save

2025-08-28 17:48:34 +02:00 · 2025-08-28 17:48:34 +02:00 · 93f402b012
commit 93f402b012
parent 764967c8e0
9 changed files with 299 additions and 4 deletions
--- a/bin/recipes/gnome/notes.md
+++ b/bin/recipes/gnome/notes.md
@ -0,0 +1 @@
+sudo apt-get install task-gnome-desktop
--- a/bin/recipes/net/net-up
+++ b/bin/recipes/net/net-up
@ -0,0 +1,20 @@
+#!/usr/bin/env bash
+
+sudo mkdir -p /etc/systemd/network
+cat <<'EOF' | sudo tee /etc/systemd/network/20-enp0s1.network
+[Match]
+Name=enp0s1
+
+[Network]
+DHCP=yes
+EOF
+
+sudo systemctl enable --now systemd-networkd
+sudo systemctl enable --now systemd-resolved
+
+sudo ln -sf /run/systemd/resolve/resolv.conf /etc/resolv.conf
+
+sudo ip link set enp0s1 up
+sudo networkctl reload
+sudo networkctl reconfigure enp0s1
+
--- a/bin/recipes/net/notes.md
+++ b/bin/recipes/net/notes.md
@ -0,0 +1,16 @@
+# bring the link up
+sudo ip link set enp0s1 up
+
+# give yourself an address in QEMU's usernet
+sudo ip addr add 10.0.2.15/24 dev enp0s1
+
+# default gateway for slirp
+sudo ip route add default via 10.0.2.2
+
+# DNS via slirp (or use 1.1.1.1 if you prefer)
+echo "nameserver 10.0.2.3" | sudo tee /etc/resolv.conf > /dev/null
+
+# sanity checks
+ip -4 a show enp0s1
+ping -c2 10.0.2.2
+ping -c2 deb.debian.org
--- a/bin/recipes/vnc/notes.md
+++ b/bin/recipes/vnc/notes.md
@ -0,0 +1,93 @@
+Here’s what those two pieces typically look like in a QEMU VNC + TLS + SASL setup.
+
+# `/etc/pki/qemu` (TLS x509 creds)
+
+QEMU’s `-object tls-creds-x509,...,dir=/etc/pki/qemu,endpoint=server` expects this directory to hold the server’s cert/key and the CA it should trust for client certs.
+
+Example layout:
+
+```
+/etc/pki/qemu/
+├── ca-cert.pem         # CA cert used to verify client certificates (if verify-peer=yes)
+├── server-cert.pem     # Server certificate (CN should match the host, or use subjectAltName)
+├── server-key.pem      # Private key for server-cert.pem (chmod 600, root-only)
+└── crl.pem             # (optional) Certificate Revocation List
+```
+
+Typical QEMU arg:
+
+```
+-object tls-creds-x509,id=tls0,dir=/etc/pki/qemu,endpoint=server,verify-peer=yes
+-vnc :0,tls-creds=tls0,sasl
+```
+
+Notes:
+
+* `verify-peer=yes` means the VNC client must present a client certificate signed by `ca-cert.pem`. Omit or set `no` if you only want encryption without client certs (and rely on SASL for auth).
+* File names above are the conventional ones QEMU looks for in that dir in server mode.
+* Permissions matter: keep `server-key.pem` readable only by the QEMU user (e.g., `chmod 600`).
+
+(If you wanted the client side for certificate auth, you’d create a *client* bundle with `client-cert.pem` / `client-key.pem` and give the server’s CA to the client.)
+
+# `/etc/sasl2/qemu.conf` (SASL settings)
+
+This file tells Cyrus SASL how to authenticate for the “qemu” service. A simple, local-password (sasldb) setup might be:
+
+```
+# /etc/sasl2/qemu.conf
+mech_list: scram-sha-256 digest-md5
+pwcheck_method: auxprop
+auxprop_plugin: sasldb
+sasldb_path: /etc/sasldb2
+```
+
+What each line does:
+
+* `mech_list`: Which SASL mechanisms to allow. (If your build doesn’t have SCRAM, use `digest-md5` and/or `plain`/`login` — but prefer SCRAM or DIGEST over PLAIN.)
+* `pwcheck_method: auxprop` + `auxprop_plugin: sasldb`: use the local SASL database.
+* `sasldb_path`: where the password DB lives (default is `/etc/sasldb2` on many distros).
+
+Create users in the sasldb:
+
+```bash
+sudo saslpasswd2 -a qemu -c alice
+# (it will prompt for a password)
+sudo sasldblistusers2 -f /etc/sasldb2    # verify entry exists
+```
+
+Then run QEMU with both TLS and SASL:
+
+```bash
+qemu-system-x86_64 \
+  -object tls-creds-x509,id=tls0,dir=/etc/pki/qemu,endpoint=server,verify-peer=no \
+  -vnc :0,tls-creds=tls0,sasl
+```
+
+* Client connects over **TLS** (encrypted), then is prompted for **SASL username/password** (“alice” and the password you set).
+* If you set `verify-peer=yes`, the client must also present a valid client cert signed by your CA.
+
+## Quick OpenSSL one-liners (for testing)
+
+> For production, use a proper CA workflow and strong key handling.
+
+```bash
+# CA
+openssl genrsa -out ca.key 4096
+openssl req -x509 -new -nodes -key ca.key -sha256 -days 3650 -out ca-cert.pem -subj "/CN=QEMU Test CA"
+
+# Server cert
+openssl genrsa -out server-key.pem 2048
+openssl req -new -key server-key.pem -out server.csr -subj "/CN=your.host.name"
+openssl x509 -req -in server.csr -CA ca-cert.pem -CAkey ca.key -CAcreateserial -out server-cert.pem -days 825 -sha256
+install -m 600 server-key.pem /etc/pki/qemu/
+install -m 644 server-cert.pem ca-cert.pem /etc/pki/qemu/
+```
+
+## Common pitfalls
+
+* **Wrong filenames/paths** in `/etc/pki/qemu` → QEMU won’t find the certs.
+* **Permissions too open** on `server-key.pem` → QEMU may refuse or it’s a security risk.
+* **SASL mechanism mismatch** → ensure your client supports one from `mech_list`.
+* **No TLS but SASL with PLAIN/LOGIN** → credentials go over the wire unencrypted; always pair PLAIN/LOGIN with TLS.
+
+If you tell me your distro, I can tailor the exact package names (Cyrus SASL modules) and service paths.
--- a/bin/vm
+++ b/bin/vm
@ -31,6 +31,11 @@ OptionParser.new do |opt|
    options.tpm = true
  end

+  opt.on('--shell', 'QEMU process must be detached to exec ssh') do 
+    options.shell = true
+    options.detached = true
+  end
+
  opt.on('--detached') do 
    options.detached = true
  end