Move tunnelling script to common directory

This commit is contained in:
unman 2024-06-13 02:30:19 +00:00
parent 56ec5d6781
commit d1318fa767
No known key found for this signature in database
GPG Key ID: FDD1B8244731B36C
2 changed files with 15 additions and 10 deletions


@ -1,16 +1,24 @@
Name: 3isec-qubes-syncthing Name: 3isec-qubes-syncthing
Version: 1.2 Version: 1.2
Release: 1%{?dist} Release: 2%{?dist}
Summary: Syncthing in Qubes Summary: Syncthing in Qubes
License: GPLv3+ License: GPLv3+
SOURCE0: syncthing SOURCE0: syncthing
Requires: 3isec-qubes-common
%description %description
Creates a syncthing template and active syncthing qube. Creates a syncthing template and active syncthing qube.
By default the syncthing qube will be attached to sys-firewall, or sys-pihole if that qube exists. By default the syncthing qube will be attached to sys-firewall, or sys-pihole if that qube exists.
It makes no sense to run this with syncthing attached to a VPN or Tor proxy. It makes no sense to run this with syncthing attached to a VPN or Tor proxy.
This package opens up the qubes-firewall, so that the syncthing qube is accessible externally.
A qubes.Syncthing service is created, to allow use of syncthing over qrexec.
A default policy is set in /etc/qubes/policy.d/30-user.policy to deny all.
If you want to allow syncthing between qubes, insert a line at the top of the policy file to allow. E.g:
qubes.Syncthing * FROM TO allow
A script is provided in /srv/salt/3isec-common/.in.sh to allow for inbound connections.
This script opens up the qubes-firewall, so that the syncthing qube is accessible externally.
If sys-net has more than one network card the FIRST external interface will be used by default. If sys-net has more than one network card the FIRST external interface will be used by default.
(If this is incorrect, you must change it manually. In dom0: (If this is incorrect, you must change it manually. In dom0:
/srv/salt/syncthing/in.sh delete syncthing tcp 22000 -a -p /srv/salt/syncthing/in.sh delete syncthing tcp 22000 -a -p
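Review bot: the manual override instructions at the end of this hunk still point at /srv/salt/syncthing/in.sh ("/srv/salt/syncthing/in.sh delete syncthing tcp 22000 -a -p") while the new sentence above says the script now lives in /srv/salt/3isec-common/.in.sh, so one of the two paths is stale after this move; the leading dot in ".in.sh" also makes it a hidden file and looks like a typo for in.sh. Since this release's changelog says automatic configuration was dropped in favour of manual, the unchanged line "the FIRST external interface will be used by default" should say that this default only applies when the user runs the script, so nobody expects port 22000 to be reachable externally (or assumes it is not) without having run it.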
@ -19,17 +27,10 @@ If sys-net has more than one network card the FIRST external interface will be u
/srv/salt/syncthing/in.sh add syncthing udp 22000 -p /srv/salt/syncthing/in.sh add syncthing udp 22000 -p
This will let you choose the NIC.) This will let you choose the NIC.)
A qubes.Syncthing service is created, to allow use of syncthing over qrexec.
A default policy is set in /etc/qubes/policy.d/30-user.policy to deny all.
If you want to allow syncthing between qubes, insert a line at the top of the policy file to allow. E.g:
qubes.Syncthing * FROM TO allow
The package can be uninstalled using: The package can be uninstalled using:
sudo dnf remove 3isec-qubes-syncthing sudo dnf remove 3isec-qubes-syncthing
The syncthing qube will NOT be removed, but the Syncthing service on that qube will be stopped. The syncthing qube will NOT be removed, but the Syncthing service on that qube will be stopped.
The firewall rules will be reverted so the qube will not be accessible externally. N.B. If you have manually set firewall rules you must manually revert them.
N.B. If you have manually set rules you must manually revert them.
The qrexec policy will be reverted to stop Syncthing between qubes. The qrexec policy will be reverted to stop Syncthing between qubes.
The package includes qubes-rsyncthing.service. The package includes qubes-rsyncthing.service.
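Review bot: the uninstall text drops the old sentence "The firewall rules will be reverted so the qube will not be accessible externally." and keeps only the N.B. about manually set rules, which leaves it unclear whether rules added by running the provided in.sh script are reverted by `dnf remove`. If they are not, say so explicitly and give the reversal command (the `in.sh delete syncthing tcp 22000 -a -p` form shown earlier in the description), because otherwise port 22000 stays open on the external interface after the package that justified it is gone. The following sentence promises that the qrexec policy will be reverted, so the silence on the firewall side reads as an omission rather than a deliberate change.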
@ -73,6 +74,10 @@ fi
%postun %postun
%changelog %changelog
* Thu Jun 12 2024 unman <unman@thirdeyesecurity.org> - 1.2.2
- Improve script for inbound connections
- Drop automatic configuration in favor of manual.
- Move script to common files for general use
* Sat Jan 20 2024 unman <unman@thirdeyesecurity.org> - 1.2 * Sat Jan 20 2024 unman <unman@thirdeyesecurity.org> - 1.2
- Update for 4.2 - new base template, remove iptables references. - Update for 4.2 - new base template, remove iptables references.
* Mon Feb 20 2023 unman <unman@thirdeyesecurity.org> - 1.1 * Mon Feb 20 2023 unman <unman@thirdeyesecurity.org> - 1.1
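Review bot: the new changelog entry has a bogus date and a version string that does not match the header. Jun 12 2024 was a Wednesday, not a Thursday (the commit itself is dated 2024-06-13), and rpmbuild warns about a weekday/date mismatch in %changelog; and "- 1.2.2" does not correspond to Version 1.2 with Release 2 set in this same spec, where the conventional form is "- 1.2-2" (the earlier entries use plain "- 1.2" and "- 1.1", so "1.2.2" reads as a new upstream version that was never set).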