Salt - caching proxy - wild card restore state.

Improve rpm description

cacher.spec

@@ -1,13 +1,42 @@
 Name:           3isec-qubes-cacher
-Version:       	1.4
+Version:       	1.5
 Release:        1%{?dist}
-Summary:        Salt a caching proxy in Qubes
+Summary:        A caching proxy in Qubes
 
 License:        GPLv3+
 SOURCE0:	cacher
 
 %description
-Salt state to implement a caching proxy
+ This package provides a caching proxy, named cacher.
+ A caching proxy stores downloaded packages, so that you need only download
+a package once for it to be used when updating many templates.
+ The proxy is preconfigured to work out of the box for Debian, Ubuntu,
+Arch, and Fedora templates.
+
+When you install this package your Qubes system will be altered to use
+the proxy by default.
+This is done with an entry in /etc/qubes/policy.d/30-user.policy
+If you want to change the proxy setting for some/all templates, edit
+that file.
+
+So that you can use https:// in your repository definitions, the entries
+will be changed in the templates.
+ https:// becomes http://HTTPS///
+ This is so that the request to the proxy is plain text, and the proxy 
+will then make the request via https
+ This change will be done automatically for every template that exists
+when you install this package.
+
+ If you install a new template, you must make this configuration change. 
+ In dom0 run:
+ qubesctl --skip-dom0 --targets=TEMPLATE state.apply cacher.change_templates  
+ replacing TEMPLATE with the name of the new template. 
+
+ If you want to use the standard proxy, you have to revert this change,
+as well as editing the policy file.
+ In dom0 run:
+ qubesctl --skip-dom0 --targets=TEMPLATE state.apply cacher.restore_templates  
+ replacing TEMPLATE with the name of the new template. 
 
 %install
 rm -rf %{buildroot}
@@ -41,6 +70,8 @@ if [ $1 -eq 0 ]; then
 fi
 
 %changelog
+* Thu Jul 28 2022 unman <unman@thirdeyesecurity.org> - 1.5
+- Extended description
 * Sat May 21 2022 unman <unman@thirdeyesecurity.org> - 1.4
 - Standardise package names to 3isec-
 * Sun May 15 2022 unman <unman@thirdeyesecurity.org> - 1.3

cacher/README

@@ -1,8 +1,6 @@
 This is a caching proxy, based on apt-cacher-ng.  
-Note that it expects a netvm called "tor" - you should change this to whatever netvm you want to use.  
-Edit the netvm entry in create.sls
 
-Config files are included, which will work out of the box for Debian,Ubuntu and Fedora.  
+Config files are included, which will work out of the box for Debian,Ubuntu,Arch, and Fedora.  
 The cache and log directories are bind-mounted in /rw in the cacher qube.
 
