refactor: prefer systemd sockets over socat

- Document preferred method for socket use depending on use case; - Fix Github web-flow key; - Standardize naming of services; - Use sys-ssh in ansible formula; - Start services conditionally with Qubes Service and evaluated by systemd ConditionPathExists= instead of installing on a per qube basis with rc.local scripts; - Change Qusal services to "qusal-" prefix instead of "qubes-" prefix. Fixes: #80 Fixes: #79
ben-grande · Jun 25, 2024 · 9c28068 · 9c28068
1 parent 3880a35
commit 9c28068
Show file tree

Hide file tree

Showing 106 changed files with 603 additions and 564 deletions.
diff --git a/docs/DESIGN.md b/docs/DESIGN.md
@@ -14,8 +14,10 @@ Qusal design document.
     * [Qube naming](#qube-naming)
     * [Qube label](#qube-label)
     * [Qube menu](#qube-menu)
+    * [Qube features](#qube-features)
   * [Qube connections](#qube-connections)
   * [Qrexec call and policy](#qrexec-call-and-policy)
+  * [Qrexec socket services](#qrexec-socket-services)
 
 ## Goal
 
@@ -167,6 +169,21 @@ building software is risky, the user trying to open a file manager on a qube
 that doesn't have one is less risky but for the user the behavior is
 unexpected.
 
+### Qube features
+
+Control daemons using Qubes Services. It is much better to control services
+this way as we can declare during the creation of qubes instead of having to
+add a state to run a script during boot to unmask and start a specific
+service. The method below is most of the times combined with `systemd.unit`
+`ConditionPathExists=` to enable the service conditionally.
+
+- Server's service name must match the syntax: `service-server` (example:
+  `rsync-server`, `syncthing-server`);
+- Client's service name must match the syntax: `service-client` (example:
+  `ssh-client`;
+- Local program's service name must match the syntax: `service` (example:
+  `docker`, `podman`.
+
 ### Qube connections
 
 There are several ways a qube can connect to another, either directly with
@@ -202,3 +219,40 @@ Xen or with Qrexec. If something is not required, we remove it.
     `qrexec-client-vm`.
 3.  Target qube for client script must default to `@default`, but other targets
     must be allowed via parameters.
+
+### Qrexec socket services
+
+Native Qrexec TCP sockets `/dev/tcp` using `qubes.ConnectTCP` are very handy
+to connect to a port of a qube. The downside of using `qubes.ConnectTCP`
+directly is the user doesn't want or need to know in which port the client
+wants to connect in the server. We will refer to Unix Domains Sockets as
+`UDS`.
+
+Using `qusal.Service`, such as `qusal.Rsync`, `qusal.Syncthing`, `qusal.Ssh`
+has the following advantages:
+
+- Usability: User recognizes the call per service name;
+- Extensibility: Allows extending functionality for arguments added in the
+  future, no need to migrate user policy from `qubes.ConnectTCP`;
+  is not necessary;
+
+Rules for server RPC service:
+
+- Symlink `qubes.ConnectTCP` to `qusal.Service` if connecting to a local port;
+- Use `qubes.ConnectTCP` directly when the user won't manage the policy for
+  the wanted call, such as `sys-syncthing-browser`, where it happens that only
+  this qube will access the admin interface of `sys-syncthing`;
+- Use `socat` to connect to remote hosts or UDS with path defined by the
+  service argument.
+
+Rules for client RPC call:
+
+- Use `systemd.socket` units, it does not require `socat`, it is not
+  restricted to the use of `qubes.ConnectTCP` called by `qvm-connect-tcp`, the
+  service can be properly logged and status verified by a service manager
+  instead of forking socat to the background with a `rc.local` script and
+  finally, can be controlled by Qubes Services to enable or disable the unit
+  with `ConditionPathExists=` instead of doing if-else statements in
+  `rc.local`;
+- Use of `socat` and `qvm-connect-tcp` is permitted for UDS and for
+  instructional use as it is very short.
diff --git a/qubesbuilder/qusal.yml b/qubesbuilder/qusal.yml
@@ -69,12 +69,10 @@ stages:
 gpg-client: gpg
 
 sign-key:
-  rpm:
-    - DF3834875B65758713D92E91A475969DE4E371E3
+  rpm: DF3834875B65758713D92E91A475969DE4E371E3
 
-#repository-publish:
-#  components: current-testing
+repository-publish:
+  components: current-testing
 
-#repository-upload-remote-host:
-#  rpm: [email protected]:/some/path
-#  deb: [email protected]:/another/path
+# repository-upload-remote-host:
+#   rpm: [email protected]:/some/path
diff --git a/rpm_spec/qusal-ansible.spec b/rpm_spec/qusal-ansible.spec
@@ -30,7 +30,9 @@ BuildArch:      noarch
 
