
This is a caching proxy, based on apt-cacher-ng.  

Config files are included, which will work out of the box for Debian, Ubuntu, Arch, and Fedora.  
The cache and log directories are bind-mounted in /rw in the cacher qube.

Copy directory to /srv/salt, then run:  
qubesctl state.apply cacher.create  
qubesctl --skip-dom0 --targets=template-cacher state.apply cacher.install  
qubesctl --skip-dom0 --targets=cacher state.apply cacher.configure

To automatically use the proxy run:  
qubesctl state.apply cacher.use  
This will configure /etc/qubes/policy.d/30-user.policy to use the caching proxy by default.

apt-cacher-ng will cache HTTPS requests if you change https:// to http://HTTPS/// in repo source lists.  
To configure the templates to use the proxy in this way, run:  
qubesctl --skip-dom0 --targets=Templates state.apply cacher.change_templates  
Or target individual templates, as you wish.

N.B.  
apt-cacher-ng works well for Debian, Ubuntu, and Arch.  
It works reasonably well for Fedora, but may require tweaking of the apt-cacher-ng control file, and the fedora_mirrors lists.

Using apt-cacher-ng as caching proxy.

1.  INSTALL AND CONFIGURE
In the template, install apt-cacher-ng and mask the service:
apt-get install apt-cacher-ng
systemctl mask apt-cacher-ng

Create qube and give it plenty of space.

In caching qube, use bind-dirs:
binds+=( '/var/cache/apt-cacher-ng' )
binds+=( '/var/log/apt-cacher-ng' )
binds+=( '/etc/apt-cacher-ng' )

Use /rw/config/rc.local to start the apt-cacher-ng service:
systemctl unmask apt-cacher-ng
systemctl start apt-cacher-ng
/sbin/iptables -I INPUT -p tcp --dport 8082 -j ACCEPT

Edit /etc/apt-cacher-ng/acng.conf:
Port:8082 

Restart service.

Set this qube as the update proxy in /etc/qubes-rpc/policy/qubes.UpdatesProxy

Debian templates will use this for updates with no further configuration.


2.  FEDORA SUPPORT for build machines.
There is a mirrors list in /usr/lib/apt-cacher-ng/
Copy fedora_mirrors to /etc/apt-cacher-ng

Edit /etc/apt-cacher-ng/acng.conf:
Remap-fedora: file:fedora_mirrors

If requests fail because the file type is not allowed, create a pattern for
volatile data (the pattern is a regular expression, so the literal ? must be escaped):
VfilePatternEx: .*metalink\?repo=fedora.*


3.  TLS SUPPORT:
Two methods:
a. 
Create new file in /etc/apt-cacher-ng/backends_qubes:
https://yum.qubes-os.org/

Edit /etc/apt-cacher-ng/acng.conf:
Remap-qubes: http://fake.qubes ; file:backends_qubes

Then in /etc/yum.repos.d, change the repository URL to
http://fake.qubes/......

Now the qube will use HTTP to the proxy which will use TLS to pick up the
packages and cache any responses.

b.
Change the repository definition FROM:
https://yum.qubes-os.org/
TO:
http://HTTPS///yum.qubes-os.org/

Without any other changes to the apt-cacher configuration the qube will
use HTTP to the proxy which will use TLS to pick up the packages and
cache any responses.

This is the recommended approach.
The Salt states change_templates.sls and restore_templates.sls are provided to configure templates to use this scheme.
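
As an added illustration of scheme (b), the following shell functions rewrite repo definitions to the http://HTTPS/// form and back, and count active entries that still use https://. This is not the formula's change_templates.sls or restore_templates.sls; the function names and the sample repo definitions are constructed for the example.

```shell
#!/bin/sh
# Added example, not the formula's change_templates.sls / restore_templates.sls.
# Function names are hypothetical; the sample repo definitions are constructed.

# https://host/path -> http://HTTPS///host/path, reading stdin, writing stdout.
# Idempotent: a converted URL no longer contains the lowercase "https://".
to_cacher() { sed -e 's|https://|http://HTTPS///|g'; }

# Inverse mapping, restoring direct TLS access from the template.
from_cacher() { sed -e 's|http://HTTPS///|https://|g'; }

# Print the repo definition files found under directory $1.
repo_files() {
    find "$1" -type f \( -name '*.list' -o -name '*.sources' -o -name '*.repo' \)
}

# Rewrite every repo definition under directory $1 with filter $2.
# Files are rewritten in place so ownership and mode are preserved.
convert_dir() {
    repo_files "$1" | while IFS= read -r f; do
        "$2" < "$f" > "$f.tmp" && cat "$f.tmp" > "$f" && rm -f "$f.tmp"
    done
}

# Count active (non-comment) lines under $1 that still use https:// instead
# of the http://HTTPS/// form.
count_uncached() {
    repo_files "$1" | while IFS= read -r f; do cat "$f"; done |
        grep -v '^[[:space:]]*#' | grep -c 'https://' || true
}

# Build a constructed sample tree so the functions can be tried offline.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/apt/sources.list.d" "$d/yum.repos.d"
    printf '%s\n' 'deb https://deb.debian.org/debian stable main' \
        '# deb https://example.invalid/old stable main' \
        > "$d/apt/sources.list.d/debian.list"
    printf '%s\n' '[sample-repo]' \
        'baseurl = https://yum.qubes-os.org/sample/path' \
        'gpgkey = file:///etc/pki/rpm-gpg/SAMPLE-KEY' \
        > "$d/yum.repos.d/sample.repo"
    echo "$d"
}
```

Running count_uncached on a template's repo directories after conversion shows whether any active repository was missed; from_cacher reverses the change.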