About me: My name is Solène Rapenne, pronouns she/her. I like learning and sharing knowledge. Hobbies: '(BSD OpenBSD Qubes OS Lisp cmdline gaming security QubesOS internet-stuff). I love percent and lambda characters. OpenBSD developer solene@. No AI is involved in this blog.

Contact me: solene at dataswamp dot org or @solene@bsd.network (mastodon).

I'm a freelance OpenBSD, FreeBSD, Linux and Qubes OS consultant, this includes DevOps, DevSecOps, technical writing or documentation work. If you enjoy this blog, you can sponsor my open source work financially so I can write this blog and contribute to Free Software as my daily job.

Qubes OS dom0 files workflow using fossil

Written by Solène, on 04 June 2023.
Tags: #qubesos #fossil

Comments on Fediverse/Mastodon

1. Introduction §

Since I'm using Qubes OS, I always faced an issue; I need a proper tracking of the configuration files for my systemthis can be done using Salt as I explained in a previous blog post. But what I really want is a version control system allowing me to synchronize changes to a remote repository (it's absurd to backup dom0 for every change I make to a salt file). So far, git is too complicated to achieve that.

I gave a try with fossil, a tool I like (I wrote about this one too ;) ), and it was surprisingly easy to setup remote access leveraging Qubes'qvm-run.

In this blog post, you will learn how to setup a remote fossil repository, and how to use it from your dom0.

Previous article about Fossil cheatsheet

2. Repository creation §

On the remote system where you want to store the fossil repository (it's a single file), run fossil init my-repo.fossil.

The only requirement for this remote system is to be reachable over SSH by an AppVM in your Qubes OS.

3. dom0 clone §

Now, we will clone this remote repository in our dom0, I'm personnally fine with storing such files in /root/ directory.

In the following example, the file my-repo.fossil was created on the machine 10.42.42.200 with the path /home/solene/devel/my-repo.fossil. I'm using the AppVM qubes-devel to connect to the remote host using SSH. 

[root@dom0 ~#] fossil clone --ssh-command "qvm-run --pass-io --no-gui -u user qubes-devel 'ssh'" ssh://10.42.42.200://home/solene/devel/my-repo.fossil /root/my-repo.fossil

This command clone a remote fossil repository by piping the SSH command through qubes-devel AppVM, allowing fossil to reach the remote host.

Cool fact with fossil's clone command, it keeps the proxy settings, so no further changes are required.

With a Split SSH setup, I'm asked everytime fossil is synchronizing; by default fossil has "autosync" mode enabled, for every commit done the database is synced with the remote repository.

4. Open the repository (reminder about fossil usage) §

As I said, fossil works with repository files. Now you cloned the repository in /root/my-repo.fossil, you could for instance open it in /srv/ to manage all your custom changes to the dom0 salt.

This can be achieved with the following command: 

[root@dom0 ~#] cd /srv/
[root@dom0 ~#] fossil open --force /root/my-repo.fossil

The --force flag is needed because we need to open the repository in a non-empty directory.

5. Conclusion §

Finally, I figured a proper way to manage my dom0 files, and my whole host. I'm very happy of this easy and reliable setup, especially since I'm already a fossil user. I don't really enjoy git, so demonstrating alternatives working fine always feel great.

If you want to use Git, I have a hunch that something could be done using git bundle, but this requires some investigation.