 Requires:       qubes-mgmt-salt
 Requires:       qubes-mgmt-salt-dom0
+Requires:       qusal-dotfiles
 Requires:       qusal-ssh
+Requires:       qusal-sys-ssh
 Requires:       qusal-utils
 
 
@@ -73,8 +75,6 @@ if test "$1" = "1"; then
   ## Install
   qubesctl state.apply ansible.create
   qubesctl --skip-dom0 --targets=tpl-ansible state.apply ansible.install
-  qubesctl --skip-dom0 --targets=ansible state.apply ansible.configure,zsh.touch-zshrc
-  qubesctl --skip-dom0 --targets=ansible-minion state.apply ansible.configure-minion,zsh.touch-zshrc
 elif test "$1" = "2"; then
   ## Upgrade
   true
@@ -107,6 +107,9 @@ fi
 %dnl TODO: missing '%ghost', files generated during %post, such as Qrexec policies.
 
 %changelog
+* Tue Jun 25 2024 Ben Grande <[email protected]> - 3880a35
+- fix: ansible references legacy zsh state
+
 * Mon Jun 24 2024 Ben Grande <[email protected]> - ab1438f
 - fix: change Launchpad repository to HTTPS domain
 

diff --git a/rpm_spec/qusal-docker.spec b/rpm_spec/qusal-docker.spec
@@ -72,7 +72,6 @@ cp -rv salt/%{project} %{buildroot}/srv/salt/qusal/%{name}
 if test "$1" = "1"; then
   ## Install
   qubesctl --skip-dom0 --targets=tpl-qubes-builder state.apply docker.install
-  qubesctl --skip-dom0 --targets=qubes-builder state.apply docker.configure
 elif test "$1" = "2"; then
   ## Upgrade
   true

diff --git a/rpm_spec/qusal-sys-net.spec b/rpm_spec/qusal-sys-net.spec
@@ -114,6 +114,9 @@ fi
 %dnl TODO: missing '%ghost', files generated during %post, such as Qrexec policies.
 
 %changelog
+* Tue Jun 25 2024 Ben Grande <[email protected]> - 4facf45
+- feat: use native TCP socket with Qrexec
+
 * Fri Jun 21 2024 Ben Grande <[email protected]> - c84dfea
 - fix: generate RPM Specs for Qubes Builder V2
 

diff --git a/rpm_spec/qusal-sys-print.spec b/rpm_spec/qusal-sys-print.spec
@@ -111,6 +111,9 @@ fi
 %dnl TODO: missing '%ghost', files generated during %post, such as Qrexec policies.
 
 %changelog
+* Tue Jun 25 2024 Ben Grande <[email protected]> - 4facf45
+- feat: use native TCP socket with Qrexec
+
 * Fri Jun 21 2024 Ben Grande <[email protected]> - c84dfea
 - fix: generate RPM Specs for Qubes Builder V2
 

diff --git a/rpm_spec/qusal-sys-rsync.spec b/rpm_spec/qusal-sys-rsync.spec
@@ -114,6 +114,9 @@ fi
 %dnl TODO: missing '%ghost', files generated during %post, such as Qrexec policies.
 
 %changelog
+* Tue Jun 25 2024 Ben Grande <[email protected]> - 4facf45
+- feat: use native TCP socket with Qrexec
+
 * Fri Jun 21 2024 Ben Grande <[email protected]> - c84dfea
 - fix: generate RPM Specs for Qubes Builder V2
 

diff --git a/rpm_spec/qusal-sys-ssh.spec b/rpm_spec/qusal-sys-ssh.spec
@@ -30,7 +30,6 @@ BuildArch:      noarch
 
 Requires:       qubes-mgmt-salt
 Requires:       qubes-mgmt-salt-dom0
-Requires:       qusal-dev
 Requires:       qusal-sys-ssh-agent
 Requires:       qusal-utils
 
@@ -83,7 +82,6 @@ if test "$1" = "1"; then
   ## Install
   qubesctl state.apply sys-ssh.create
   qubesctl --skip-dom0 --targets=tpl-sys-ssh state.apply sys-ssh.install
-  qubesctl --skip-dom0 --targets=sys-ssh state.apply sys-ssh.configure
 elif test "$1" = "2"; then
   ## Upgrade
   true
@@ -116,6 +114,9 @@ fi
 %dnl TODO: missing '%ghost', files generated during %post, such as Qrexec policies.
 
