 |
Title: Qubes OS dom0 files workflow using fossil |
|
Author: Solène |
|
Date: 04 June 2023 |
|
Tags: qubesos fossil |
|
Description: In this article, you will learn how to manage your Qubes |
|
OS dom0 files in a revision control system, and how to synchronize it. |
|
|
|
# Introduction |
|
|
|
Since I'm using Qubes OS, I always faced an issue; I need a proper |
|
tracking of the configuration files for my systemthis can be done using |
|
Salt as I explained in a previous blog post. But what I really want is |
|
a version control system allowing me to synchronize changes to a remote |
|
repository (it's absurd to backup dom0 for every change I make to a |
|
salt file). So far, git is too complicated to achieve that. |
|
|
|
I gave a try with fossil, a tool I like (I wrote about this one too ;) |
|
), and it was surprisingly easy to setup remote access leveraging |
|
Qubes'qvm-run. |
|
|
|
In this blog post, you will learn how to setup a remote fossil |
|
repository, and how to use it from your dom0. |
|
|
 |
Previous article about Fossil cheatsheet |
|
|
|
# Repository creation |
|
|
|
On the remote system where you want to store the fossil repository |
|
(it's a single file), run `fossil init my-repo.fossil`. |
|
|
|
The only requirement for this remote system is to be reachable over SSH |
|
by an AppVM in your Qubes OS. |
|
|
|
# dom0 clone |
|
|
|
Now, we will clone this remote repository in our dom0, I'm personnally |
|
fine with storing such files in `/root/` directory. |
|
|
|
In the following example, the file `my-repo.fossil` was created on the |
|
machine `10.42.42.200` with the path |
|
`/home/solene/devel/my-repo.fossil`. I'm using the AppVM `qubes-devel` |
|
to connect to the remote host using SSH. |
|
|
|
```command |
|
[root@dom0 ~#] fossil clone --ssh-command "qvm-run --pass-io --no-gui -u user q… |
|
``` |
|
|
|
This command clone a remote fossil repository by piping the SSH command |
|
through qubes-devel AppVM, allowing fossil to reach the remote host. |
|
|
|
Cool fact with fossil's clone command, it keeps the proxy settings, so |
|
no further changes are required. |
|
|
|
With a Split SSH setup, I'm asked everytime fossil is synchronizing; by |
|
default fossil has "autosync" mode enabled, for every commit done the |
|
database is synced with the remote repository. |
|
|
|
# Open the repository (reminder about fossil usage) |
|
|
|
As I said, fossil works with repository files. Now you cloned the |
|
repository in `/root/my-repo.fossil`, you could for instance open it in |
|
`/srv/` to manage all your custom changes to the dom0 salt. |
|
|
|
This can be achieved with the following command: |
|
|
|
```shell |
|
[root@dom0 ~#] cd /srv/ |
|
[root@dom0 ~#] fossil open --force /root/my-repo.fossil |
|
``` |
|
|
|
The `--force` flag is needed because we need to open the repository in |
|
a non-empty directory. |
|
|
|
# Conclusion |
|
|
|
Finally, I figured a proper way to manage my dom0 files, and my whole |
|
host. I'm very happy of this easy and reliable setup, especially since |
|
I'm already a fossil user. I don't really enjoy git, so demonstrating |
|
alternatives working fine always feel great. |
|
|
|
If you want to use Git, I have a hunch that something could be done |
|
using `git bundle`, but this requires some investigation. |