 Copy directory to /srv/salt, then run:  
@@ -22,3 +20,71 @@ Or target individual templates, as you wish.
 N.B
 apt-cacher-ng works well for Debian,Ubuntu,and Arch.  
 It works reasonably well for Fedora, but may require tweaking of the apt-cacher-ng control file, and the fedora_mirrors lists.
+
+Using apt-cacher-ng as caching proxy.
+
+1.  INSTALL AND CONFIGURE
+apt-get install apt-cacher-ng, and mask in the template.
+systemctl mask apt-cacher-ng 
+
+Create qube and give it plenty of space.
+
+In caching qube, use bind-dirs:
+binds+=( '/var/cache/apt-cacher-ng' )
+binds+=( '/var/log/apt-cacher-ng' )
+binds+=( '/etc/apt-cacher-ng' )
+
+Use /rw/config/rc.local to start the apt-cacher-ng service:
+systemctl unmask apt-cacher-ng
+systemctl start apt-cacher-ng
+/sbin/iptables -I INPUT -p tcp --dport 8082 -j ACCEPT
+
+Edit /etc/apt-cacher-ng/acng.conf:
+Port:8082 
+
+Restart service.
+
+Set this as updateProxy in /etc/qubes-rpc/policy/qubes.UpdatesProxy
+
+Debian templates will use this for updates with no further configuration.
+
+
+2.  FEDORA SUPPORT for build machines.
+There is a mirrors list in /usr/lib/apt-cacher-ng/
+Copy fedora_mirrors to /etc/apt-cacher-ng
+
+Edit /etc/apt-cacher-ng/acng.conf:
+Remap-fedora: file:fedora_mirrors
+
+If requests fail because the file type is not allowed, create a pattern for
+volatile data:
+VfilePatternEx: .*metalink?repo=fedora*
+
+
+3.  TLS SUPPORT:
+Two methods:
+a. 
+Create new file in /etc/apt-cacher-ng/backends_qubes:
+https://yum.qubes-os.org/
+
+Edit /etc/apt-cacher-ng/acng.conf:
+Remap-qubes: http://fake.qubes ; file:backends_qubes
+
+Then in /etc/yum/yum.repos.d, change the repository URL to
+http://fake.qubes/......
+
+Now the qube will use HTTP to the proxy which will use TLS to pick up the
+packages and cache any responses.
+
+b.
+Change the repository definition FROM:
+https://yum.qubes-os.org/
+TO:
+http://HTTPS///yum.qubes-os.org/
+
+Without any other changes to the apt-cacher configuration the qube will
+use HTTP to the proxy which will use TLS to pick up the packages and
+cache any responses.
+
+This is the recommended approach.
+Salt states, change_templates.sls, and restore_templates.sls, are provided to configure templates to use this scheme.

cacher/restore_templates.sls

@@ -2,12 +2,20 @@
 #
 #
 #
+
 {% if grains['os_family']|lower == 'debian' %}
+{% for repo in salt['file.find']('/etc/apt/sources.list.d/', name='*list') %}
+  {{ repo }}_baseurl:
+      file.replace:
+        - name: {{ repo }}
+        - pattern: 'http://HTTPS/'
+        - repl: 'https:'
+        - flags: [ 'IGNORECASE', 'MULTILINE' ]
+{% endfor %}
+
   /etc/apt/sources.list:
     file.replace:
-      - names: 
-        - /etc/apt/sources.list
-        - /etc/apt/sources.list.d/qubes-r4.list
+      - name: /etc/apt/sources.list
       - pattern: 'http://HTTPS/'
       - repl: 'https:'
       - flags: [ 'IGNORECASE', 'MULTILINE' ]
@@ -18,25 +26,25 @@
       - names:
         - /etc/pacman.d/mirrorlist
         - /etc/pacman.d/99-qubes-repository-4.1.conf.disabled
+      - pattern: 'http://HTTPS///'
+      - repl: 'https://'
+      - flags: [ 'IGNORECASE', 'MULTILINE' ]
+
+
+{% elif grains['os_family']|lower == 'redhat' %}
+{% for repo in salt['file.find']('/etc/yum.repos.d/', name='*repo*') %}
+{{ repo }}_baseurl:
+    file.replace:
+      - name: {{ repo }}
       - pattern: 'http://HTTPS/'
       - repl: 'https:'
       - flags: [ 'IGNORECASE', 'MULTILINE' ]
-
-{% elif grains['os_family']|lower == 'redhat' %}
-  /etc/yum.repos.d/:
+{{ repo }}_metalink:
     file.replace:
-      - names:
-        - /etc/yum.repos.d/fedora.repo
-        - /etc/yum.repos.d/fedora-updates.repo
-        - /etc/yum.repos.d/fedora-updates-testing.repo
-        - /etc/yum.repos.d/fedora-cisco-openh264.repo
+      - name: {{ repo }}
       - pattern: 'metalink=http://HTTPS///(.*)basearch&protocol=http'
       - repl: 'metalink=https://\1basearch'
       - flags: [ 'IGNORECASE', 'MULTILINE' ]
-  /etc/yum.repos.d/qubes-r4.repo:
-      file.replace:
-        - pattern: 'http://HTTPS/'
-        - repl: 'https:'
-        - flags: [ 'IGNORECASE', 'MULTILINE' ]
 
+{% endfor %}
 {% endif %}