Commit 7cf5aeba authored by o

Merge branch 'updating' into 'master'

fixing some recent issues

See merge request !4
parents 8f078d5b 230cd3bb
data.img
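Review bot: data.img is committed as a binary in this merge, while the README in the same change tells the reader to create it on the devqube with `truncate -s 1024m data.img` and then `losetup` it; a loop-device backing file belongs in `.gitignore`, not in the repository, otherwise every clone carries the image and a later `losetup` against the checked-out copy turns a tracked file into a mutable disk.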
## Starting an ibox as qubes AppVM
# Starting an ibox as qubes AppVM
## Setting up the template
The main idea is to have:
1. An `ibox` template VM mirroring more or less a VM created by our [kickstart file](https://code.immerda.ch/immerda/ibox/stemcell/-/blob/master/http/centos8.ks).
1. An `ibox-base` AppVM which serves as "template" (not in the qubes sense) to create iboxes.
The second step is merely to avoid repeatedly downloading the ibox repository.
1. An `ibox-instance` AppVM.
First start by checking out this repository in your development VM, that we'll assume
to be called `idev`:
First start by checking out this repository in your development VM. We'll assume
it to be called `devqube`:
```
git clone git@code-ssh.immerda.ch:immerda/ibox/qubes.git ibox-qubes
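Review bot: the VM list at the top of the README still names the template `ibox` ("An `ibox` template VM mirroring ...") while the rest of this change renames it to `ibox-template` (the dom0 commands and the sentence "setting up the `ibox-template` template"); update the first list item so the three names in the list match the VMs the scripts actually create. The `idev` to `devqube` rename in this hunk should be applied in the same pass, since the `qvm-run -p idev` line further down is what readers paste into dom0.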
......@@ -18,34 +18,73 @@ To create both VMs and install centos-8, there is a [setup/dom0.sh](setup/dom0.s
You can run it in dom0 with:
```
qvm-run -p idev "cat /home/user/Documents/ibox-qubes/setup/dom0.sh" > setup-ibox.sh
qvm-run -p devqube "cat /home/user/Documents/ibox-qubes/setup/dom0.sh" > setup-ibox.sh
sh setup-ibox.sh
```
Now all the vms are created and we can start setting up the `ibox` template. Start
the VM and execute [setup/ibox.sh](setup/ibox.sh) in it, as root. It installs all
Troubleshoot: If updating centos-8-minimal fails you might have a broken template. Removing and re-installing the `qubes-template-centos-8-minimal` might help.
Now all the vms are created and we can start setting up the `ibox-template` template. Start
the VM and execute `setup/ibox-template.sh` in it, as root. It installs all
required packages and repositories.
Stop the `ibox` VM again.
Stop the `ibox-template` VM again.
Finally, you need to allow your devqube to issue commands to ibox.
To that end add the following line to `/etc/qubes-rpc/policy/qubes.VMShell`:
```
devqube ibox-instance allow
```
## Initialize ibox instance
To create an ibox as an appVM do:
```
qvm-create --label gray --template ibox-template ibox-instance
```
or to create a standalone do:
```
qvm-clone --label gray ibox-template ibox-instance
```
To initialize an `ibox-instance` do the following:
```
cat init.sh | qvm-run-vm ibox-instance "cat - > init.sh && sh init.sh"
dns=`resolvectl dns | grep Global | cut -d' ' -f2`
echo "resolvconf::nameservers: ['$dns']" | qvm-run-vm ibox-instance "cat - >> ibox/hieradata/vagrant.yaml"
```
Now, start the `ibox-base` and download the ibox repo:
You only need to do this once. All data ends up in rw volumes.
Finally on `ibox-instance`
```
git clone https://code.immerda.ch/immerda/ibox/boilerplate.git ibox
cd ibox
git submodule update --init --recursive
sudo -i /home/user/ibox/bin/local_apply.sh
```
Stop `ibox-base` again.
## Sync back changes
To sync back your changes from the ibox to your local copy of the boilerplate repo use:
Finally, you can start using your custom ibox. The easiest is, you clone it first, so you keep a clean state.
In dom0 `qvm-clone ibox-base ibox1`, then start `ibox1`.
```
./sync.sh ibox-instance /path/to/boilerplate-repo
```
## Secondary disk
Some modules need a secondary data disk. On your development qube create a block device and attach it:
```
# on devqube
truncate -s 1024m data.img
sudo losetup /dev/loop0 data.img
# on dom0
qvm-attach ibox-instance devqube:loop0
```
In `ibox1` get going with:
Modules might create huge volumes. Either use a huge disk, or reduce their size. E.g.:
```
sudo su -
hostnamectl set-hostname ibox1.local
cd /home/user/ibox
cp hieradata/vagrant.yaml.sample hieradata/vagrant.yaml
bin/local_apply.sh
ib_disks::datavgs::www::size_data: '500mb'
```
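Review bot: the `qubes.VMShell` policy line `devqube ibox-instance allow` deserves a sentence of documentation next to it: it lets devqube run arbitrary commands in ibox-instance without a prompt, which is exactly what `init.sh` (via `qvm-run-vm`) and `sync.sh` rely on, so the README should say the rule is deliberately limited to this one source/target pair rather than `$anyvm`, and that it should be removed once the instance is no longer a development target. Two smaller points in the same hunk: `sudo losetup /dev/loop0 data.img` hardcodes loop0 and fails when that device is already in use, whereas `sudo losetup --find --show data.img` picks a free device and prints its name for the `qvm-attach ibox-instance devqube:loopN` step; and `resolvectl dns | grep Global | cut -d' ' -f2` keeps only the second whitespace-separated field, i.e. at most one nameserver, so the `resolvconf::nameservers` entry written to `vagrant.yaml` drops any additional resolver the qube has configured.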
#!/bin/sh
set -e
sudo hostnamectl set-hostname `hostname -s`.local
sudo bash -c "echo 'hostnamectl set-hostname `hostname -s`.local' >> /rw/config/rc.local"
sudo chmod +x /rw/config/rc.local
sudo systemctl start NetworkManager
git clone https://code.immerda.ch/immerda/ibox/boilerplate.git ibox
cd ibox
git submodule update --init --recursive
cp hieradata/vagrant.yaml.sample hieradata/vagrant.yaml
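Review bot: in `sudo bash -c "echo 'hostnamectl set-hostname \`hostname -s\`.local' >> /rw/config/rc.local"` the backticks sit inside double quotes, so the outer shell expands them before `bash -c` runs and rc.local receives the hostname baked in at init time (`hostnamectl set-hostname ibox-instance.local`) instead of a lookup at boot; since the README tells users to clone instances, a clone keeps the original instance's name. Escape the substitution (`\$(hostname -s)`) so it is evaluated when rc.local runs. The append is also not idempotent: every re-run of init.sh adds another line, so guard it with a `grep -q` on rc.local first. Finally, the `git clone https://...boilerplate.git` has no tag or commit pin, so what `local_apply.sh` later applies as root is whatever the branch head holds at that moment; pinning a tag, or at least documenting that this is intentional for a dev qube, would help.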
sudo qubes-dom0-update --enablerepo=qubes-templates-community-testing qubes-template-centos-8-minimal
qvm-clone centos-8-minimal ibox
qvm-run -p -u root ibox 'dnf install qubes-core-agent-networking qubes-core-agent-passwordless-root'
qvm-shutdown ibox
qvm-create --label gray --template ibox ibox-base
qvm-run -p -u root centos-8-minimal 'dnf update -y && dnf swap centos-linux-repos centos-stream-repos && rpm -e --nodeps python3-docutils && dnf distro-sync -y'
qvm-shutdown centos-8-minimal
qvm-clone centos-8-minimal ibox-template
qvm-run -p -u root ibox-template 'dnf install qubes-core-agent-passwordless-root qubes-core-agent-passwordless-networking'
qvm-shutdown ibox-template
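Review bot: the two `dnf install` lines run through `qvm-run -p -u root` have no `-y` while the new `dnf update ... distro-sync -y` line does, so `sh setup-ibox.sh` stops at dnf's confirmation prompt (or aborts when stdin is not a terminal); add `-y` to both. The package name `qubes-core-agent-passwordless-networking` on the new ibox-template line looks like a merge of the two names on the line it replaces (`qubes-core-agent-networking` and `qubes-core-agent-passwordless-root`); please verify it resolves in the repo, because one unknown name fails the whole `dnf install`. Also worth stating in the README: this script modifies the shared `centos-8-minimal` template itself (`dnf update`, `dnf swap centos-linux-repos centos-stream-repos`, `rpm -e --nodeps python3-docutils`, `distro-sync`) before cloning it, and it installs that template from `qubes-templates-community-testing`, so every other qube based on centos-8-minimal inherits those changes.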
set -e
sed -i 's/^enabled=.*/enabled=1/' /etc/yum.repos.d/CentOS-Linux-PowerTools.repo /etc/yum.repos.d/CentOS-Linux-ContinousRelease.repo
cat <<-EOF > /etc/pki/rpm-gpg/RPM-GPG-KEY-puppet
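Review bot: the `sed -i` enables two repos in one command and the second filename, `CentOS-Linux-ContinousRelease.repo`, is missing a `u` compared with the stock `CentOS-Linux-ContinuousRelease.repo`; unless the template ships the file under that spelling, sed reports the missing file with a non-zero exit and, under `set -e`, the script aborts before any package is installed. Please also confirm that enabling ContinuousRelease (pre-release packages) in the template is intended and say so in a comment. For the `RPM-GPG-KEY-puppet` heredoc that follows, the key material is not visible in this hunk; a comment with the key's fingerprint and the URL it was fetched from would let a reviewer verify that the embedded key is the one Puppet publishes rather than trusting the blob as-is.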
......@@ -128,43 +130,22 @@ EOF
dnf update
dnf remove unbound-libs python3-unbound
dnf install ebtables firewalld-filesystem ipset python3-firewall
dnf download firewalld
rpm --nodeps -i firewalld*.rpm
rm firewalld*.rpm
dnf install --allowerasing man-pages mlocate vim-enhanced termite-terminfo wget which virt-what sudo puppet-agent puppet-release puppet-agent-extensions epel-release drpm tmux bash-completion rkhunter munin-node cryptsetup gpm chrony tuned dnf-automatic fail2ban fail2ban-shorewall git yum rxvt-unicode
systemctl disable firewalld
systemctl mask firewalld
dnf remove -y unbound-libs python3-unbound
dnf install -y ebtables firewalld-filesystem ipset python3-firewall
dnf install -y --allowerasing man-pages mlocate vim-enhanced termite-terminfo wget which virt-what sudo puppet-agent puppet-release puppet-agent-extensions epel-release drpm tmux bash-completion rkhunter cryptsetup gpm chrony tuned dnf-automatic git yum rxvt-unicode rsync lvm2
# for trocla
cat <<-EOF >/etc/puppetlabs/puppet/troclarc.yaml
profiles:
sysdomain_nc:
name_constraints:
- local
store: :moneta
store_options:
adapter: :YAML
adapter_options:
:file: /home/user/trocla_data.yaml
EOF
mkdir /etc/puppet
ln -s /home/user/ibox /etc/puppet/ibox
cat <<-EOF >> /etc/X11/Xresources
URxvt*background: #202020
URxvt*foreground: #ffffff
URxvt.color0 : #000000
URxvt.color8 : #555555
URxvt.color1 : #AA0000
URxvt.color9 : #FF5555
URxvt.color2 : #00AA00
URxvt.color10 : #55FF55
URxvt.color3 : #AA5500
URxvt.color11 : #FFFF55
URxvt.color4 : #0000AA
URxvt.color12 : #5555FF
URxvt.color5 : #AA00AA
URxvt.color13 : #FF55FF
URxvt.color6 : #00AAAA
URxvt.color14 : #55FFFF
URxvt.color7 : #AAAAAA
URxvt.color15 : #FFFFFF
URxvt*internalBorder: 1
URxvt*saveLines: 32767
URxvt*visualBell: false
URxvt*scrollTtyKeypress: true
URxvt*scrollWithBuffer: false
URxvt*scrollTtyOutput: false
URxvt*scrollBar: false
URxvt.perl-ext-common: default,selection-to-clipboard
EOF
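Review bot: the trocla config points the YAML store at `/home/user/trocla_data.yaml`, which will hold every password trocla generates in plaintext under the user's home on the instance; the script should create the file up front with restrictive permissions (0600) and the README should mention where the generated secrets live on the rw volume. Two more points in this hunk: the troclarc heredoc uses `<<-EOF`, which strips leading tabs, so the nesting under `profiles:` and `store_options:` must be indented with spaces or the YAML flattens into a different (or invalid) structure; and `ln -s /home/user/ibox /etc/puppet/ibox` means the manifests that `local_apply.sh` applies as root live in a user-writable directory, which is acceptable for a dev qube but should be stated explicitly.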
#!/bin/sh
set -e
rm -f /tmp/ibox.tar
qvm-run-vm $1 "tar --exclude .git -cf - ibox" > /tmp/ibox.tar
pushd /tmp > /dev/null
tar xf ibox.tar
popd > /dev/null
rsync -r /tmp/ibox/ $2
rm -rf /tmp/ibox /tmp/ibox.tar
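Review bot: `pushd`/`popd` are bash builtins but the shebang is `#!/bin/sh`, so on a dash-based `/bin/sh` the script dies at `pushd` (with `set -e`) right after writing the archive; either change the shebang to `#!/bin/bash` or use `cd /tmp && tar xf ibox.tar && cd -`. The unpack location is a fixed, predictable path in the shared `/tmp` (`/tmp/ibox.tar`, `/tmp/ibox`); create it with `mktemp -d` so a directory or symlink left by another user or an earlier run cannot redirect the extraction or the `rsync`, and since the archive is produced by another qube, extracting it into a fresh directory also limits what a malformed archive can touch. `$1` and `$2` should be quoted and the script should exit with a usage message when either is missing, because `rsync -r /tmp/ibox/` with an unintended destination is the one step here that writes outside `/tmp`.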