 %changelog
+* Tue Jun 25 2024 Ben Grande <[email protected]> - 4facf45
+- feat: use native TCP socket with Qrexec
+
 * Mon Jun 24 2024 Ben Grande <[email protected]> - 22e2a2e
 - chore: add copyright to systemd services
 

diff --git a/rpm_spec/qusal-sys-syncthing.spec b/rpm_spec/qusal-sys-syncthing.spec
@@ -96,7 +96,6 @@ if test "$1" = "0"; then
   ## Uninstall
   qvm-port-forward -a del -q sys-syncthing -n tcp -p 22000
   qvm-port-forward -a del -q sys-syncthing -n udp -p 22000
-  qubesctl --skip-dom0 --targets=sys-syncthing state.apply sys-syncthing.cancel
   qubesctl state.apply sys-syncthing.clean
 elif test "$1" = "1"; then
   ## Upgrade
@@ -121,6 +120,9 @@ fi
 %dnl TODO: missing '%ghost', files generated during %post, such as Qrexec policies.
 
 %changelog
+* Tue Jun 25 2024 Ben Grande <[email protected]> - 4facf45
+- feat: use native TCP socket with Qrexec
+
 * Mon Jun 24 2024 Ben Grande <[email protected]> - 22e2a2e
 - chore: add copyright to systemd services
 

diff --git a/salt/ansible/README.md b/salt/ansible/README.md
@@ -26,28 +26,13 @@ sudo qubesctl top.disable ansible
 ```sh
 sudo qubesctl state.apply ansible.create
 sudo qubesctl --skip-dom0 --targets=tpl-ansible state.apply ansible.install
-sudo qubesctl --skip-dom0 --targets=ansible state.apply ansible.configure
-sudo qubesctl --skip-dom0 --targets=ansible-minion state.apply ansible.configure-minion
 ```
 <!-- pkg:end:post-install -->
 
 ## Usage
 
-Configure the control node `ansible`:
-```sh
-ssh-keygen -t ed25519 -N "" -f ~/.ssh/id_ansible
-qvm-copy ~/.ssh/id_ansible.pub
-```
-Select `ansible-minion` as the target qube for the copy operation.
-
-Configure the minion `ansible-minion`:
-```sh
-mkdir -m 0700 ~/.ssh
-cat ~/QubesIncoming/ansible/id_ansible.pub >> ~/.ssh/authorized_keys
-```
-
-From the control node `ansible`, test connection to the minion
+From the control node `ansible`, test connection to the managed node
 `ansible-minion`:
 ```sh
-ssh minion
+ssh -p 1840 [email protected]
 ```
diff --git a/salt/ansible/configure-minion.sls b/salt/ansible/configure-minion.sls
diff --git a/salt/ansible/configure-minion.top b/salt/ansible/configure-minion.top
diff --git a/salt/ansible/configure.sls b/salt/ansible/configure.sls
diff --git a/salt/ansible/configure.top b/salt/ansible/configure.top
diff --git a/salt/ansible/create.sls b/salt/ansible/create.sls
@@ -46,6 +46,8 @@ prefs:
 features:
 - set:
   - menu-items: "qubes-run-terminal.desktop qubes-start.desktop"
+- enable:
+  - service.ssh-client
 - disable:
   - service.cups
   - service.cups-browsed
@@ -73,6 +75,9 @@ prefs:
 features:
 - set:
   - menu-items: "qubes-run-terminal.desktop qubes-start.desktop"
+- enable:
+  - servicevm
+  - service.ssh-server
 - disable:
   - service.cups
   - service.cups-browsed

diff --git a/salt/ansible/files/admin/policy/default.policy b/salt/ansible/files/admin/policy/default.policy
@@ -2,5 +2,5 @@
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
 
-qubes.ConnectTCP  +22  {{ sls_path }}  @default  allow target={{ sls_path }}-minion
+qusal.Ssh  *  {{ sls_path }}  @default  allow target={{ sls_path }}-minion
 ## vim:ft=qrexecpolicy
diff --git a/salt/ansible/files/client/99-sshd-ansible.conf b/salt/ansible/files/client/99-sshd-ansible.conf
diff --git a/salt/ansible/files/client/rc.local.d/50-ansible.rc b/salt/ansible/files/client/rc.local.d/50-ansible.rc
diff --git a/salt/ansible/files/server/99-ssh-ansible.conf b/salt/ansible/files/server/99-ssh-ansible.conf
diff --git a/salt/ansible/files/server/rc.local.d/50-ansible.rc b/salt/ansible/files/server/rc.local.d/50-ansible.rc
diff --git a/salt/ansible/init.top b/salt/ansible/init.top
@@ -10,7 +10,3 @@ base:
     - ansible.create
   'tpl-ansible':
     - ansible.install
-  'ansible':
-    - ansible.configure
-  'ansible-minion':
-    - ansible.configure-minion