diff --git a/cacher/README b/cacher/README index a5552f3..e0954f2 100644 --- a/cacher/README +++ b/cacher/README 
@@ -10,81 +10,23 @@ qubesctl --skip-dom0 --targets=cacher state.apply cacher.configure To automatically use the proxy run: qubesctl state.apply cacher.use -This will configure /etc/qubes/policy.d/30-user.policy to use the caching proxy be default. +This will configure /etc/qubes/policy.d/30-user.policy to use the caching proxy by default. apt-cacher-ng will cache HTTPS requests if you change https:// to http://HTTPS/// in repo source lists. -To configure the templates to use the proxy in this way, run: -qubesctl --skip-dom0 --targets=Templates state.apply cacher.change_templates.sls -Or target individual templates, as you wish. +To configure all templates to use the proxy in this way, run: +qubesctl --skip-dom0 --templates state.apply cacher.change_templates +Or target individual templates, as you wish: +qubesctl --skip-dom0 --targets=TEMPLATE1,TEMPLATE2 state.apply cacher.change_templates + N.B apt-cacher-ng works well for Debian,Ubuntu,and Arch. -It works reasonably well for Fedora, but may require tweaking of the apt-cacher-ng control file, and the fedora_mirrors lists. +It works reasonably well for Fedora, but may require further tweaking of the apt-cacher-ng control file, and the fedora_mirrors lists. -Using apt-cacher-ng as caching proxy. +To restore a template to the default state, a state is provided, restore_templates.sls. +Apply it like this: +qubesctl --skip-dom0 --targets=TEMPLATE1,TEMPLATE2 state.apply cacher.restore_templates -1. INSTALL AND CONFIGURE -apt-get install apt-cacher-ng, and mask in the template. -systemctl mask apt-cacher-ng - -Create qube and give it plenty of space. 
- -In caching qube, use bind-dirs: -binds+=( '/var/cache/apt-cacher-ng' ) -binds+=( '/var/log/apt-cacher-ng' ) -binds+=( '/etc/apt-cacher-ng' ) - -Use /rw/config/rc.local to start the apt-cacher-ng service: -systemctl unmask apt-cacher-ng -systemctl start apt-cacher-ng -/sbin/iptables -I INPUT -p tcp --dport 8082 -j ACCEPT - -Edit /etc/apt-cacher-ng/acng.conf: -Port:8082 - -Restart service. - -Set this as updateProxy in /etc/qubes-rpc/policy/qubes.UpdatesProxy - -Debian templates will use this for updates with no further configuration. +The qrexec policy file at /etc/qubes/policy.d/30-user.policy should be edited so that these templates use the default system proxy. -2. FEDORA SUPPORT for build machines. -There is a mirrors list in /usr/lib/apt-cacher-ng/ -Copy fedora_mirrors to /etc/apt-cacher-ng - -Edit /etc/apt-cacher-ng/acng.conf: -Remap-fedora: file:fedora_mirrors - -If requests fail because the file type is not allowed, create a pattern for -volatile data: -VfilePatternEx: .*metalink?repo=fedora* - - -3. TLS SUPPORT: -Two methods: -a. -Create new file in /etc/apt-cacher-ng/backends_qubes: -https://yum.qubes-os.org/ - -Edit /etc/apt-cacher-ng/acng.conf: -Remap-qubes: http://fake.qubes ; file:backends_qubes - -Then in /etc/yum/yum.repos.d, change the repository URL to -http://fake.qubes/...... - -Now the qube will use HTTP to the proxy which will use TLS to pick up the -packages and cache any responses. - -b. -Change the repository definition FROM: -https://yum.qubes-os.org/ -TO: -http://HTTPS///yum.qubes-os.org/ - -Without any other changes to the apt-cacher configuration the qube will -use HTTP to the proxy which will use TLS to pick up the packages and -cache any responses. - -This is the recommended approach. -Salt states, change_templates.sls, and restore_templates.sls, are provided to configure templates to use this scheme. diff --git a/cacher/change_templates.sls b/cacher/change_templates.sls index 3e7fae6..a6597f0 100644 
--- a/cacher/change_templates.sls +++ b/cacher/change_templates.sls @@ -10,6 +10,8 @@ - pattern: 'https://' - repl: 'http://HTTPS///' - flags: [ 'IGNORECASE', 'MULTILINE' ] + - backup: False + {% endfor %} /etc/apt/sources.list: @@ -18,6 +20,7 @@ - pattern: 'https:' - repl: 'http://HTTPS/' - flags: [ 'IGNORECASE', 'MULTILINE' ] + - backup: False {% elif grains['os_family']|lower == 'arch' %} pacman: @@ -28,21 +31,24 @@ - pattern: 'https:' - repl: 'http://HTTPS/' - flags: [ 'IGNORECASE', 'MULTILINE' ] + - backup: False {% elif grains['os_family']|lower == 'redhat' %} {% for repo in salt['file.find']('/etc/yum.repos.d/', name='*repo*') %} {{ repo }}_baseurl: file.replace: - name: {{ repo }} - - pattern: 'baseurl=https://' - - repl: 'baseurl=http://HTTPS///' + - pattern: 'baseurl(.*)https://' + - repl: 'baseurl\1http://HTTPS///' - flags: [ 'IGNORECASE', 'MULTILINE' ] + - backup: False {{ repo }}_metalink: file.replace: - name: {{ repo }} - pattern: 'metalink=https://(.*)basearch' - repl: 'metalink=http://HTTPS///\1basearch&protocol=http' - flags: [ 'IGNORECASE', 'MULTILINE' ] + - backup: False {% endfor %} {% endif %} diff --git a/cacher/restore_templates.sls b/cacher/restore_templates.sls index ef97e5e..4184ae8 100644 --- a/cacher/restore_templates.sls +++ b/cacher/restore_templates.sls @@ -11,6 +11,7 @@ - pattern: 'http://HTTPS/' - repl: 'https:' - flags: [ 'IGNORECASE', 'MULTILINE' ] + - backup: False {% endfor %} /etc/apt/sources.list: @@ -19,6 +20,7 @@ - pattern: 'http://HTTPS/' - repl: 'https:' - flags: [ 'IGNORECASE', 'MULTILINE' ] + - backup: False {% elif grains['os_family']|lower == 'arch' %} pacman: @@ -29,6 +31,7 @@ - pattern: 'http://HTTPS///' - repl: 'https://' - flags: [ 'IGNORECASE', 'MULTILINE' ] + - backup: False {% elif grains['os_family']|lower == 'redhat' %} 
@@ -36,15 +39,18 @@ {{ repo }}_baseurl: file.replace: - name: {{ repo }} - - pattern: 'http://HTTPS/' - - repl: 'https:' + - pattern: 'baseurl(.*)http://HTTPS/' + - repl: 'baseurl\1https:' - flags: [ 'IGNORECASE', 'MULTILINE' ] + - backup: False + {{ repo }}_metalink: file.replace: - name: {{ repo }} - pattern: 'metalink=http://HTTPS///(.*)basearch&protocol=http' - repl: 'metalink=https://\1basearch' - flags: [ 'IGNORECASE', 'MULTILINE' ] + - backup: False {% endfor %} {% endif %}
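Review bot: the README hunk deletes the only lines that explain what `http://HTTPS///` actually does ("the qube will use HTTP to the proxy which will use TLS to pick up the packages and cache any responses"), while the surviving sentence only says apt-cacher-ng "will cache HTTPS requests" after the rewrite. Keep one sentence stating that the template then speaks plain HTTP to the cacher qube and that TLS to the mirror is performed by the cacher, so the templates' repository signature checks (apt Release signatures, dnf gpgcheck, pacman SigLevel) become the integrity control and must stay enabled. The same hunk drops the Fedora-specific guidance (`Remap-fedora: file:fedora_mirrors` and the `VfilePatternEx` pattern for metalink requests) but still tells Fedora users the control file "may require further tweaking"; either keep those two settings or point at where cacher.configure applies them. The new closing sentence says 30-user.policy "should be edited so that these templates use the default system proxy" without saying what to change; since the text above shows cacher.use writing that file, naming the matching revert (a state or the exact line to remove) would complete the restore path.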
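Review bot: `- backup: False`, introduced in the first change_templates.sls hunk and repeated on every file.replace in both states, removes the `.bak` copies that earlier runs left beside the source lists, so restore_templates.sls is now the only rollback path. A comment at the top of the state should say so, and should note that `.bak` files left by previous versions of the state are not cleaned up.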
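Review bot: in the redhat block of change_templates.sls, `baseurl(.*)https://` is wider than it needs to be: `.*` is greedy and spans the rest of the line, so the match is anchored to the last `https://` on the line rather than to the key's value. If the intent is only to tolerate spaces around `=` (the one difference from the old `baseurl=https://`), `baseurl(\s*=\s*)https://` with repl `baseurl\1http://HTTPS///` says exactly that. The metalink state in the same hunk still hard-codes `metalink=https://`, so a repo file written as `metalink = https://` is converted by the baseurl state and skipped by the metalink one; give both patterns the same tolerance.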
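Review bot: in the last restore_templates.sls hunk, `baseurl(.*)http://HTTPS/` rebuilds `https://` by leaving the trailing `//` in place, which is a correct inverse of `baseurl(.*)https://` but carries the same greedy `(.*)`; use the identical narrowed group in both files so the two states stay exact inverses (each direction is already a no-op on converted input, since `http://HTTPS///` contains no `https://` substring and vice versa). The metalink restore matches the literal `&protocol=http` suffix, so a repo file lacking it (for example one edited by hand) is silently left as `http://HTTPS///`; a short comment that change_templates.sls and restore_templates.sls must be changed in lockstep would help the next editor.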