MirageOS, Split SSH, Docker fixes, and minor updates

Signed-off-by: tommytran732 <contact@tommytran.io>

dom0.sh

@@ -16,9 +16,12 @@ qvm-service --enable work qubes-u2f-proxy
 
 echo "export QT_QPA_PLATFORMTHEME=gtk2" | sudo tee /etc/environment
 
-#Obviously replace vault-gpg with the actual GPG backend that you are using https://www.qubes-os.org/doc/split-gpg/
+#Obviously replace vault with the actual GPG backend that you are using https://www.qubes-os.org/doc/split-gpg/
 echo "emails  vault allow" | sudo tee /etc/qubes-rpc/policy/qubes.Gpg
-echo "@anyvm  @anyvm  ask,default_target=vault-gpg" | sudo tee -a /etc/qubes-rpc/policy/qubes.Gpg
+echo "@anyvm  @anyvm  ask,default_target=vault" | sudo tee -a /etc/qubes-rpc/policy/qubes.Gpg
+
+#Same thing, but for split SSH. No default allow here because here though because there will not be a timeout or anything like that. 
+echo "@anyvm  @anyvm ask,default_target=vault" | sudo tee /etc/qubes-rpc/policy/qubes.SshAgent
 
 #Enabling VMAuth - if you want to get the prompt you will still need to configure the guest VMs tho
 echo "/usr/bin/echo 1" | sudo tee /etc/qubes-rpc/qubes.VMAuth

fedora-minimal/sys-firewall.sh

@@ -1,3 +1,4 @@
 #!/bin/bash
 
+#This is a bit meh, use MiargeOS instead if you can.
 sudo dnf install -y qubes-core-agent-networking qubes-core-agent-dom0-updates

fedora/development-appvm.sh

@@ -1,8 +0,0 @@
-#!/bin/bash
-
-#Run this in the appVM
-sudo mkdir -p /etc/qubes-bind-dirs.d
-sudo tee /etc/qubes-bind-dirs.d50_user.conf << EOF > /dev/null
-binds+=( '/var/lib/docker' )
-binds+=( '/etc/docker' )
-EOF

fedora/development.sh

@@ -9,4 +9,10 @@ sudo dnf config-manager --add-repo https://download.docker.com/linux/fedora/dock
 sudo dnf install docker-ce docker-compose-plugin github-desktop code java-latest-openjdk hugo
 sudo systemctl enable --now docker
 sudo usermod -aG docker $USER
-newgrp docker
+newgrp docker
+
+sudo mkdir -p /etc/qubes-bind-dirs.d
+sudo tee /etc/qubes-bind-dirs.d50_user.conf << EOF > /dev/null
+binds+=( '/var/lib/docker' )
+binds+=( '/etc/docker' )
+EOF

fedora/games.sh

@@ -3,4 +3,4 @@
 echo "color-scheme='prefer-dark'" | sudo tee -a /etc/dconf/local.d/custom
 sudo dconf update
 
-sudo dnf install -y gnome-chess gnome-2048
+sudo dnf install -y gnome-chess gnome-2048 gnome-mines

fedora/sysadmin-AppVM.sh

@@ -0,0 +1,23 @@
+#!/bin/bash
+
+#Run this in an AppVM, not a TemplateVM
+
+echo '# SPLIT SSH CONFIGURATION >>>
+# replace "vault" with your AppVM name which stores the ssh private key(s)
+SSH_VAULT_VM="vault"
+
+if [ "$SSH_VAULT_VM" != "" ]; then
+  export SSH_SOCK="/home/user/.SSH_AGENT_$SSH_VAULT_VM"
+  rm -f "$SSH_SOCK"
+  sudo -u user /bin/sh -c "umask 177 && exec socat 'UNIX-LISTEN:$SSH_SOCK,fork' 'EXEC:qrexec-client-vm $SSH_VAULT_VM qubes.SshAgent'" &
+fi
+# <<< SPLIT SSH CONFIGURATION' | sudo tee -a /rw/config/rc.local
+
+echo '# SPLIT SSH CONFIGURATION >>>
+# replace "vault" with your AppVM name which stores the ssh private key(s)
+SSH_VAULT_VM="vault"
+
+if [ "$SSH_VAULT_VM" != "" ]; then
+  export SSH_AUTH_SOCK="/home/user/.SSH_AGENT_$SSH_VAULT_VM"
+fi
+# <<< SPLIT SSH CONFIGURATION' | tee -a ~/.bashrc

fedora/vault.sh

@@ -0,0 +1,16 @@
+#!/bin/bash
+
+echo '#!/bin/sh
+# Qubes App Split SSH Script
+
+# Activate GPG Agent and set the correct SSH socket
+export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
+gpgconf --launch gpg-agent
+
+# safeguard - Qubes notification bubble for each ssh request
+notify-send "[$(qubesdb-read /name)] SSH agent access from: $QREXEC_REMOTE_DOMAIN"
+
+# SSH connection
+socat - "UNIX-CONNECT:$SSH_AUTH_SOCK"' | sudo tee /etc/qubes-rpc/qubes.SshAgent
+
+sudo chmod +x /etc/qubes-rpc/qubes.SshAgent

mirageos/README.md

@@ -0,0 +1,5 @@
+# MirageOS
+
+This is my own build of MirageOS 3.10. As of this writing, the Dockerfile on the main branch of Mirage is broken, so the SHA256SUm will not match with what they have officially.
+
+The SHA256Sum of this build is `0342f3a1c450cfa46de07d3f3181afd1cd4d17d731bfe3b022eec35009539416`.