Script to create appvm to run haveno on qubes #1583

Open
wants to merge 8 commits into
base: master

BrandyJSon
Contributor

This script allows a user to easily create a dedicated qube to run haveno. By default it will pull the official repository but can also be used to install unofficial repositories to access mainnet trading. A user can specify to either use a published deb.zip release (check hashes automatically, and signatures if key is supplied) or build from source. The script also does some basic hardening on debian-12-minimal template to protect the user from being deanonymized.

Please let me know if more documentation or detail in the README is necessary.

@BrandyJSon BrandyJSon requested review from a team and woodser as code owners February 6, 2025 09:45
Fix sys-whonix failed to shutdown error

No longer automatically uninstalls debian-12-minimal template

No longer uses apt (apt-get instead)
@BrandyJSon
Contributor Author

Sorry about that, removed haveno-reto in the most recent commit.

@woodser
Contributor

woodser commented Feb 14, 2025

@boldsuck had some good feedback he posted in the dev chat:

<boldsuck> idk if brandyjson's script needs --torControlUseSafeCookieAuth bc torControl port always needs auth.
<boldsuck> He should perhaps take a look at my DirectBindTor. Most people don't know that it exists and rework bisq scripts.
<boldsuck> In line 291 he has:
<boldsuck> qvm-run --pass-io -u root -- whonix-gateway-17 "echo -e 'Sandbox 1\nConnectionPadding 1\n' > /usr/local/etc/torrc.d/50_user.conf"
<boldsuck> why not
<boldsuck> qvm-run --pass-io -u root -- whonix-gateway-17 "echo -e 'Sandbox 1\nConnectionPadding 1\nHiddenServiceDir /var/lib/tor/haveno_service/1\nHiddenServicePort 9999 "$(qvm-prefs sys-whonix ip)":9999' > /usr/local/etc/torrc.d/50_user.conf"
<boldsuck> And leave out all those with Tor ControlPort and onion grater. Just use default SocksPort:9050
<boldsuck> TorControl Port is even more powerful than monerod --rpc-bind-port
<boldsuck> I have 'ControlPort 0' on Tor relays. How secure is network traffic between Qubes VM on unsecure OS? idk
<boldsuck> Whonix-gateway was able to use clipboard sharing with Host OS per default

…s suggestion

Create a script to automatically generate a new hidden service address for haveno to utilize

Update README.md
@BrandyJSon
Contributor Author

Just updated the script to use boldsuck's suggested method. No more control port access needed.

Additionally I added another script to make it easy for a user to generate a new hidden service address for haveno to utilize.

@woodser
Contributor

woodser commented Feb 18, 2025

Feedback from syringes in the haveno chat channel:

I tested the script out on a fresh Qubes installation. I successfully installed and ran retoswap but there were a few bugs.

Fails to restart sys-whonix if VMs are connected. Standard Qubes behavior but is it possible to mimic the restart functions in Qubes Update?

Signature failed multiple times when entered 'https://retoswap.com/reto_public.asc' at the signature prompt but was able to verify the .sig when manually downloaded in a dispvm

Replacing the segment at line 126 with this fixed the issue

if [[ $from_source -eq 1 ]]; then
	log "Downloading haveno release version $version"
	$TPL_ROOT "curl -L  --remote-name-all $HAVENO_REPO/releases/download/$version/{$TARGET_DEB,$TARGET_DEB.sig,$version-hashes.txt}"
	read -p "Enter url to verify signatures or anything else to skip:" key
	if [[ $key =~ $regex ]]; then
		# Install gnupg2 in the template and fetch the key from the entered URL
		$TPL_ROOT "apt-get install --no-install-recommends gnupg2 -y"
		$TPL_ROOT "gpg2 --fetch-keys $key"
		# gpg2 prints the verification result on stderr, so capture both streams
		verify_output=$($TPL_ROOT "gpg2 --verify $TARGET_DEB.sig 2>&1")
		if [[ $verify_output =~ "Good signature" ]]; then
			log "Signature valid, continuing"
		else
			log "Signature invalid, exiting"
			exit 1
		fi
	fi

Hardening did not work with tirdad. Even after modifying for the correct repositories and public key an error code 1 occurred and stopped the script.
Perhaps comment out tirdad until then?
Also

on line 219 if [ $unhardened ]; then
should be
if [ $unhardened -eq 0 ]; then
Also eventually if anyone would like to make a guide for manual installation. I believe a lot more people would feel comfortable with that rather than running a script in dom0
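
A stricter form of the signature check discussed in this thread, as an added example that is not part of the PR or of any commenter's post: rather than matching "Good signature" in gpg's human-readable output for whatever key was just fetched, it reads gpg's `--status-fd` lines and accepts only a good signature made by a fingerprint pinned beforehand. The function names, the sample status text and the fingerprint are constructed for illustration; it is written in POSIX sh so it also runs under bash.

```sh
#!/bin/sh
# Added example, not code from the PR. Names and sample data are hypothetical.

# Succeeds only if gpg's --status-fd output reports GOODSIG and a VALIDSIG
# whose signing-key or primary-key fingerprint equals the pinned fingerprint.
# Returns 2 for an unusable pin, 1 for any other failure.
status_matches_pinned_key() {
    status=$1
    pinned=$(printf '%s' "$2" | tr -d '[:space:]' | tr 'a-f' 'A-F')
    # Only a full 40-hex fingerprint may be pinned; short key IDs are refused.
    case $pinned in ''|*[!0-9A-F]*) return 2 ;; esac
    [ "${#pinned}" -eq 40 ] || return 2
    good=1 match=1
    while read -r tag kw fpr rest; do
        [ "$tag" = "[GNUPG:]" ] || continue
        case $kw in
            GOODSIG) good=0 ;;
            # Bad, unverifiable, expired or revoked: never accept.
            BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG) return 1 ;;
            VALIDSIG)
                # $fpr is the key that signed; the last field is its primary key.
                if [ "$fpr" = "$pinned" ] || [ "${rest##* }" = "$pinned" ]; then
                    match=0
                fi ;;
        esac
    done <<EOF
$status
EOF
    [ "$good" -eq 0 ] && [ "$match" -eq 0 ]
}

# Verify a detached signature against a pinned fingerprint (needs gpg installed).
verify_release() {  # usage: verify_release <file> <file.sig> <fingerprint>
    st=$(gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null) || true
    status_matches_pinned_key "$st" "$3"
}

# Constructed status output; the fingerprint is a made-up placeholder.
SAMPLE_FPR=0123456789ABCDEF0123456789ABCDEF01234567
SAMPLE_STATUS="[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Example Signer <signer@example.invalid>
[GNUPG:] VALIDSIG $SAMPLE_FPR 2025-02-18 1739836800 0 4 0 1 10 00 $SAMPLE_FPR"

if status_matches_pinned_key "$SAMPLE_STATUS" "$SAMPLE_FPR"; then
    echo "signature is good and was made by the pinned key"
fi
```

With this check, a key fetched from an arbitrary URL can still produce a cryptographically good signature, but the release is accepted only if that key's fingerprint matches one the user obtained separately.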

@boldsuck
Contributor

The script looks good, unfortunately I can't test it at the moment.
I've already written it in the Reto SimpleX chat and will ask for testers in the Whonix forum.

@BrandyJSon

Not for this script, just as a hint if useful elsewhere, bc line 104:
read -p "Warning by default 50_user.conf on sys-whonix will be overwritten (baseline is empty

There is an %include function for torrc, e.g:
%include /usr/local/etc/torrc.d/foobar
or from Haveno options, for example:
/opt/haveno/bin/Haveno --torrcOptions=%include /home/user/.local/share/Haveno/torrc.local

The latter is useful for the default Haveno installation (using netlayer/jtorctl) if users want to configure their own tor options, e.g: logging
If you don't use DirectBindTor, Haveno rewrites the torrc in the appDataDir on every restart and therefore direct editing is useless.

@boldsuck
Contributor

I tested the script out on a fresh Qubes installation. I successfully installed and ran retoswap but there were a few bugs.

It's nice to hear that it works on Qubes via SocksPort.

Signature failed multiple times when entered 'https://retoswap.com/reto_public.asc' at the signature prompt but was able to verify the .sig when manually downloaded in a dispvm

RetoSwap is on Github. This is probably more of an issue because Github is Tor hostile. I'll ask the arbs if they can upload the key to keys.openpgp.org. Then you can use:
keyserver hkp://zkaan2xfbuxia2wpf7ofnkbz6r5zdbbvxbunvp5g2iebopbfc4iqmbad.onion

Fix signature checks
@BrandyJSon
Contributor Author

BrandyJSon commented Feb 19, 2025

Everything mentioned above should be fixed, signature checks & tirdad installation.

I believe this should be ready for merge but feel free to let me know if anything else needs changes.

Edit : syringes pointed out that appVMs wouldn't maintain payment accounts after restarting. Most recent commit (30956ac) has fixed this and also added default behavior to create an appVM.

Edit : Most recent commit fixes appmenu sync issue

Should be completely ready for final review

@boldsuck
Contributor

I format the guide until I like it. For Haveno Docu I will of course change the reto installation instructions.
I have pointed out this PR

Whonix Wiki also points out that ZeroNet, OnionShare and Bisq talking to Tor control port is not 'optimal'.
@BrandyJSon I like your script.

Maybe someone will have time to extend DirectBindTor at some point and add Unix socket support to TCP socket 'SocksPort:9050'. But I have no idea if this is possible with a Java app.

@xyhhx

xyhhx commented Feb 21, 2025

discovered this as someone shared it in the qubes os room on matrix.

i was curious about a few things:

for @BrandyJSon:

  • why did you choose to offer bash scripts instead of salt states?
  • to that end, why not offer rpm packages so these can be installed into a qube using ootb tools?
  • nitpick, but why did you choose to format lines like this? they're hard to read
  • why not use unix sockets for the socat tunnels?
  • why not use more of kicksecure's offerings?
  • you should use qubesdb-read /name instead of hostname, as it's less likely to be tampered with in a disaster scenario
  • i want to say "why don't you verify the commits of the git repos you're cloning?", but it looks like haveno doesn't even bother to sign their commits lol 🤡
  • it might be a better idea to move the git clone and other download commands to a disposable vm and only copy them to the template once they're verified etc
  • the template isn't very hardened in my opinion. the only steps you took were installing tirdad and removing a few packages at the end of the installer from the template (including gpg??)
  • qubes split-gpg is not configured, which would reduce the chances of compromising your gpg toolchain in the haveno template/appvm

anyway those were just some notes i had after perusing the script

@boldsuck i was wondering about your choice in distro too, if you don't mind

  • why are you specifically interested in debian? it is far more out of date than fedora, and fedora has selinux which is more robust than apparmor ah i see they do not offer an rpm package

@boldsuck
Contributor

boldsuck commented Feb 21, 2025

@boldsuck i was wondering about your choice in distro too, if you don't mind

Simply a personal reference. Over 25 years ago, most people in Germany used SuSE Linux & Mandrake in France.
Then the drama began, many commercial ones went bankrupt or were sold: Novell/Microsoft buys Suse, IBM buys Red Hat, CentOS is suddenly discontinued, Oracle buys Sun and what else.

I only use long-lasting community distros (Debian, FreeBSD/HardenedBSD, Gentoo)
Many derivatives come from Debian (Ubuntu, Kali, Tails, Whonix, OpenWRT & Vyatta/VyOS) and there are most books and docu for it. And especially on servers, you want to have security updates for at least 5 years.
If you ever need to upgrade more than 10 servers, 10 laptops and dozens of network devices, a long release cycle & a hassle-free dist upgrade is more important than having the latest software. There are also deb-backports and self-compilation.

Haveno rpm packages are available.

@xyhhx

xyhhx commented Feb 21, 2025

fair enough!

4 participants