Qubes and Hybrid
TODO look at Hockeypuck app, there may be more to glean from that
This guide covers two different concerns which intersect: developing Sandstorm apps on QubesOS, and creating SPK (raw) apps that can also be built with Vagrant SPK. I can't guarantee this will be everything you need to do. You may need to play around with it. But it'll take care of a lot of what will go wrong.
(Given popular demand they can be separated. Dan the author does both at once, so in the interest of time he made one guide.)
One nice benefit of Qubes is that you can keep everything separate. As such you may consider creating a new VM for each Sandstorm project. Though, perhaps this isn't necessary if you use a normal AppVM which wipes the system (everything but home directory) for each restart anyway. I guess this is up to you.
If you do use an AppVM, you'll need to install Sandstorm every time. You'll also need to set up your Qubes user (usually literally called user) to be able to work with it:
curl https://install.sandstorm.io | bash
sudo usermod -a -G sandstorm user
Now, for whatever reason your Qubes VM won't have the user's group associations with Sandstorm on a normal bash session (if someone can fix this please put it in here! and maybe in a more current version of Qubes they fix it?). So you'll get an error if you try to run spk dev. To fix this, do:
sudo su user
🤷 At this point you'll start a new shell with your same user, but you'll have the sandstorm group.
You might want to start by bootstrapping a Vagrant-SPK project. Maybe even on another machine, or maybe copy another project or something. (I haven't thought about how to do it on Qubes as such).
With Vagrant SPK you have your four scripts. global-setup.sh installs the OS and other Vagrant stuff. For your hybrid setup, your only concern here should be that you have the same version of Debian on the system you're developing on (such as your Qubes VM). build.sh and sudo setup.sh can be run manually. Just keep in mind that if they install anything on the system, you'll have to run this every time you start up your VM. launch.sh is straightforward as usual so long as you have the paths set up properly below.
Here's the real secret. It tripped me up a lot trying to go back and forth between vagrant-spk and spk, getting different stuff in sandstorm-files.list for either one. You want your app set up at /opt/app. However, this isn't a very convenient place to do your development. If you're on a Qubes AppVM, this directory will get wiped out every restart. You could probably do this with a Qubes Standalone VM, but maybe you don't want to have a full system just for this.
So I recommend putting your project in your home directory as usual. Can you symlink /opt/app to your repo? Turns out Sandstorm doesn't like that. What you can do instead is something called a bind mount.
ls /opt/app/ || sudo mkdir /opt/app
ls /opt/app/.sandstorm || sudo mount --bind /home/user/my-cool-app /opt/app
Again, run this every time you start up.
Putting it all together you might want a startup script that looks something like this:
#!/bin/bash
set -exuo pipefail
# don't install twice
id -u sandstorm || curl https://install.sandstorm.io | bash
sudo usermod -a -G sandstorm user
# This part requires that you checked out the repo first
ls /opt/app/ || sudo mkdir /opt/app
ls /opt/app/.sandstorm || sudo mount --bind /home/user/my-cool-app /opt/app
sudo /opt/app/.sandstorm/setup.sh
Note that I tried to make it idempotent so that it could be re-run after any changes to setup. (You might add build if that has sudo stuff in there as well).
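A preflight check for the two things this guide says go wrong before spk dev: the sandstorm group not being active in the current shell, and /opt/app not being bind-mounted. This is an added example, not part of the original guide or the Sandstorm project; the function names are hypothetical and the mountinfo lines are constructed sample data.

```bash
# Added example: preflight checks before `spk dev`. Function names are
# hypothetical; the mountinfo lines below are constructed sample data.

# has_group GROUP "LIST": succeed if GROUP is one of the names in LIST.
has_group() {
    for _g in $2; do
        [ "$_g" = "$1" ] && return 0
    done
    return 1
}

# is_mounted_at DIR [FILE]: succeed if DIR is a mount point. Field 5 of each
# line in /proc/self/mountinfo is the mount point.
is_mounted_at() {
    awk -v d="$1" '$5 == d { hit = 1 } END { exit !hit }' \
        "${2:-/proc/self/mountinfo}"
}

# preflight SESSION_GROUPS DB_GROUPS APP_DIR [FILE]: print each problem and
# return how many were found (0 means ready for spk dev).
preflight() {
    _n=0
    if ! has_group sandstorm "$2"; then
        echo "not in sandstorm group: sudo usermod -a -G sandstorm user"
        _n=$((_n + 1))
    elif ! has_group sandstorm "$1"; then
        echo "sandstorm group not active in this shell: sudo su user"
        _n=$((_n + 1))
    fi
    if ! is_mounted_at "$3" "${4:-/proc/self/mountinfo}"; then
        echo "$3 is not a mount point: bind mount your repo there"
        _n=$((_n + 1))
    fi
    return "$_n"
}

# Constructed mountinfo for a VM where the repo is bind-mounted at /opt/app.
sample_mountinfo() {
    cat <<'EOF'
24 1 202:0 / / rw,relatime shared:1 - ext4 /dev/mapper/dmroot rw
71 24 202:16 /home /home rw,relatime shared:30 - ext4 /dev/xvdb rw
88 24 202:16 /home/user/my-cool-app /opt/app rw,relatime shared:30 - ext4 /dev/xvdb rw
EOF
}
# Demo on constructed input: group in the database but not in this session.
# On a real VM: preflight "$(id -nG)" "$(id -nG "$(id -un)")" /opt/app
_tmp=$(mktemp) && sample_mountinfo > "$_tmp"
preflight "user qubes" "user qubes sandstorm" /opt/app "$_tmp" || echo "problems: $?"
rm -f "$_tmp"
```

id -nG with no argument reports the groups of the running shell, while id -nG with a user name reads the group database, which is why the two lists differ until a new session is started.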