Verified Commit 1bcb106d authored by Clark

Adding qvm-tags to facilitate policies

parent 5723144b
......@@ -688,6 +688,8 @@ On =dom0=, update =/etc/qubes-rpc/policy/qubes.SshAgent= file so that it contain
bytecache-dev bytecache-ssh-vault ask,default_target=bytecache-ssh-vault
#+END_SRC
If many such AppVMs require the same policy, it can be helpful to apply tags to the AppVMs from =dom0= (e.g., using =qvm-tags bytecache-dev add bytecache=). In such case, the =qubes.SshAgent= policy should include =@tag:bytecache bytecache-ssh-vault ask,default_target=bytecache-ssh-vault=, which will apply the policy to add AppVMs with the =bytecache= tag.
Now from =bytecache-dev=, perform the following steps.
#+BEGIN_SRC sh
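Review bot: the added sentence has two wording slips to fix before merge: "In such case" should read "In such a case", and "apply the policy to add AppVMs with the =bytecache= tag" should read "all AppVMs". Since the instruction above this hunk says the =qubes.SshAgent= file should contain only the =bytecache-dev= line, it would also help to state whether the =@tag:bytecache bytecache-ssh-vault ask,default_target=bytecache-ssh-vault= rule replaces that per-VM line or is added alongside it, so a reader ends up with one unambiguous policy file.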
......@@ -714,7 +716,7 @@ fi
EOT'
#+END_SRC
Then restart =bytecache-ssh-vault= and =bytecache-dev=. I repeat these steps for each set of SSH keys, and AppVM users (e.g., for work).
Then restart =bytecache-ssh-vault= and =bytecache-dev=. Test the policies by listing the keys in the vault using =ssh-add -L= from the AppVM. I repeat these steps for each set of SSH keys, and AppVM users (e.g., for work).
* Split GPG
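Review bot: the new test step should say what a successful run looks like: with the =ask= rule, running =ssh-add -L= in =bytecache-dev= should first raise the dom0 prompt to allow access to =bytecache-ssh-vault= and only then print the public keys, so a listing that appears without the prompt means the policy is not the one being exercised. Also, "for each set of SSH keys, and AppVM users" is carried over from the removed line and reads awkwardly; "for each set of SSH keys and AppVM users" is cleaner.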
......@@ -780,6 +782,8 @@ On =dom0=, update =/etc/qubes-rpc/policy/qubes.Gpg= file so that it contains onl
bytecache-dev bytecache-gpg-vault ask,default_target=bytecache-gpg-vault
#+END_SRC
If many such AppVMs require the same policy, it can be helpful to apply tags to the AppVMs from =dom0= (e.g., using =qvm-tags bytecache-dev add bytecache=). In such case, the =qubes.Gpg= policy should include =@tag:bytecache bytecache-gpg-vault ask,default_target=bytecache-ssh-vault=, which will apply the policy to add AppVMs with the =bytecache= tag.
Restart =bytecache-gpg-vault= and =bytecache-dev=.
After restarting, test the split GPG vault by exporting the public key, which can then be provided to Gitlab (or Github), replacing the pub-key ID below with your own.
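Review bot: the added =qubes.Gpg= policy line sets =default_target=bytecache-ssh-vault= while the rule's target is =bytecache-gpg-vault=; this looks copied from the SSH section and should read =@tag:bytecache bytecache-gpg-vault ask,default_target=bytecache-gpg-vault= so the dom0 prompt defaults to the GPG vault rather than the SSH one. The same wording slips as in the SSH hunk apply here ("In such a case", "all AppVMs").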