Disable Internet access for AppImages

Hi,

This is not entirely Qubes-specific, but I use Obsidian, which is like a journal app. Unfortunately, they only have AppImages for Linux distros. Every note I create in Obsidian is saved locally, which I like. I have a separate AppVM for this with network access set to off… However, I make notes every day and I would like to have a cloud backup just in case, but I don't want to give the Obsidian app network access.

Copying notes to a network-enabled AppVM every time I want to sync seems a bit cumbersome. Some other forums suggested I use firejail to restrict network access to the Obsidian AppImage. How would you guys approach this problem?

Thanks

You could use a firewall rule that only allows reaching the remote backup server.

That would be overkill, but you could use OpenSnitch to manually allow/block the network traffic in that qube.

You could set this in the GUI tool.
Depending on your level of paranoia this might not be sufficient (leaves
icmp and dns open). In that case you will want to use qvm-firewall in
dom0:
Once you have set the restriction in the GUI, run qvm-firewall OBSIDIAN_QUBE
You will see the accept rule for the remote backup, and other rules
for dns and icmp: note the rule numbers, probably 2 and 3.
Delete these with qvm-firewall OBSIDIAN_QUBE del --rule-no=3 and
qvm-firewall OBSIDIAN_QUBE del --rule-no=2
Run qvm-firewall OBSIDIAN_QUBE again to confirm you have an accept
rule to the backup followed by a drop rule.

On the other hand, using an intermediate network connected qube is
pretty straightforward. You could use a named disposable for this
purpose, or a standard disposable. (Set any log on credentials
for the remote server in the disposable template.)
A simple script like this in dom0 would do:

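#!/usr/bin/bash
# Copy the notes from the offline qube to the network-connected TRANSFER qube
qvm-run OBSIDIAN_QUBE 'qvm-copy-to-vm TRANSFER NOTE_DIR'
# Push the received copy from TRANSFER to the remote server
qvm-run TRANSFER 'rsync QubesIncoming/OBSIDIAN_QUBE/NOTE_DIR/* REMOTE_SERVER:/REMOTE_NOTE_DIR'
# Shut the transfer qube down again
qvm-shutdown TRANSFER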

Or you could use syncthing or rsync over qrexec to have a backup qube,
and syncthing from there to the remote server.

Many possibilities.

I use zpaqfranz to generate archives, and rsync them to remote servers -
usually linked to a keyboard shortcut. But you could easily set up a
launcher, if that’s what you like.

2 Likes
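
The final check in the qvm-firewall reply above (an accept rule to the backup followed by a drop rule, with nothing else left open) written as a script; this is an added example, not part of any post in the thread. It assumes the rules are piped in the key=value form printed by `qvm-firewall --raw OBSIDIAN_QUBE list`; the function name `audit_rules`, the address 192.0.2.10 and the sample rule lines are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example. In dom0 the intended use would be (assumed raw output format):
#   qvm-firewall --raw OBSIDIAN_QUBE list | audit_rules BACKUP_IP
# Exit status 0 only if every accept rule targets BACKUP_IP and the last rule is drop.
audit_rules() {
    awk -v host="$1" '
    function field(key,   i, kv) {          # value of key=... on the current line
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == key) return kv[2]
        }
        return ""
    }
    NF == 0 { next }                        # ignore blank lines
    {
        action = field("action")
        last = action                       # remember the final rule action
        if (action != "accept") next
        dst = field("dsthost")
        if (dst == host || dst == host "/32") { ok++; next }
        printf "still allows other traffic: %s\n", $0
        bad++
    }
    END {
        if (last != "drop") { print "last rule is not drop"; bad++ }
        if (!ok) { print "no accept rule for " host; bad++ }
        exit (bad ? 1 : 0)
    }'
}

# Constructed sample: what the GUI restriction leaves behind (DNS and ICMP open).
GUI_RULES='action=accept dsthost=192.0.2.10/32 proto=tcp dstports=22-22
action=accept specialtarget=dns
action=accept proto=icmp
action=drop'

# Constructed sample: the rule set after the two extra accept rules are deleted.
TIGHT_RULES='action=accept dsthost=192.0.2.10/32 proto=tcp dstports=22-22
action=drop'

printf '%s\n' "$GUI_RULES"   | audit_rules 192.0.2.10 || echo "=> not locked down yet"
printf '%s\n' "$TIGHT_RULES" | audit_rules 192.0.2.10 && echo "=> only the backup host is reachable"
```

With the dns rule deleted the qube can no longer resolve names, so point rsync at the server's IP address or add a hosts entry for it.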

Personally, I would stick with the offline qube and just upload Qubes backups nightly.