Commit 3a8b97b6 authored by Clark's avatar Clark

Starting to add split GPG, untested

parent 3bd35496
......@@ -132,36 +132,36 @@ entity dom0 {
}
entity "default-mgmt-dvm" as default_mgmt_dvm {
{static} TemplateVM <fed30>
{static} TemplateVM <fed30>
{static} NetVM <none>
}
rectangle << NetVMs >> {
entity "sys-net" as sys_net {
{static} TemplateVM <fed30>
{static} TemplateVM <fed30>
{static} NetVM <none>
}
entity "sys-firewall" as sys_firewall {
{static} TemplateVM <fed30>
{static} TemplateVM <fed30>
{static} NetVM <sys-net>
}
entity "sys-vpn" as sys_vpn {
{static} TemplateVM < ??? >
{static} TemplateVM < ??? >
{static} NetVM <sys-firewall>
}
entity "sys-whonix" as sys_whonix {
{static} TemplateVM <who15-gw>
{static} TemplateVM <who15-gw>
{static} NetVM <sys-firewall>
}
}
entity "sys-usb" as sys_usb {
{static} TemplateVM <fed30>
{static} TemplateVM <fed30>
{static} NetVM <none>
}
......@@ -198,22 +198,22 @@ class "bytecache-social" as bytecache_social {
}
class "bytecache-gpg-vault" as bytecache_gpg_vault {
{static} TemplateVM < ??? >
{static} TemplateVM <fed30-gpg-vault>
{static} NetVM <none>
}
class "bytecache-ssh-vault" as bytecache_ssh_vault {
{static} TemplateVM <fed30-ssh-vault>
{static} TemplateVM <fed30-ssh-vault>
{static} NetVM <none>
}
class "anon-whonix" as anon_whonix {
{static} TemplateVM <who15-ws>
{static} TemplateVM <who15-ws>
{static} NetVM <sys-vpn>
}
enum "ubu18-ws-dvm" as ubuntu_ws_dvm {
{static} TemplateVM <ubu18-ws>
{static} TemplateVM <ubu18-ws>
{static} NetVM <sys-whonix>
{method} +[[https://blog.bytecache.io/Self-hosted/Workstation.html#emacs Emacs]]
{method} +[[https://blog.bytecache.io/Self-hosted/Workstation.html#ethereum Ethereum]]
......@@ -226,7 +226,7 @@ enum "ubu18-ws-dvm" as ubuntu_ws_dvm {
}
enum "deb10-ws-dvm" as debian_ws_dvm {
{static} TemplateVM <deb10-ws>
{static} TemplateVM <deb10-ws>
{static} NetVM <sys-whonix>
{method} +[[https://blog.bytecache.io/Self-hosted/Workstation.html#emacs Emacs]]
{method} +[[https://blog.bytecache.io/Self-hosted/Workstation.html#rust Rust]]
......@@ -237,8 +237,8 @@ enum "deb10-ws-dvm" as debian_ws_dvm {
{method} +[[https://blog.bytecache.io/Self-hosted/Workstation.html#libreoffice LibreOffice]]
}
enum "fed30-dvm" as fedora_dvm {
{static} TemplateVM <fed30>
enum "fed30-dvm" as fedora_dvm {
{static} TemplateVM <fed30>
{static} NetVM <sys-whonix>
}
......@@ -304,22 +304,22 @@ class "work-social" as work_social {
}
class "work-gpg-vault" as work_gpg_vault {
{static} TemplateVM < ??? >
{static} TemplateVM <fed30-gpg-vault>
{static} NetVM <none>
}
class "work-ssh-vault" as work_ssh_vault {
{static} TemplateVM <fed30-ssh-vault>
{static} TemplateVM <fed30-ssh-vault>
{static} NetVM <none>
}
class "backup-vault" as backup_vault {
{static} TemplateVM <fed30>
{static} TemplateVM <fed30>
{static} NetVM <none>
}
class "pw-vault" as pw_vault {
{static} TemplateVM <fed30>
{static} TemplateVM <fed30>
{static} NetVM <none>
}
......@@ -335,7 +335,7 @@ rectangle << Debian >> {
interface "debian-10" as debian
abstract "deb10-ws" as debian_ws {
abstract "deb10-ws" as debian_ws {
{method} +[[https://blog.bytecache.io/Self-hosted/Workstation.html#emacs Emacs]]
{method} +[[https://blog.bytecache.io/Self-hosted/Workstation.html#rust Rust]]
{method} +[[https://blog.bytecache.io/Self-hosted/Workstation.html#python-3 Python3]]
......@@ -343,6 +343,7 @@ abstract "deb10-ws" as debian_ws {
{method} +[[https://blog.bytecache.io/Self-hosted/Workstation.html#gdb GDB]]
{method} +[[https://blog.bytecache.io/Self-hosted/Workstation.html#radare-2 Radare 2]]
{method} +[[https://blog.bytecache.io/Self-hosted/Workstation.html#libreoffice LibreOffice]]
{method} -nmap
}
abstract "deb10-email" as debian_email {
......@@ -374,6 +375,7 @@ abstract "ubu18-ws" as ubuntu_ws {
{method} +[[https://blog.bytecache.io/Self-hosted/Workstation.html#gdb GDB]]
{method} +[[https://blog.bytecache.io/Self-hosted/Workstation.html#radare-2 Radare 2]]
{method} +[[https://blog.bytecache.io/Self-hosted/Workstation.html#libreoffice LibreOffice]]
{method} -nmap
}
}
......@@ -392,6 +394,11 @@ interface "fedora-30" as fedora
abstract "fed30-ssh-vault" as fedora_ssh_vault {
{field} qubes-rpc qubes.SshAgent
{method} -nmap
}
abstract "fed30-gpg-vault" as fedora_gpg_vault {
{method} -qubes-gpg-split
}
}
......@@ -422,11 +429,12 @@ debian <.. debian_email
debian <.. debian_social
fedora <.. fedora_ssh_vault
fedora <.. fedora_gpg_vault
ubuntu <.. ubuntu_ws
#+end_src
#+RESULTS[84c02af19b5b3641f9f85abaedce28e45200de11]:
#+RESULTS[c2567d1ef280c0f150b6e389f16da7f334cf0aa0]:
[[file:img/Qubes-VM-architecture.svg]]
* TODO Custom VMs
......@@ -435,7 +443,7 @@ Creating custom virtual machines for QubesOS for Ubuntu and Windows.
** TODO Ubuntu
Recreate this guide (and rebuild default template):
Recreate this guide (and rebuild default template):
https://blockforums.org/topic/310-guide-to-installing-qbuntu-ubuntu-1804-bionic-templatevm-in-qubes-402-rc1-more-screenshots/
** Windows VM
......@@ -514,7 +522,7 @@ Test the VPN service initializes using =sudo openvpn --config /etc/openvpn/local
Verify the service status using =sudo systemctl status openvpn@local_profile= and checking one's public IP using =wget --secure-protocol=PFS --https-only -qO- checkip.dyndns.org=.
* TODO Setup Split SSH
* Split SSH
In Qubes OS, ssh keypairs can be split between the =private key location= (an offline AppVM) and users (any other AppVM, such as a development VM). I have a separate /ssh-vault/ for each ssh keypair. In this section I demonstrate setting up split ssh for my ByteCache development VM, =bytecache-dev=.
......@@ -522,7 +530,7 @@ First, clone the latest Fedora TemplateVM, naming it /fed30-ssh-vault/. Temporar
#+BEGIN_SRC sh
sudo dnf install nmap-ncat -y && \
bash -c 'cat <<EOT >> ~/etc/qubes-rpc/qubes.SshAgent
bash -c 'cat <<EOT >> /etc/qubes-rpc/qubes.SshAgent
#!/bin/sh
notify-send "[`qubesdb-read /name`] SSH agent access from: $QREXEC_REMOTE_DOMAIN"
ncat -U $SSH_AUTH_SOCK'
......@@ -534,22 +542,25 @@ On the =bytecache-ssh-vault= AppVM, create an ssh-key, and update the config. Al
#+BEGIN_SRC sh
ssh-keygen -t ed25519 -C "sentry@bytecache.io" -f "$HOME"/.ssh/id_rsa -N '' && \
ssh-add && \
bash -c 'cat <<EOT >> ~/.ssh/config
VisualHostKey=yes
LogLevel=VERBOSE
EOT' && \
bash -c 'cat <<EOT >> ~user/.config/autostart/ssh-add.desktop
mkdir ~user/.config/autostart && \
bash -c 'cat <<EOT >> ~user/.config/autostart/ssh-add.desktop
[Desktop Entry]
Name=ssh-add
Exec=ssh-add
Type=Application'
Type=Application
EOT'
#+END_SRC
On =dom0=, add a policy for the ssh agent.
#+BEGIN_SRC sh
echo "bytecache-dev bytecache-ssh-vault ask" > /etc/qubes-rpc/policy/qubes.SshAgent
echo "bytecache-dev bytecache-ssh-vault ask,default_target=bytecache-ssh-vault" > /etc/qubes-rpc/policy/qubes.SshAgent
#+END_SRC
Now from =bytecache-dev=, perform the following steps.
......@@ -561,24 +572,46 @@ sudo bash -c 'cat <<EOT >> /rw/config/rc.local
SSH_VAULT_VM="bytecache-ssh-vault"
if [ "\$SSH_VAULT_VM" != "" ]; then
export SSH_SOCK=/home/user/.SSH_AGENT_\$SSH_VAULT_VM
rm -f "\$SSH_SOCK"
sudo -u user /bin/sh -c "umask 177 && ncat -k -l -U '"'"'\$SSH_SOCK'"'"' -c '"'"'qrexec-client-vm \$SSH_VAULT_VM qubes.SshAgent'"'"' &"
export SSH_SOCK=/home/user/.SSH_AGENT_\$SSH_VAULT_VM
rm -f "\$SSH_SOCK"
sudo -u user /bin/sh -c "umask 177 && ncat -k -l -U '"'"'\$SSH_SOCK'"'"' -c '"'"'qrexec-client-vm \$SSH_VAULT_VM qubes.SshAgent'"'"' &"
fi
EOT' && \
sudo bash -c 'cat <<EOT >> ~/.bashrc
sudo bash -c 'cat <<EOT >> ~/.bashrc
# For split SSH
SSH_VAULT_VM="bytecache-ssh-vault"
if [ "\$SSH_VAULT_VM" != "" ]; then
export SSH_AUTH_SOCK=~user/.SSH_AGENT_\$SSH_VAULT_VM
export SSH_AUTH_SOCK=~user/.SSH_AGENT_\$SSH_VAULT_VM
fi
EOT'
#+END_SRC
Then restart =bytecache-dev=.
Then restart =bytecache-ssh-vault= and =bytecache-dev=. I repeat these steps for each set of SSH keys, and AppVM users (e.g., for work).
* TODO Split GPG
Split GPG is /officially/ supported by Qubes OS, so the implementation is more automated. Again, I setup separate domains for each set of GPG key.
Start by installing the =qubes-gpg-split= package on =dom0=.
#+BEGIN_SRC sh
sudo qubes-dom0-update qubes-gpg-split-dom0
#+END_SRC
Create a new template, =fed30-gpg-vault=, a clone from the =fedora-30= template. Then install gpg-split there as well.
#+BEGIN_SRC sh
sudo dnf install qubes-gpg-split
#+END_SRC
Create a new AppVM, =bytecache-gpg-vault= from the =fed30-gpg-vault= template to store the private keys, then create them.
#+BEGIN_SRC sh
...
#+END_SRC
* TODO Install software
** TODO Wazuh Agent - Endpoint Security
......@@ -662,7 +695,7 @@ sudo add-apt-repository -y ppa:kelleyk/emacs && \
sudo apt update && sudo apt install -y emacs26
#+END_SRC
** LibreOffice
** LibreOffice
Install LibreOffice on Debian.
......@@ -707,18 +740,18 @@ First install =node.js= and =npm=.
#+BEGIN_SRC sh
cd /tmp && \
sudo apt install -y curl && \
curl -sL https://deb.nodesource.com/setup_10.x -o nodesource_setup.sh && \
sudo bash nodesource_setup.sh && \
sudo apt install nodejs
sudo apt install -y curl && \
curl -sL https://deb.nodesource.com/setup_10.x -o nodesource_setup.sh && \
sudo bash nodesource_setup.sh && \
sudo apt install nodejs
#+END_SRC
Install the =Solidity= compiler and =Geth=.
#+BEGIN_SRC sh
sudo add-apt-repository -y ppa:ethereum/ethereum && \
sudo apt update && \
sudo apt install -y solc ethereum
sudo apt update && \
sudo apt install -y solc ethereum
#+END_SRC
Finally, install =Truffle=, =Ganache=, and the =Solium= linter.
......@@ -764,9 +797,9 @@ Install Zoom on Fedora.
#+BEGIN_SRC sh
sudo dnf install -y ibus-m17n libXScrnSaver && \
cd /tmp && \
wget --https-only --secure-protocol=PFS https://zoom.us/client/latest/zoom_x86_64.rpm && \
sudo dnf localinstall -y zoom_x86_64.rpm
cd /tmp && \
wget --https-only --secure-protocol=PFS https://zoom.us/client/latest/zoom_x86_64.rpm && \
sudo dnf localinstall -y zoom_x86_64.rpm
#+END_SRC
** Element
......@@ -787,8 +820,8 @@ Install Slack on Fedora.
#+BEGIN_SRC sh
cd /tmp && \
wget --https-only --secure-protocol=PFS https://downloads.slack-edge.com/linux_releases/slack-4.11.3-0.1.fc21.x86_64.rpm && \
sudo dnf localinstall -y slack-4.11.3-0.1.fc21.x86_64.rpm
wget --https-only --secure-protocol=PFS https://downloads.slack-edge.com/linux_releases/slack-4.11.3-0.1.fc21.x86_64.rpm && \
sudo dnf localinstall -y slack-4.11.3-0.1.fc21.x86_64.rpm
#+END_SRC
** TODO Cell Phone Utilities
......@@ -801,4 +834,3 @@ cd ~/ && \
sudo unzip platform-tools-latest-linux.zip -d /etc/ && rm platform-tools-latest-linux.zip && \
export PATH="/etc/platform-tools:$PATH"
#+END_SRC
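Review bot: The corrected path on `bash -c 'cat <<EOT >> /etc/qubes-rpc/qubes.SshAgent` still has two defects in the same line: there is no `sudo`, although the preceding `sudo dnf install nmap-ncat -y` shows the session is unprivileged, so the write under /etc should fail, and the unquoted `EOT` delimiter makes the inner bash expand `$QREXEC_REMOTE_DOMAIN`, `$SSH_AUTH_SOCK` and the `qubesdb-read` backticks at install time rather than when the RPC service is invoked, leaving the installed script with `ncat -U` and an empty socket path. Writing the script as root with a quoted delimiter avoids both, e.g. `sudo tee -a /etc/qubes-rpc/qubes.SshAgent <<'EOT'` in place of the `bash -c` line, with a terminating `EOT` line; as the hunk stands it ends at `ncat -U $SSH_AUTH_SOCK'` with no `EOT`, the same unterminated-heredoc problem this commit fixes for ssh-add.desktop. Separately, the dom0 policy line `echo "bytecache-dev bytecache-ssh-vault ask,default_target=bytecache-ssh-vault" > /etc/qubes-rpc/policy/qubes.SshAgent` truncates any existing policy for that service, so it is worth stating that the file is meant to be replaced and adding an explicit closing `$anyvm $anyvm deny` line so the default is visible in the file rather than implied.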