Commit 6cb9654a authored by o

initial

## Starting an ibox as qubes AppVM
The main idea is to have:
1. An `ibox` template VM mirroring more or less a VM created by our [kickstart file](https://code.immerda.ch/immerda/ibox/stemcell/-/blob/master/http/centos8.ks).
1. An `ibox-base` AppVM which serves as "template" (not in the qubes sense) to create iboxes.
The second step is merely to avoid repeatedly downloading the ibox repository.
First, check out this repository in your development VM, which we'll assume
is called `idev`:
```
git clone git@code-ssh.immerda.ch:immerda/ibox/qubes.git ibox-qubes
```
To create both VMs and install the CentOS 8 minimal template, there is a [setup/dom0.sh](setup/dom0.sh) script.
You can run it in dom0 with:
```
qvm-run -p idev "cat /home/user/Documents/ibox-qubes/setup/dom0.sh" > setup-ibox.sh
sh setup-ibox.sh
```
Now all the VMs are created and we can start setting up the `ibox` template. Start
the VM and execute [setup/ibox.sh](setup/ibox.sh) in it, as root. It installs all
required packages and repositories.
Stop the `ibox` VM again.
Now, start the `ibox-base` and download the ibox repo:
```
git clone https://code.immerda.ch/immerda/ibox/boilerplate.git ibox
cd ibox
git submodule update --init --recursive
```
Stop `ibox-base` again.
Finally, you can start using your custom ibox. The easiest way is to clone `ibox-base` first, so that it stays in a clean state.
In dom0 `qvm-clone ibox-base ibox1`, then start `ibox1`.
In `ibox1` get going with:
```
sudo su -
hostnamectl set-hostname ibox1.local
cd /home/user/ibox
cp hieradata/vagrant.yaml.sample hieradata/vagrant.yaml
bin/local_apply.sh
```
```sh
#!/bin/sh
# setup/dom0.sh: run in dom0. Installs the CentOS 8 minimal template from the
# community-testing repo, clones it into the `ibox` template and creates the
# `ibox-base` AppVM on top of it.
sudo qubes-dom0-update --enablerepo=qubes-templates-community-testing qubes-template-centos-8-minimal
qvm-clone centos-8-minimal ibox
# -p passes stdin/stdout through, so dnf's confirmation prompt can be answered.
qvm-run -p -u root ibox 'dnf install qubes-core-agent-networking qubes-core-agent-passwordless-root'
qvm-shutdown ibox
qvm-create --label gray --template ibox ibox-base
```
```sh
#!/bin/sh
# setup/ibox.sh: run as root inside the `ibox` template. Enables the extra
# CentOS repos, adds the puppet and glei repos with their signing keys,
# installs the base package set and wires /etc/puppet/ibox to the checkout.
sed -i 's/^enabled=.*/enabled=1/' /etc/yum.repos.d/CentOS-PowerTools.repo /etc/yum.repos.d/CentOS-CR.repo
# Signing key for the puppet repo (gpgcheck=1 below verifies packages against it).
cat <<-EOF > /etc/pki/rpm-gpg/RPM-GPG-KEY-puppet
-----BEGIN PGP PUBLIC KEY BLOCK-----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=HpaX
-----END PGP PUBLIC KEY BLOCK-----
EOF
cat <<-EOF > /etc/yum.repos.d/puppet.repo
[puppet]
name=CentOS-\$releasever - puppet
baseurl=https://yum.puppetlabs.com/puppet/el/\$releasever/\$basearch/
enabled=1
gpgcheck=1
priority=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-puppet
timeout=10
metadata_expire=300
EOF
# Signing key for the glei repo.
cat <<-EOF > /etc/pki/rpm-gpg/RPM-GPG-KEY-glei
-----BEGIN PGP PUBLIC KEY BLOCK-----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=cl45
-----END PGP PUBLIC KEY BLOCK-----
EOF
# Note: this baseurl is plain http. gpgcheck=1 still verifies every package
# signature, but the repodata itself is not signature-checked unless
# repo_gpgcheck=1 is set as well.
cat <<-EOF > /etc/yum.repos.d/glei.repo
[glei]
name=CentOS-\$releasever - glei
baseurl=http://yum.glei.ch/el\$releasever/\$basearch/
enabled=1
gpgcheck=1
priority=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-glei
timeout=10
metadata_expire=300
EOF
dnf update
dnf remove unbound-libs python3-unbound
# Install firewalld's dependencies explicitly, then the package itself with
# --nodeps; it is only present to satisfy dependencies and is masked below.
dnf install ebtables firewalld-filesystem ipset python3-firewall
dnf download firewalld
rpm --nodeps -i firewalld*.rpm
rm firewalld*.rpm
dnf install --allowerasing man-pages mlocate vim-enhanced termite-terminfo wget which virt-what sudo puppet-agent puppet-release puppet-agent-extensions epel-release drpm tmux bash-completion rkhunter munin-node cryptsetup gpm chrony tuned dnf-automatic fail2ban fail2ban-shorewall git yum rxvt-unicode
systemctl disable firewalld
systemctl mask firewalld
# Point puppet at the ibox checkout living in the AppVM's home directory.
mkdir /etc/puppet
ln -s /home/user/ibox /etc/puppet/ibox
# Terminal colours and settings for urxvt.
cat <<-EOF >> /etc/X11/Xresources
URxvt*background: #202020
URxvt*foreground: #ffffff
URxvt.color0 : #000000
URxvt.color8 : #555555
URxvt.color1 : #AA0000
URxvt.color9 : #FF5555
URxvt.color2 : #00AA00
URxvt.color10 : #55FF55
URxvt.color3 : #AA5500
URxvt.color11 : #FFFF55
URxvt.color4 : #0000AA
URxvt.color12 : #5555FF
URxvt.color5 : #AA00AA
URxvt.color13 : #FF55FF
URxvt.color6 : #00AAAA
URxvt.color14 : #55FFFF
URxvt.color7 : #AAAAAA
URxvt.color15 : #FFFFFF
URxvt*internalBorder: 1
URxvt*saveLines: 32767
URxvt*visualBell: false
URxvt*scrollTtyKeypress: true
URxvt*scrollWithBuffer: false
URxvt*scrollTtyOutput: false
URxvt*scrollBar: false
URxvt.perl-ext-common: default,selection-to-clipboard
EOF
```
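The template setup above writes third-party repo files by hand, which makes it easy to lose a `gpgcheck=1` or point `gpgkey` at a key file that was never written. The following is an added example, not code from the ibox repository: a small POSIX sh audit that parses every `[section]` of a `.repo` file, fails if `gpgcheck` is not `1` or the `file://` key does not exist, and warns on a plain `http://` baseurl (as in the glei repo above), since package signatures are checked but the repodata is not unless `repo_gpgcheck=1` is set. The two sample repo files and the key file are constructed inline so it runs offline; the `example.invalid` URLs are placeholders.

```sh
#!/bin/sh
# Added example (not part of the ibox repo): audit .repo files written by a
# template setup script. Every section must have gpgcheck=1 and an existing
# gpgkey=file:// path; plaintext http:// baseurls are reported as warnings.

# Print one line per section of a .repo file:
#   <section> <gpgcheck> <gpgkey> <baseurl>    ("-" where a key is absent)
repo_sections() {
    awk '
        function flush() {
            if (sec != "") printf "%s %s %s %s\n", sec, (gc == "" ? "-" : gc), (gk == "" ? "-" : gk), (bu == "" ? "-" : bu)
        }
        /^\[.*\]$/   { flush(); sec = substr($0, 2, length($0) - 2); gc = gk = bu = ""; next }
        /^gpgcheck=/ { gc = substr($0, 10) }
        /^gpgkey=/   { gk = substr($0, 8) }
        /^baseurl=/  { bu = substr($0, 9) }
        END          { flush() }
    ' "$1"
}

# check_repo_file FILE
# Returns 0 when every section passes, 1 otherwise; prints one FAIL/WARN
# line per finding. A temp file is used so the loop is not in a subshell.
check_repo_file() {
    rc=0
    tmp=$(mktemp)
    repo_sections "$1" > "$tmp"
    while read -r sec gc gk bu; do
        if [ "$gc" != "1" ]; then
            echo "FAIL $1 [$sec]: gpgcheck=$gc, expected 1"
            rc=1
        fi
        case "$gk" in
            file://*)
                keypath=${gk#file://}
                if [ ! -f "$keypath" ]; then
                    echo "FAIL $1 [$sec]: gpgkey $keypath does not exist"
                    rc=1
                fi ;;
            *)
                echo "FAIL $1 [$sec]: gpgkey should be a local file:// path, got $gk"
                rc=1 ;;
        esac
        case "$bu" in
            http://*) echo "WARN $1 [$sec]: plaintext baseurl $bu; set repo_gpgcheck=1 or use https" ;;
        esac
    done < "$tmp"
    rm -f "$tmp"
    return $rc
}

# Constructed sample repo files for an offline demonstration (not real repos).
demo_dir=$(mktemp -d)
printf 'not a real key\n' > "$demo_dir/RPM-GPG-KEY-demo"
cat > "$demo_dir/good.repo" <<EOF
[good]
name=good
baseurl=https://example.invalid/el8/x86_64/
enabled=1
gpgcheck=1
gpgkey=file://$demo_dir/RPM-GPG-KEY-demo
EOF
cat > "$demo_dir/bad.repo" <<EOF
[nocheck]
name=nocheck
baseurl=http://example.invalid/el8/x86_64/
enabled=1
gpgcheck=0
gpgkey=file://$demo_dir/RPM-GPG-KEY-missing
EOF

check_repo_file "$demo_dir/good.repo" && echo "good.repo: OK"
check_repo_file "$demo_dir/bad.repo" || echo "bad.repo: rejected"
```

Run it against `/etc/yum.repos.d/*.repo` in the template after `setup/ibox.sh` has finished (for example `for f in /etc/yum.repos.d/*.repo; do check_repo_file "$f"; done`); a non-zero exit from any file means the template would install packages without signature verification.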