my qubes network setup
there is choice, indeed!
mood: good enough
i've previously talked about qubes, and in that post i promised: full technical details in a future post! it used to be in this aside but it got waaaay too long.
so… here's the full technical details!
setup
first i created a new template, just for my netvms. i called it (watch out, this is inspired) `net-dvm`.
that vm is just a clone of the usual netvm template, but with this script at `/rw/config/rc.local`, so it'll run when the vm boots:
```sh
#!/bin/bash
# bash rather than sh: `set -o pipefail` is a bash option (fedora's /bin/sh is
# bash, so `#!/bin/sh` happened to work there, but it breaks under dash).
set -uo pipefail
# everything this script prints ends up in /tmp/rc.log inside the netvm
exec >/tmp/rc.log 2>&1
echo 'rc.local started'

# walk /vm-config/wifi-N-name (plus -pass) for N = 1, 2, ... until one is missing
nm_wifi() {
  echo 'Qube is configured for WiFi! Waiting for device...'
  sleep 5
  # the wifi device has to be up before NetworkManager can scan
  while ! nmcli device wifi list --rescan yes; do
    sleep 1
    echo 'Trying again...'
  done
  i=1
  while name="$(qubesdb-read /vm-config/wifi-"$i"-name 2>/dev/null)"; do
    echo "Trying to connect to $name... "
    # -r: raw value, no trailing newline added
    if ! pass="$(qubesdb-read -r /vm-config/wifi-"$i"-pass 2>/dev/null)"; then
      echo 'No password set!'
    elif nmcli d wifi connect "$name" password "$pass"; then
      echo 'OK!'
    else
      echo 'Failed!'
    fi
    i=$((i+1))
  done
}

# walk /vm-config/vpn-N-type (plus -cfg); the type is whatever
# `nmcli connection import` understands, e.g. openvpn
nm_vpn() {
  echo 'Qube is configured for VPNs!'
  i=1
  while type="$(qubesdb-read /vm-config/vpn-"$i"-type 2>/dev/null)"; do
    echo "Trying to add VPN #$i ($type)..."
    # the config is a whole file, so write it out raw and let nmcli import it
    if ! qubesdb-read -r /vm-config/vpn-"$i"-cfg >/tmp/vpn-"$i".conf; then
      echo 'No config set!'
    elif nmcli c import type "$type" file /tmp/vpn-"$i".conf; then
      echo 'OK!'
    else
      echo 'Failed!'
    fi
    i=$((i+1))
  done
}

# qubes only starts NetworkManager in qubes that have the network-manager
# service enabled, so there's nothing to do otherwise
if [ -f /var/run/qubes-service/network-manager ]; then
  echo 'NetworkManager is enabled, waiting for it...'
  while ! systemctl is-active NetworkManager; do
    sleep 1
  done
  if qubesdb-read /vm-config/wifi-1-name; then
    nm_wifi
  else
    echo 'WiFi not configured, skipping.'
  fi
  if qubesdb-read /vm-config/vpn-1-type; then
    nm_vpn
  else
    echo 'VPNs not configured, skipping.'
  fi
else
  echo 'NetworkManager not enabled, skipping.'
fi
```
and that's it!
yeah, no, setting this up was easy. granted, i haven't tested it on other machines, but networkmanager's promise is that it'll just work™ so obviously that must be true, right? right?
usage
the way the script actually works is by iterating over the qube's "vm features", a slick little configuration system that qubes uses to set things like a vm's name, keyboard layout, etc. but you can actually set arbitrary values under the `vm-config` key, and that's exactly how you use the script!
```sh
# run in dom0: each feature becomes /vm-config/<name> in the qube's qubesdb
echo -n 'SSID: '
qvm-features sys-vpn vm-config.wifi-1-name "$(read -r v; echo "$v")"
echo -n 'Password: '
qvm-features sys-vpn vm-config.wifi-1-pass "$(read -r v; echo "$v")"
```
to set up multiple wifi networks, just re-run those commands but replace `wifi-1` with `wifi-2`.
vpns are basically the same, but the config file is… a whole file, so instead of retyping it, you should copy the file's contents to your global clipboard, then take advantage of the clipboard contents being in `/run/qubes/qubes-clipboard.bin`:
```sh
# run in dom0; these are the vpn-N-type / vpn-N-cfg keys that nm_vpn reads
echo -n 'VPN type (as nmcli connection import knows it, e.g. openvpn): '
qvm-features sys-vpn vm-config.vpn-1-type "$(read -r v; echo "$v")"
echo 'Copy your config file to your global clipboard, BUT DO NOT PASTE IT, and then hit enter.'
# `read` just waits for enter; the value is the whole clipboard file
qvm-features sys-vpn vm-config.vpn-1-cfg "$(read -r v; cat /run/qubes/qubes-clipboard.bin)"
```
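since those keys are numbered by hand, here's an added check (example code of mine, not the post's script) that walks the same `/vm-config/<kind>-N-<key>` layout the rc.local loop expects and flags the two ways it silently fails: a gap in the numbering (the loop stops at the first missing N) and a name or type without its pass or cfg. `db_read` stands in for `qubesdb-read -r` with constructed values so it runs anywhere; swap in the real command on the netvm.

```sh
#!/bin/sh
# added example, not the post's script: check the numbered vm-config keys the
# rc.local loop walks. it stops at the first missing index, so wifi-4 is
# ignored when wifi-3 is absent, and a name without a pass is skipped.
# db_read stands in for `qubesdb-read -r` with constructed values so this
# runs offline; on a real netvm: db_read() { qubesdb-read -r "$1" 2>/dev/null; }
db_read() {
  case $1 in
    /vm-config/wifi-1-name) printf 'home' ;;
    /vm-config/wifi-1-pass) printf 'hunter2' ;;
    /vm-config/wifi-2-name) printf 'office' ;;   # constructed: pass missing
    /vm-config/wifi-4-name) printf 'cafe' ;;     # constructed: no wifi-3, a gap
    /vm-config/wifi-4-pass) printf 'latte' ;;
    /vm-config/vpn-1-type)  printf 'openvpn' ;;
    /vm-config/vpn-1-cfg)   printf 'client\ndev tun\n' ;;
    *) return 1 ;;
  esac
}

# entries the boot script will visit: consecutive indices from 1 whose leading
# key ($2: "name" for wifi, "type" for vpn) exists
reachable_count() {
  i=1
  while db_read "/vm-config/$1-$i-$2" >/dev/null; do i=$((i+1)); done
  echo $((i-1))
}

# indices up to $3 that exist but sit past a gap, so they are never used
unreachable_indices() {
  n=$(reachable_count "$1" "$2"); i=$((n+1))
  while [ "$i" -le "$3" ]; do
    db_read "/vm-config/$1-$i-$2" >/dev/null && echo "$i"
    i=$((i+1))
  done
  return 0
}

# indices up to $4 with the leading key ($2) but not the second ($3: "pass" or
# "cfg"); the boot script logs a warning and skips these
incomplete_indices() {
  i=1
  while [ "$i" -le "$4" ]; do
    if db_read "/vm-config/$1-$i-$2" >/dev/null &&
       ! db_read "/vm-config/$1-$i-$3" >/dev/null; then echo "$i"; fi
    i=$((i+1))
  done
  return 0
}

echo "wifi: $(reachable_count wifi name) reachable, past a gap: $(unreachable_indices wifi name 10), missing pass: $(incomplete_indices wifi name pass 10); vpn: $(reachable_count vpn type) reachable"
```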
future work
there are two really big features i wish this had, but which aren't big enough deals (individually or together) to make me want to implement them:
first, i wish this had auto-refresh. i would like it to automatically connect to (and disconnect from) networks that are added (or removed). as it stands i need to reboot `sys-net` to apply changes – but i also don't often need to add new wifi networks, so it's not a huge deal for me.
second, it's kind of a bear to work with, and limited to boot. a better option would be using the actual networkmanager config files, but i cannot for the life of me figure out how to make them work! networkmanager just refuses to read them on boot for some reason, and nothing in the docs or logs says what i'm doing wrong, so i have to prod it with the cli instead. but that works, and is stable, so… eh, good enough.
if you have a custom qubes networking setup, you should tell me, so i can ~~steal your hard work~~ re-use your existing tech!