More detailed descriptions

unman 2022-07-30 12:05:19 +00:00
parent 20ae3c1dfd
commit 02317020d3
No known key found for this signature in database
GPG Key ID: FDD1B8244731B36C
5 changed files with 100 additions and 17 deletions

@ -9,9 +9,9 @@ SOURCE0: cacher
%description %description
This package provides a caching proxy, named cacher. This package provides a caching proxy, named cacher.
A caching proxy stores downloaded packages, so that you need only download A caching proxy stores downloaded packages, so that you need only download
a package once for it to be used when updating many templates. a package once for it to be used when updating many templates.
The proxy is preconfigured to work out of the box for Debian, Ubuntu, The proxy is preconfigured to work out of the box for Debian, Ubuntu,
Arch, and Fedora templates. Arch, and Fedora templates.
When you install this package your Qubes system will be altered to use When you install this package your Qubes system will be altered to use
the proxy by default. the proxy by default.
@ -23,9 +23,9 @@ So that you can use https:// in your repository definitions, the entries
will be changed in the templates. will be changed in the templates.
https:// becomes http://HTTPS/// https:// becomes http://HTTPS///
This is so that the request to the proxy is plain text, and the proxy This is so that the request to the proxy is plain text, and the proxy
will then make the request via https will then make the request via https
This change will be done automatically for every template that exists This change will be done automatically for every template that exists
when you install this package. when you install this package.
If you install a new template, you must make this configuration change. If you install a new template, you must make this configuration change.
In dom0 run: In dom0 run:
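Review bot: "will then make the request via https" still ends without a full stop, and the old and new text visible in this hunk is identical, so the change appears to be whitespace only. If these lines are being touched anyway, terminate that sentence so the paragraph reads cleanly in package metadata.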
@ -33,7 +33,7 @@ when you install this package.
replacing TEMPLATE with the name of the new template. replacing TEMPLATE with the name of the new template.
If you want to use the standard proxy, you have to revert this change, If you want to use the standard proxy, you have to revert this change,
as well as editing the policy file. as well as editing the policy file.
In dom0 run: In dom0 run:
qubesctl --skip-dom0 --targets=TEMPLATE state.apply cacher.restore_templates qubesctl --skip-dom0 --targets=TEMPLATE state.apply cacher.restore_templates
replacing TEMPLATE with the name of the new template. replacing TEMPLATE with the name of the new template.
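Review bot: The closing line "replacing TEMPLATE with the name of the new template." after the cacher.restore_templates command is carried over from the install instruction; when reverting, the target is whichever template should go back to the standard proxy, so "new" is misleading there. The sentence before it says "as well as editing the policy file" without naming the file. The other descriptions in this commit give the path /etc/qubes/policy.d/30-user.policy, so state the path here too if it is the same file.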

@ -1,13 +1,24 @@
Name: 3isec-qubes-split-gpg Name: 3isec-qubes-split-gpg
Version: 2.0 Version: 2.0
Release: 1%{?dist} Release: 1%{?dist}
Summary: Salt split-gpg template in Qubes Summary: split-gpg in Qubes
License: GPLv3+ License: GPLv3+
SOURCE0: gpg SOURCE0: gpg
%description %description
Salt state to implement split-gpg in Qubes This package set up split-gpg in Qubes.
split-gpg allows you to store your pgp keys in one qube, and access them from another.
Full details are at https://www.qubes-os.org/doc/split-gpg/
When you install this package a template will be created, and a qube
named sys-gpg to hold the keys.
You can create more than one qube to hold keys if you want.
The system will be configured to use the sys-gpg qube by default.
This is done with an entry in /etc/qubes/policy.d/30-user.policy
If you want to change the setting for some/all qubes, edit
that file.
%install %install
rm -rf %{buildroot} rm -rf %{buildroot}

@ -1,13 +1,33 @@
Name: 3isec-qubes-sys-multimedia Name: 3isec-qubes-sys-multimedia
Version: 2.1 Version: 2.1
Release: 1%{?dist} Release: 1%{?dist}
Summary: Salt multimedia template and qubes Summary: creates multimedia template and qubes
License: GPLv3+ License: GPLv3+
SOURCE0: multimedia SOURCE0: multimedia
%description %description
Salt state for multimedia template and qubes
This package sets up qubes to work mith multimedia files in Qubes.
By default a qube named "media" is created, and configured so that any
multimedia files are opened in a named disposable called "multimedia".
This provides some measure of protection when working with untrusted files.
The media qube is offline by default.
The multimedia disposable is offline by default.
You can change this if you wish, but be aware that this may result in
data leakage.
The idea is that you organise and store media files in the media qube.
Opening a file in that qube will open the multimedia disposable and play
the file there.
You can also use the multimedia disposable from any other qube, or use the
disposable template to create more disposables with different settings -
perhaps online, or restricted to certain IP addresses.
Access to the multimedia file is controlled from the policy file in
/etc/qubes/policy.d/30-user.policy
%install %install
rm -rf %{buildroot} rm -rf %{buildroot}

@ -7,7 +7,33 @@ License: GPLv3+
SOURCE0: print SOURCE0: print
%description %description
Salt state to implement a printer qube This package sets up a qube called sys-print, to be used for system-wide
printing in Qubes.
You configure sys-print to access your printer, and then print from any
other qube by accessing sys-print.
If you have a USB printer you will need to configure sys-print with
(at least) one of your USB controllers.
If you have a network printer, you should be able to set up from
sys-print, and then print from offline qubes.
You should restrict access from sys-print to the IP of the printer using
qubes firewall.
You can create more than one qube to act as a printer qube if you want.
The system will be configured to use the sys-printer qube by default.
This is done with an entry in /etc/qubes/policy.d/30-user.policy
If you want to change the setting for some/all qubes, edit
that file.
A specific service called qubes.Print is created.
You have to configure your qubes to use that service, and a helper script
is provided.
In dom0, run:
sudo qubesctl --skip-dom0 --targets=NAMES state.apply print.print_client
Removing this package will NOT delete the qubes, but will remove the
entry in /etc/qubes/policy.d/30-user.policy.
%install %install
rm -rf %{buildroot} rm -rf %{buildroot}

@ -1,13 +1,39 @@
Name: 3isec-qubes-sys-ssh-agent Name: 3isec-qubes-sys-ssh-agent
Version: 1.1 Version: 1.1
Release: 1%{?dist} Release: 1%{?dist}
Summary: Salt a service qube to hold ssh-agents Summary: Create a service qube to hold ssh-agents
License: GPLv3+ License: GPLv3+
SOURCE0: qubes-ssh-agent SOURCE0: qubes-ssh-agent
%description %description
Salt state to implement a service qube to hold ssh-agents This package sets up a qube called sys-ssh-agent, to hold ssh keys.
It is ideal for use cases where you have a number of key pairs, which
are used by different qubes.
The keypairs are stored in the offline sys-ssh-agent server, and requests
are passed from clients to the server via qrexec.
Clients may access the same ssh-agent, or access different agents.
Access is controlled via dom0 policy file, /etc/qubes/policy.d/30-user.policy
The client does not know the identity of the ssh-agent server, nor are
keys kept in memory in the client.
All configuration of keys, and unlocking of keys, where they are password
protected, is done in the ssh-agent server, using standard ssh-agent
controls.
Keys can be selectively allocated to different ssh-agents.
You can create multiple ssh-agents holding different combination of ssh keys.
This allow you to access different key sets from different qubes.
By default an ssh-agent called "work" is provided in sys-ssh-agent.
Helper scripts are provided to create new ssh-agents.
You can create other qubes to hold other ssh-agents if you want, for
maximum compartmentalisation.
Simply clone sys-ssh-agent and edit the ssh-agents.
Removing this package will NOT delete the qubes, but will remove the
entry in /etc/qubes/policy.d/30-user.policy.
%install %install
rm -rf %{buildroot} rm -rf %{buildroot}
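Review bot: Grammar in the added %description: "This allow you to access" should be "This allows you to access", "different combination of ssh keys" should be "different combinations", and the text uses both "key pairs" and "keypairs". "Helper scripts are provided to create new ssh-agents." does not name the scripts or say where they are run; the sys-print description gives its full qubesctl command, so do the same here. The line ending in /etc/qubes/policy.d/30-user.policy under "Access is controlled via dom0 policy file" has no full stop.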