shaker/git
2024-02-07 00:33:09 +00:00
add-remote Sys-git 2022-11-16 12:09:03 +00:00
create.sls Sys-git - Update base template to debian-12-xfce for 4.2 2024-02-07 00:33:09 +00:00
create.top Sys-git 2022-11-16 12:09:03 +00:00
git-qrexec Sys-git - allow fine grained access controls in policy file 2022-11-16 12:33:55 +00:00
install_client.sls Sys-git 2022-11-16 12:09:03 +00:00
install_client.top Sys-git 2022-11-16 12:09:03 +00:00
install.sls Sys-git 2022-11-16 12:09:03 +00:00
install.top Sys-git 2022-11-16 12:09:03 +00:00
qubes.Git Sys-git 2022-11-16 12:09:03 +00:00
README.md Sys-git - allow fine grained access controls in policy file 2022-11-16 12:33:55 +00:00

This package provides a central git qube, named sys-git. By default the qube has no netvm, but you can set one if you wish.

Some configuration is needed. Repositories must be created under /home/user/repos in sys-git, and repository names must be common between sys-git and client qubes.

Setting up a new repository

sys-git

In sys-git, repositories are stored bare under /home/user/repos. First, prepare a repository:

mkdir repos/X
cd repos/X
git init --bare

Prepare client

Then prepare a qube by running:
qubesctl --skip-dom0 --targets=QUBE state.apply git.install_client

Work in the client

Configure git, as necessary.
Open a terminal in the qube:

mkdir X
cd X
git init
add-remote sg

You can then use that repository as usual, making commits. To push to sys-git, you must first set the upstream:
git push --set-upstream sg master

After making more commits, run:
git push

Working with an existing repository

Prepare client, if necessary

Prepare a qube by running:
qubesctl --skip-dom0 --targets=QUBE state.apply git.install_client

Clone the repository in the client

Configure git, as necessary.
Open a terminal in the qube:

mkdir X
cd X
git init
add-remote sg
git pull sg master

Work in the client

You can then use that repository as usual. To push to sys-git, you must first set the upstream:
git push --set-upstream sg master

After making more commits, run:
git push

Access control

Access to sys-git is governed by policy rules in /etc/qubes/policy/30-user.policy. The default rule allows access from any qube to sys-git, after a confirmation dialog:
qubes.Git * @anyvm @anyvm ask default_target=sys-git

You can control access to sys-git by qube, and restrict qubes to specific named repositories:

qubes.Git  +REPO  QUBE   @anyvm  ask default_target=sys-git
qubes.Git  *      QUBE2  @anyvm  ask default_target=sys-git  
qubes.Git  *      *     sys-git deny

These rules will allow QUBE to access the REPO repository on sys-git, but no other. QUBE2 is allowed to access any repository on sys-git.
No other qube is allowed access at all.
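
The first-match behaviour these rules rely on, as an added example that is not part of this package or of the Qubes policy parser. It is a simplified model that assumes calls are addressed to sys-git by name, treats * and @anyvm as matching anything, and denies when no rule matches; it also shows that the restriction has no effect if the default rule is left above the specific rules.

```python
# Simplified model of first-match qrexec policy evaluation (added example).
# Not the Qubes parser: only exact names, "*", "@anyvm" and +ARG are modelled.

# The restricted rules from the README, copied as written.
RESTRICTED = """\
qubes.Git  +REPO  QUBE   @anyvm  ask default_target=sys-git
qubes.Git  *      QUBE2  @anyvm  ask default_target=sys-git
qubes.Git  *      *     sys-git deny
"""
# The default rule from the README.
DEFAULT_RULE = "qubes.Git * @anyvm @anyvm ask default_target=sys-git\n"


def parse(text):
    """Split policy text into (service, arg, source, target, action, params)."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        service, arg, source, target, action, *params = line.split()
        rules.append((service, arg, source, target, action, params))
    return rules


def _match(pattern, value):
    # Assumption: "*" in any column is treated as a wildcard, like @anyvm.
    return pattern in ("*", "@anyvm") or pattern == value


def evaluate(rules, service, repo, source, target="sys-git"):
    """Return the action of the first matching rule; deny if none matches."""
    for r_service, r_arg, r_source, r_target, action, _params in rules:
        if (_match(r_service, service) and _match(r_arg, "+" + repo)
                and _match(r_source, source) and _match(r_target, target)):
            return action
    return "deny"


if __name__ == "__main__":
    # QUBE3 and OTHER are constructed names for a qube and repository
    # that no rule mentions.
    orderings = {
        "restricted rules only": RESTRICTED,
        "default rule first": DEFAULT_RULE + RESTRICTED,
        "default rule last": RESTRICTED + DEFAULT_RULE,
    }
    for label, text in orderings.items():
        print(label)
        for qube, repo in [("QUBE", "REPO"), ("QUBE", "OTHER"),
                           ("QUBE2", "OTHER"), ("QUBE3", "REPO")]:
            print(f"  {qube} -> {repo}:", evaluate(parse(text), "qubes.Git", repo, qube))
```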