I am looking to set up “block all but whitelist” per VM in sys-pihole. Per the Pi-hole documentation, it can be achieved using the IP addresses of Pi-hole clients. For this to work in Qubes SaltStack, one should be able to either assign an IP address to a VM during creation or at least get the IP address of a VM in SaltStack (provided the IP addresses are static for the VM). Does anyone know how to assign an IP address to a VM in SaltStack?
IP addresses are always static per qube, and are assigned at creation.
You could access it in jinja like this:

```
salt['cmd.shell']('qubesdb-read /qubes-ip -d QUBE')
```

Or get the value of the `ipv4` grain from the qube.
I never presume to speak for the Qubes team.
When I comment in the Forum I speak for myself.
Thank you. I have to run the whitelist scripts in sys-pihole, which means I have to provide target=sys-pihole while running the SaltStack scripts. However, to get the IP address it looks like I have to run the command on the client VM. Is there any way to get the IP address of the client VM and pass it on to the script that needs to run in sys-pihole?

Edit: I see that the command `qubesdb-read /qubes-ip -d QUBE` can be run from dom0. But the question remains: how do I run a command in dom0 and pass the output to the script that should be run in sys-pihole in SaltStack?
I was able to achieve this using qrexec. sys-pihole has an RPC script `user.GroupManagement` which accepts a group name as a parameter and reads the IP address from stdin.

SaltStack runs on dom0. The first step is to get the IP address using the command provided by @unman in the previous post, `qubesdb-read /qubes-ip -d QUBE`. The second step is to run `user.GroupManagement+GroupName` and send the stdin parameter using `<<<`:

```
qvm-run --pass-io --service sys-pihole user.GroupManagement+GroupName <<< 'a.b.c.d'
```

I still would like to make one improvement to it. In order to run `qubesdb-read /qubes-ip -d QUBE` the qube has to be running. However, I see the IP address of a qube in the Qube Manager UI even when the qube is turned off. Does anyone know how Qube Manager finds the IP address of a qube even when it is turned off?
The command `qvm-prefs --get QUBE ip` would return the IP address even when the QUBE is turned off.