split-gpg template in Qubes +Summary: split-gpg in Qubes License: GPLv3+ -SOURCE0: gpg +SOURCE0: gpg %description -Salt state to implement split-gpg in Qubes + This package set up split-gpg in Qubes. + split-gpg allows you to store your pgp keys in one qube, and access them from another. + Full details are at https://www.qubes-os.org/doc/split-gpg/ + +When you install this package a template will be created, and a qube +named sys-gpg to hold the keys. +You can create more than one qube to hold keys if you want. +The system will be configured to use the sys-gpg qube by default. +This is done with an entry in /etc/qubes/policy.d/30-user.policy +If you want to change the setting for some/all qubes, edit +that file. + %install rm -rf %{buildroot} diff --git a/multimedia.spec b/multimedia.spec index 7527c25..ef1f1b7 100644 --- a/multimedia.spec +++ b/multimedia.spec 
@@ -1,13 +1,33 @@ Name: 3isec-qubes-sys-multimedia -Version: 2.1 +Version: 2.1 Release: 1%{?dist} -Summary: Salt multimedia template and qubes +Summary: creates multimedia template and qubes License: GPLv3+ -SOURCE0: multimedia +SOURCE0: multimedia %description -Salt state for multimedia template and qubes + + This package sets up qubes to work mith multimedia files in Qubes. + By default a qube named "media" is created, and configured so that any + multimedia files are opened in a named disposable called "multimedia". + This provides some measure of protection when working with untrusted files. + +The media qube is offline by default. +The multimedia disposable is offline by default. +You can change this if you wish, but be aware that this may result in +data leakage. + +The idea is that you organise and store media files in the media qube. +Opening a file in that qube will open the multimedia disposable and play +the file there. +You can also use the multimedia disposable from any other qube, or use the +disposable template to create more disposables with different settings - +perhaps online, or restricted to certain IP addresses. +Access to the multimedia file is controlled from the policy file in +/etc/qubes/policy.d/30-user.policy + + %install rm -rf %{buildroot} diff --git a/print.spec b/print.spec index f7434ff..8fa9aff 100644 --- a/print.spec +++ b/print.spec 
@@ -7,7 +7,33 @@ License: GPLv3+ SOURCE0: print %description -Salt state to implement a printer qube +This package sets up a qube called sys-print, to be used for system-wide +printing in Qubes. + +You configure sys-print to access your printer, and then print from any +other qube by accessing sys-print. +If you have a USB printer you will need to configure sys-print with +(at least) one of your USB controllers. +If you have a network printer, you should be able to set up from +sys-print, and then print from offline qubes. +You should restrict access from sys-print to the IP of the printer using +qubes firewall. + +You can create more than one qube to act as a printer qube if you want. +The system will be configured to use the sys-printer qube by default. +This is done with an entry in /etc/qubes/policy.d/30-user.policy +If you want to change the setting for some/all qubes, edit +that file. + +A specific service called qubes.Print is created. +You have to configure your qubes to use that service, and a helper script +is provided. +In dom0, run: + sudo qubesctl --skip-dom0 --targets=NAMES state.apply print.print_client + +Removing this package will NOT delete the qubes, but will remove the +entry in /etc/qubes/policy.d/30-user.policy. + %install rm -rf %{buildroot} diff --git a/qubes-ssh-agent.spec b/qubes-ssh-agent.spec index 56d62a6..f518011 100644 --- a/qubes-ssh-agent.spec +++ b/qubes-ssh-agent.spec 
@@ -1,13 +1,39 @@ Name: 3isec-qubes-sys-ssh-agent Version: 1.1 Release: 1%{?dist} -Summary: Salt a service qube to hold ssh-agents +Summary: Create a service qube to hold ssh-agents License: GPLv3+ -SOURCE0: qubes-ssh-agent +SOURCE0: qubes-ssh-agent %description -Salt state to implement a service qube to hold ssh-agents +This package sets up a qube called sys-ssh-agent, to hold ssh keys. +It is ideal for use cases where you have a number of key pairs, which +are used by different qubes. + +The keypairs are stored in the offline sys-ssh-agent server, and requests +are passed from clients to the server via qrexec. +Clients may access the same ssh-agent, or access different agents. +Access is controlled via dom0 policy file, /etc/qubes/policy.d/30-user.policy + +The client does not know the identity of the ssh-agent server, nor are +keys kept in memory in the client. +All configuration of keys, and unlocking of keys, where they are password +protected, is done in the ssh-agent server, using standard ssh-agent +controls. +Keys can be selectively allocated to different ssh-agents. +You can create multiple ssh-agents holding different combination of ssh keys. +This allow you to access different key sets from different qubes. +By default an ssh-agent called "work" is provided in sys-ssh-agent. +Helper scripts are provided to create new ssh-agents. + +You can create other qubes to hold other ssh-agents if you want, for +maximum compartmentalisation. +Simply clone sys-ssh-agent and edit the ssh-agents. + +Removing this package will NOT delete the qubes, but will remove the +entry in /etc/qubes/policy.d/30-user.policy. + %install rm -rf %{buildroot}
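Review bot: The leading space added to the continuation lines in the cacher.spec hunks ("+ a package once for it to be used ...", "+ Arch, and Fedora templates.", "+ will then make the request via https", "+ when you install this package.", "+ as well as editing the policy file.") is a regression, not a cleanup: rpm treats %description lines that start with whitespace as preformatted and does not reflow them, so the rendered description will switch between wrapped and unwrapped text in the middle of a sentence. Drop the indentation (or indent every line of the paragraph, not just the continuation) and keep the three hunks whitespace-neutral. Since the description explains that the template-to-proxy leg is plain HTTP (https:// rewritten to http://HTTPS///), it would help users to add one sentence saying that package integrity on that leg rests on the repository signatures apt/dnf/pacman already verify rather than on TLS, so they know why the rewrite is acceptable.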
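Review bot: Typo in the new %description of gpg.spec: "This package set up split-gpg in Qubes." should read "This package sets up split-gpg in Qubes.", and that line plus the two that follow it ("split-gpg allows you ...", "Full details are at ...") carry a leading space while the rest of the paragraph does not, which rpm renders as preformatted text; indent none or all of them. The description also never says what uninstalling does, whereas print.spec and qubes-ssh-agent.spec in this same patch both end with "Removing this package will NOT delete the qubes, but will remove the entry in /etc/qubes/policy.d/30-user.policy."; a matching sentence here would keep the packages consistent and tell users that sys-gpg and its keys survive removal. "-Version: 2.0 / +Version: 2.0" and "-SOURCE0: gpg / +SOURCE0: gpg" are whitespace-only changes that only add noise to the diff.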
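Review bot: Typo in the new %description of multimedia.spec: "work mith multimedia files" should be "work with multimedia files". The new Summary, "creates multimedia template and qubes", starts with a lowercase letter, which rpmlint reports as summary-not-capitalized; "Creates multimedia template and qubes" would match the capitalised Summary used in qubes-ssh-agent.spec ("Create a service qube to hold ssh-agents"). The first four description lines are indented with a leading space (preformatted in rpm) while the remaining paragraphs are not, and the "+ " lines between paragraphs carry trailing whitespace. As with gpg.spec, a closing sentence stating what removal does would bring this description in line with print.spec and qubes-ssh-agent.spec. The warning that putting the media qube or the multimedia disposable online "may result in data leakage" is the right thing to say and should stay.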
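Review bot: Name mismatch in the new %description of print.spec: the qube is introduced as sys-print ("This package sets up a qube called sys-print") but one sentence later refers to sys-printer ("The system will be configured to use the sys-printer qube by default"), so a user following the text will look for a qube that does not exist; sys-print is used everywhere else in the description, so change that line to "the sys-print qube". Also "you should be able to set up from sys-print" is missing its object ("set up the printer from sys-print"). The advice to "restrict access from sys-print to the IP of the printer using qubes firewall" is a good inclusion; stating the direction explicitly (outbound connections from sys-print limited to the printer's address) would make it clearer, since Qubes firewall rules govern the qube's outgoing traffic.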
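Review bot: Grammar in the new %description of qubes-ssh-agent.spec: "This allow you to access different key sets" should be "This allows you ...", "different combination of ssh keys" should be "different combinations of ssh keys", and "Access is controlled via dom0 policy file" reads better as "via the dom0 policy file". The text calls sys-ssh-agent "the offline sys-ssh-agent server" but does not say whether the package creates it without a netvm or whether the user must set that; since the client-side guarantees in the next paragraph (no key material in the client, client unaware of the server) are strengthened by the server being offline, the description should state which it is. The final sentence about removal ("Removing this package will NOT delete the qubes, but will remove the entry in /etc/qubes/policy.d/30-user.policy.") is the clearest of the five specs and is a good template for the gpg and multimedia descriptions.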