From 09bb64f6526aa66da031e3fa2316732d4a1ea802 Mon Sep 17 00:00:00 2001
From: Ben Grande
Date: Thu, 13 Jun 2024 15:45:37 +0200
Subject: [PATCH] feat: SSH proxy in Qubes for offline clients
---
 files/ssh/.ssh/config | 17 +++++++++++++++--
 files/ssh/.ssh/control.d/.gitignore | 0
 2 files changed, 15 insertions(+), 2 deletions(-)
 create mode 100644 files/ssh/.ssh/control.d/.gitignore
diff --git a/files/ssh/.ssh/config b/files/ssh/.ssh/config
index 203d663..a536cc9 100644
--- a/files/ssh/.ssh/config
+++ b/files/ssh/.ssh/config
@@ -1,7 +1,9 @@
-# SPDX-FileCopyrightText: 2023 Benjamin Grande M. S.
+# SPDX-FileCopyrightText: 2023 - 2024 Benjamin Grande M. S.
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
+# vim: ft=sshconfig
+## Security configuration is enforced.
 Host *
 ## Distrust the remote
 ForwardX11 no
@@ -19,6 +21,17 @@ Host *
 Ciphers aes256-gcm@openssh.com
 MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com
+## Load host configuration.
 UserKnownHostsFile ~/.ssh/known_hosts.d/%k.host ~/.ssh/known_hosts.d/%h.host
 Include ~/.ssh/config.d/*.conf
-# vim: ft=sshconfig
+
+## Recommended configuration at last.
+Host *
+ ## Connectivity
+ ControlMaster auto
+ ControlPath ~/.ssh/control.d/%r@%h:%p
+ ControlPersist 60s
+
+## Only try fancy Qubes proxy if qube has compatible service enabled.
+Match Exec "test -f /var/run/qubes-service/qusal-proxy-client"
+ ProxyCommand qrexec-client-vm @default qusal.ConnectTCP+%h+%p
diff --git a/files/ssh/.ssh/control.d/.gitignore b/files/ssh/.ssh/control.d/.gitignore
new file mode 100644
index 0000000..e69de29
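Review bot: The trailing `Host *` block in the second hunk enables connection multiplexing for every host (`ControlMaster auto`, `ControlPersist 60s`), so once a master connection is authenticated, any process running as the same user can open further sessions through the socket under `~/.ssh/control.d/` until 60 seconds after the last session closes, with no new key use or agent prompt. In a file whose header says security configuration is enforced, that trade-off deserves a comment above the block, for example `## Multiplexed sessions reuse the master's authentication; set "ControlMaster no" per host in config.d where each connection must re-authenticate.` The override works because the block sits after the `Include`. `ControlPath ~/.ssh/control.d/%r@%h:%p` could use `%C` instead, which keeps the socket path short for long host names and keeps user and host names out of the file names. The `ProxyCommand` line is run through the user's shell with `%h` expanded unquoted; recent OpenSSH releases appear to reject shell metacharacters in host names given on the command line, but quoting the argument as `'qusal.ConnectTCP+%h+%p'` is cheap defence in depth on older clients.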