https://getmonero.org/resources/user-guides/cli_wallet_daemon_isolation_qubes_whonix.html is missing how to actually use it.
I guess it is simply: run `monero-wallet-cli` or monero gui in monero-wallet-ws.

0xB44EFD8751077F97:
> Patrick Schleizer:
>> I didn't notice this thread until now.
>>
>> Interesting!
>>
>> Now reference here:
>> https://www.whonix.org/wiki/Monero
>>
>> I am wondering how to save users from as many manual steps as possible.
>>
>> To save users from having to edit /rw/config/rc.local...
>>
>>> socat TCP-LISTEN:18081,fork,bind=127.0.0.1 EXEC:"qrexec-client-vm monerod-ws user.monerod"
>>
>> Could maybe be replaced by file:
>>
>> /etc/anon-ws-disable-stacked-tor.d/40_monero.conf
>>
>> content:
>>
>> $pre_command socat TCP-LISTEN:18081,fork,bind=127.0.0.1 EXEC:"qrexec-client-vm monerod-ws user.monerod"
>>
>> Should work after reboot (or after "sudo systemctl restart
>> anon-ws-disable-stacked-tor").
>>
>> Untested.
>>
>> Reference:
>> https://github.com/Whonix/anon-ws-disable-stacked-tor/blob/master/etc/anon-ws-disable-stacked-tor.d/30_anon-dist.conf
>>
>
> Tested, works on Whonix 14/Qubes 4.0.
>
> Would you consider shipping this as a default Whonix file, or maybe part
> of a package?

In package https://github.com/Whonix/qubes-whonix when using socket activation, yes. Similar to:

- https://github.com/Whonix/anon-ws-disable-stacked-tor/blob/master/lib/systemd/system/anon-ws-disable-stacked-tor_autogen_port_9050.socket
- https://github.com/Whonix/anon-ws-disable-stacked-tor/blob/master/lib/systemd/system/anon-ws-disable-stacked-tor_autogen_port_9050.service

File name should not contain "anon-ws-disable-stacked-tor" / "autogen".

File names...?

/lib/systemd/system/qubes-whonix-monerod.socket
/lib/systemd/system/qubes-whonix-monerod.service

Replace "ExecStart=/lib/systemd/systemd-socket-proxyd 10.152.152.10:9050" with:

socat TCP-LISTEN:18081,fork,bind=127.0.0.1 EXEC:"qrexec-client-vm monerod-ws user.monerod"

Untested. Does that work?

Would this break monerod for users not using this Monero wallet/daemon isolation? I mean, does monerod use local port 18081 by default? In that case we'd need to change that port.

> If not, the user will have to put this on the TemplateVM
> or config bind-dirs; which are both additional steps.
>>
>> /etc/qubes-rpc/policy/user.monerod could maybe become:
>> /etc/qubes-rpc/policy/whonix.monerod
>>
>> To save users from manually creating it, could be dropped here:
>>
>> https://github.com/QubesOS/qubes-core-admin-addon-whonix/tree/master/qubes-rpc-policy
>>
>> If you like, create a pull request and see what Marek thinks.
>>
>
> This would be useful. It's on my radar.
>
>>
>> /home/user/monerod.service would be better in /rw so only root can write
>> to it. Even better perhaps systemd user services?
>>
>> https://www.brendanlong.com/systemd-user-services-are-amazing.html
>>
>> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=820111
>>
>
> Interesting, I didn't know about this. I don't see how moving the file
> from /home/user/ to /home/user/.config/systemd/user is more secure,
> though.
> I think moving it to /rw may be slightly better, but
> passwordless sudo kind of negates that.

Indeed only useful for users of these:

- https://www.qubes-os.org/doc/vm-sudo/
- https://github.com/tasket/Qubes-VM-hardening

Qubes-VM-hardening will be easily available one day probably.

https://github.com/QubesOS/qubes-issues/issues/2748

I guess password protected sudo will get more and more easy in Qubes so very much worth going for proper access rights.

> The best would be to put it on the TemplateVM in /lib/systemd/system/,
> but, again, this is more steps for the user.
>
> In regards to monero being in stretch-backports now, I think it might be
> an equal number of steps or more than there is now, and more confusing
> for the user, to add stretch-backports to the TemplateVM's sources and
> install via apt. If it were in stretch this would be no question.
>

And only monerod is in Debian. monero gui is not.
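An added sketch of the socket-activated variant discussed in the message above; it is not from the thread or from any Whonix or Qubes package, and it is untested on Whonix. With socket activation systemd itself owns the listening socket, so instead of `socat TCP-LISTEN` this version uses `Accept=yes` and hands each accepted connection to `qrexec-client-vm` on stdin/stdout. The `@` template name, the `whonix-monerod-proxy` service flag, the `/usr/bin` path and `User=user` are assumptions.

```ini
# --- /lib/systemd/system/qubes-whonix-monerod.socket (name from the thread) ---
[Unit]
Description=Loopback listener for monerod RPC, forwarded over qrexec
# Assumption: start only in qubes where this (hypothetical) Qubes service
# flag was enabled from dom0 with qvm-service. A workstation that runs its
# own monerod on 18081 never gets the flag, so the port stays free there.
ConditionPathExists=/var/run/qubes-service/whonix-monerod-proxy

[Socket]
# Same loopback address and port as the socat line in the thread
ListenStream=127.0.0.1:18081
# inetd style: one service instance per accepted connection
Accept=yes

[Install]
WantedBy=sockets.target

# --- /lib/systemd/system/qubes-whonix-monerod@.service (hypothetical) ---
# Accept=yes requires a template unit, hence the "@" in the file name.
[Unit]
Description=qrexec connection to user.monerod in monerod-ws

[Service]
# The accepted TCP connection becomes stdin/stdout of qrexec-client-vm.
# Path is an assumption; confirm with "command -v qrexec-client-vm".
ExecStart=/usr/bin/qrexec-client-vm monerod-ws user.monerod
StandardInput=socket
StandardOutput=socket
# Keep qrexec-client-vm diagnostics out of the RPC byte stream
StandardError=journal
# Assumption: the default unprivileged Qubes account; root is not needed
User=user
```

The qrexec policy file in dom0 still decides whether the call to `user.monerod` is allowed, so this unit only replaces the rc.local step in the wallet qube.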