Qubes OS dom0 files workflow using fossil


Introduction

Since I'm using Qubes OS, I have always faced an issue: I need proper tracking of the configuration files for my system. This can be done using Salt, as I explained in a previous blog post. But what I really want is a version control system allowing me to synchronize changes to a remote repository (it's absurd to back up dom0 for every change I make to a salt file). So far, git is too complicated to achieve that.

I gave fossil a try, a tool I like (I wrote about this one too ;) ), and it was surprisingly easy to set up remote access leveraging Qubes' `qvm-run`.

In this blog post, you will learn how to set up a remote fossil repository, and how to use it from your dom0.

Previous article about Fossil cheatsheet

Repository creation

On the remote system where you want to store the fossil repository (it's a single file), run `fossil init my-repo.fossil`.

The only requirement for this remote system is to be reachable over SSH by an AppVM in your Qubes OS.

dom0 clone

Now, we will clone this remote repository in our dom0. I'm personally fine with storing such files in the `/root/` directory.

In the following example, the file `my-repo.fossil` was created on the machine `10.42.42.200` with the path `/home/solene/devel/my-repo.fossil`. I'm using the AppVM `qubes-devel` to connect to the remote host using SSH.

```
[root@dom0 ~#] fossil clone --ssh-command "qvm-run --pass-io --no-gui -u user qubes-devel 'ssh'" ssh://10.42.42.200://home/solene/devel/my-repo.fossil /root/my-repo.fossil
```

This command clones a remote fossil repository by piping the SSH command through the qubes-devel AppVM, allowing fossil to reach the remote host.

A cool fact about fossil's clone command: it keeps the proxy settings, so no further changes are required.

With a Split SSH setup, I'm asked every time fossil is synchronizing; by default fossil has "autosync" mode enabled, for every commit done, the database is synced with the remote repository.

Open the repository (reminder about fossil usage)

As I said, fossil works with repository files. Now that you have cloned the repository in `/root/my-repo.fossil`, you could for instance open it in `/srv/` to manage all your custom changes to the dom0 salt.

This can be achieved with the following command:

```
[root@dom0 ~#] cd /srv/
[root@dom0 ~#] fossil open --force /root/my-repo.fossil
```

The `--force` flag is needed because we need to open the repository in a non-empty directory.
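
The clone and sync steps above can be wrapped in small dom0 shell helpers. This is an added example, not code from the original post: the qube name is checked before it is embedded in the `--ssh-command` string that fossil stores and runs for every sync, and autosync is turned off so a Split SSH prompt only appears on an explicit sync. The function names and the name pattern are assumptions made for this example.

```sh
#!/bin/sh
# Added example: dom0 helpers for the fossil-over-qvm-run workflow.
# Function names and the name check are assumptions of this example.

# Accept only names that start with a letter and contain letters, digits,
# "_" or "-" (a conservative pattern assumed here), so the name cannot add
# options or shell syntax to the command string built below.
valid_qube_name() {
    case "$1" in
        ''|[!A-Za-z]*|*[!A-Za-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# build_ssh_command QUBE: print the value passed to fossil's --ssh-command.
build_ssh_command() {
    valid_qube_name "$1" || { echo "invalid qube name: $1" >&2; return 1; }
    printf "qvm-run --pass-io --no-gui -u user %s 'ssh'\n" "$1"
}

# clone_via_qube QUBE URL DEST: clone through the given AppVM.
clone_via_qube() {
    ssh_cmd=$(build_ssh_command "$1") || return 1
    fossil clone --ssh-command "$ssh_cmd" "$2" "$3"
}

# commit_then_sync MESSAGE: run from inside the open checkout (e.g. /srv/).
# With autosync off, the commit stays local and the remote is contacted
# once, by the explicit sync.
commit_then_sync() {
    fossil settings autosync off || return 1
    fossil commit -m "$1" || return 1
    fossil sync
}
```

With autosync off, fossil no longer pulls before a commit, so if the same repository is changed from another machine, run `fossil sync` before committing to avoid forks.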

Conclusion

Finally, I figured out a proper way to manage my dom0 files, and my whole host. I'm very happy with this easy and reliable setup, especially since I'm already a fossil user. I don't really enjoy git, so demonstrating alternatives working fine always feels great.

If you want to use Git, I have a hunch that something could be done using `git bundle`, but this requires some investigation.