qusal/salt/sys-wireguard/install.sls

{#
SPDX-FileCopyrightText: 2022 unman <unman@thirdeyesecurity.org>
SPDX-FileCopyrightText: 2023 - 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com>

SPDX-License-Identifier: AGPL-3.0-or-later
#}

{% if grains['nodename'] != 'dom0' -%}

include:
  - utils.tools.common.update
  - sys-net.install-proxy

"{{ slsdotpath }}-installed":
  pkg.installed:
    - require:
      - sls: utils.tools.common.update
    - install_recommends: False
    - skip_suggestions: True
    - setopt: "install_weak_deps=False"
    - pkgs:
      - qubes-core-agent-networking
      - ca-certificates
      - iproute2
      - resolvconf
      - wireguard
      - unzip
      - curl
      - man-db

"{{ slsdotpath }}-bind-dirs":
  file.managed:
    - name: /etc/qubes-bind-dirs.d/50-{{ slsdotpath }}.conf
    - source: salt://{{ slsdotpath }}/files/server/qubes-bind-dirs.d/50-{{ slsdotpath }}.conf
    - user: root
    - group: root
    - mode: '0644'
    - makedirs: True

"{{ slsdotpath }}-systemd-service":
  file.managed:
    - name: /usr/lib/systemd/system/wg-quick@wireguard.service.d/50_qusal.conf
    - source: salt://{{ slsdotpath }}/files/server/systemd/wg-quick@wireguard.service.d/50_qusal.conf
    - user: root
    - group: root
    - mode: '0644'
    - makedirs: True

"{{ slsdotpath }}-enable-wg-quick@wireguard":
  service.enabled:
    - name: wg-quick@wireguard

{% endif -%}
refactor: initial commit 2023-11-13 09:33:28 -05:00			`{#`
chore: Fix unman copyright contact 2023-11-13 13:18:06 -05:00			`SPDX-FileCopyrightText: 2022 unman <unman@thirdeyesecurity.org>`
chore: copyright update 2024-01-29 10:49:54 -05:00			`SPDX-FileCopyrightText: 2023 - 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com>`
refactor: initial commit 2023-11-13 09:33:28 -05:00
			`SPDX-License-Identifier: AGPL-3.0-or-later`
			`#}`

			`{% if grains['nodename'] != 'dom0' -%}`

fix: remove extraneous package repository updates Updates happens multiple times, normally 2 to 3, even if we consider a state without includes. On states with multiple includes, it could easily get approximately 10 updates being ran. This behavior leads to unnecessary network bandwidth being spent and more time to run the installation state. When the connection is slow and not using the cacher, such as torified connections on Whonix, the installation can occurs much faster. Adding external repositories has to be done prior to update to ensure it is also fetched. Fixes: https://github.com/ben-grande/qusal/issues/29 2024-03-18 11:29:01 -04:00			`include:`
			`- utils.tools.common.update`
feat: add TCP proxy for remote hosts Ideally, it would be a Qrexec socket service, but it doesn't handle DNS, only accepting IPs. The dev qube is now non-networked and network, especially to remote git repositories can be acquired via the proxy that is going to be installed in every netvm. 2024-06-13 12:01:08 -04:00			`- sys-net.install-proxy`
fix: remove extraneous package repository updates Updates happens multiple times, normally 2 to 3, even if we consider a state without includes. On states with multiple includes, it could easily get approximately 10 updates being ran. This behavior leads to unnecessary network bandwidth being spent and more time to run the installation state. When the connection is slow and not using the cacher, such as torified connections on Whonix, the installation can occurs much faster. Adding external repositories has to be done prior to update to ensure it is also fetched. Fixes: https://github.com/ben-grande/qusal/issues/29 2024-03-18 11:29:01 -04:00
refactor: initial commit 2023-11-13 09:33:28 -05:00			`"{{ slsdotpath }}-installed":`
			`pkg.installed:`
fix: remove extraneous package repository updates Updates happens multiple times, normally 2 to 3, even if we consider a state without includes. On states with multiple includes, it could easily get approximately 10 updates being ran. This behavior leads to unnecessary network bandwidth being spent and more time to run the installation state. When the connection is slow and not using the cacher, such as torified connections on Whonix, the installation can occurs much faster. Adding external repositories has to be done prior to update to ensure it is also fetched. Fixes: https://github.com/ben-grande/qusal/issues/29 2024-03-18 11:29:01 -04:00			`- require:`
			`- sls: utils.tools.common.update`
refactor: initial commit 2023-11-13 09:33:28 -05:00			`- install_recommends: False`
			`- skip_suggestions: True`
fix: skip YUM weak dependencies installation Fixes: https://github.com/ben-grande/qusal/issues/96 2024-08-16 08:02:53 -04:00			`- setopt: "install_weak_deps=False"`
refactor: initial commit 2023-11-13 09:33:28 -05:00			`- pkgs:`
			`- qubes-core-agent-networking`
			`- ca-certificates`
			`- iproute2`
			`- resolvconf`
			`- wireguard`
fix: sys-wireguard compatible with Qubes 4.2 2024-01-08 14:07:20 -05:00			`- unzip`
refactor: initial commit 2023-11-13 09:33:28 -05:00			`- curl`
feat: add manual page reader Ability to read the program's manual from the terminal is much better than to ask the user to search the manual page on the internet, we already trust the installed program and documentation, but we should not trust every manual page on the internet. 2024-05-28 05:00:04 -04:00			`- man-db`
refactor: initial commit 2023-11-13 09:33:28 -05:00
fix: bind wireguard configuration directory 2024-06-28 04:39:44 -04:00			`"{{ slsdotpath }}-bind-dirs":`
			`file.managed:`
			`- name: /etc/qubes-bind-dirs.d/50-{{ slsdotpath }}.conf`
			`- source: salt://{{ slsdotpath }}/files/server/qubes-bind-dirs.d/50-{{ slsdotpath }}.conf`
			`- user: root`
			`- group: root`
			`- mode: '0644'`
			`- makedirs: True`

fix: clean Wireguard rules - Remove OpenVPN code comments; - Reorganize rules for easier reading; - Server can connect without having client attached; - Systemd service for easier monitoring of wg-quick; and - Firewall also restarts wg-quick and apply new endpoint rules. 2024-06-19 09:08:03 -04:00			`"{{ slsdotpath }}-systemd-service":`
			`file.managed:`
			`- name: /usr/lib/systemd/system/wg-quick@wireguard.service.d/50_qusal.conf`
			`- source: salt://{{ slsdotpath }}/files/server/systemd/wg-quick@wireguard.service.d/50_qusal.conf`
			`- user: root`
			`- group: root`
			`- mode: '0644'`
			`- makedirs: True`

			`"{{ slsdotpath }}-enable-wg-quick@wireguard":`
			`service.enabled:`
			`- name: wg-quick@wireguard`

refactor: initial commit 2023-11-13 09:33:28 -05:00			`{% endif -%}`