On Wed, Oct 17, 2018 at 01:08:26PM +0200, Johannes Graumann wrote:
> Gentlepeople,
>
> I have a conceptual question regarding a sensible layout of VMs and
> networking in the context of aiming at a qubes instance fully managed
> by scripting (salt or ansible, or shell, or ...).
>
> How would you set up a system that a) allows to automatedly configure
> qubes from dom0 (or even better a dedicated management VM) and b)
> allows for tracking of the scripting infrastructure using git and a
> github account (taking care of script integrity using gpg signing)?
>
> Direct network access of dom0 or the dedicated management VM is a bad
> idea, so how to solve this? put the git repo on a device shared
> temporarily with a dedicated networked VM that is only used for
> pushing/pulling?
>
> Thank you for any insight into how to manage such a setup.
>
> Sincerely, Joh
Have you looked at
https://www.qubes-os.org/news/2017/06/27/qubes-admin-api ?
It's clearly envisaged there that the management VM could have internet
access.
If you weren't happy with that you could have a disposableVM pulling from
git, validating with split-gpg. Pull into offline managementVM using
qrexec and validate again. Then apply.
Keeping salt and supporting files in git is definitely the way to go.
--
You received this message because you are subscribed to the Google Groups
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/20181017163644.3obzk3vwmcj23se2%40thirdeyesecurity.org.
For more options, visit https://groups.google.com/d/optout.
