2023-11-13 09:33:28 -05:00
|
|
|
# qubes-builder
|
|
|
|
|
|
|
|
Setup Qubes OS Builder V2 in Qubes OS itself.
|
|
|
|
|
|
|
|
## Table of Contents
|
|
|
|
|
|
|
|
* [Description](#description)
|
|
|
|
* [Installation](#installation)
|
|
|
|
* [Access Control](#access-control)
|
|
|
|
* [Usage](#usage)
|
2024-06-14 13:04:29 -04:00
|
|
|
* [Pulling new commits](#pulling-new-commits)
|
|
|
|
* [Add PGP public key to qubes-builder GPG home directory](#add-pgp-public-key-to-qubes-builder-gpg-home-directory)
|
2024-01-08 14:08:54 -05:00
|
|
|
* [Builder configuration](#builder-configuration)
|
2023-11-13 09:33:28 -05:00
|
|
|
|
|
|
|
## Description
|
|
|
|
|
|
|
|
Setup a Builder qube named "qubes-builder" and a disposable template for Qubes
|
|
|
|
Executor named "dvm-qubes-builder". It is possible to use any of the available
|
|
|
|
executors: docker, podman, qubes-executor.
|
|
|
|
|
|
|
|
During installation, after cloning the qubes-builderv2 repository, signatures
|
|
|
|
will be verified and the installation will fail if the signatures couldn't be
|
|
|
|
verified. Packages necessary for split operations such as split-gpg2, spit-git
|
|
|
|
and split-ssh-agent will also be installed.
|
|
|
|
|
|
|
|
## Installation
|
|
|
|
|
|
|
|
The template is based on Fedora Minimal and not Debian Minimal due to the
|
|
|
|
Qubes Executor lacking some dependencies on Debian such as
|
|
|
|
[mock](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1025460). Even if the
|
|
|
|
builder qube was Debian based, the executor qube still needs to be a Fedora
|
|
|
|
template.
|
|
|
|
|
|
|
|
- Top
|
|
|
|
```sh
|
2024-02-23 10:54:35 -05:00
|
|
|
sudo qubesctl top.enable qubes-builder
|
|
|
|
sudo qubesctl --targets=tpl-qubes-builder,dvm-qubes-builder,qubes-builder state.apply
|
|
|
|
sudo qubesctl top.disable qubes-builder
|
2024-03-23 17:09:49 -04:00
|
|
|
sudo qubesctl state.apply qubes-builder.prefs
|
2023-11-13 09:33:28 -05:00
|
|
|
```
|
|
|
|
|
|
|
|
- State
|
|
|
|
<!-- pkg:begin:post-install -->
|
|
|
|
```sh
|
2024-02-23 10:54:35 -05:00
|
|
|
sudo qubesctl state.apply qubes-builder.create
|
|
|
|
sudo qubesctl --skip-dom0 --targets=tpl-qubes-builder state.apply qubes-builder.install
|
2024-03-23 17:09:49 -04:00
|
|
|
sudo qubesctl state.apply qubes-builder.prefs
|
2024-02-23 10:54:35 -05:00
|
|
|
sudo qubesctl --skip-dom0 --targets=dvm-qubes-builder state.apply qubes-builder.configure-qubes-executor
|
|
|
|
sudo qubesctl --skip-dom0 --targets=qubes-builder state.apply qubes-builder.configure
|
2023-11-13 09:33:28 -05:00
|
|
|
```
|
|
|
|
<!-- pkg:end:post-install -->
|
|
|
|
|
2024-06-22 04:30:38 -04:00
|
|
|
If you plan to write for a long time and analyze logs on the builder qube, it
|
|
|
|
is recommended to install some development goodies:
|
|
|
|
```sh
|
|
|
|
sudo qubesctl --skip-dom0 --targets=tpl-qubes-builder state.apply qubes-builder.install-dev
|
|
|
|
```
|
|
|
|
|
2024-06-25 18:18:44 -04:00
|
|
|
If you plan on building Qusal packages (Development only):
|
|
|
|
```sh
|
|
|
|
sudo qubesctl --skip-dom0 --targets=qubes-builder state.apply qubes-builder.configure-qusal
|
|
|
|
```
|
|
|
|
|
2023-11-13 09:33:28 -05:00
|
|
|
## Access Control
|
|
|
|
|
|
|
|
The policy is based on `qubes-builderv2/rpc/50-qubesbuilder.policy`.
|
2023-12-28 05:47:41 -05:00
|
|
|
Extra services added are `qubes.Gpg2`, `qusal.GitInit`, `qusal.GitFetch`,
|
2024-01-05 11:24:14 -05:00
|
|
|
`qusal.GitPush`, `qusal.SshAgent`. Necessary services are allowed to have an
|
|
|
|
unattended build.
|
2023-11-13 09:33:28 -05:00
|
|
|
|
|
|
|
## Usage
|
|
|
|
|
2024-06-14 13:04:29 -04:00
|
|
|
### Pulling new commits
|
|
|
|
|
|
|
|
The installation will clone the repository but not pull new commits. You will
|
|
|
|
need to pull new commits from time to time, their signature will be
|
|
|
|
automatically verified before merging them to your git index.
|
|
|
|
|
|
|
|
### Add PGP public key to qubes-builder GPG home directory
|
|
|
|
|
|
|
|
If you need to pull commits signed by someone with a key not deployed by
|
|
|
|
default, import their key to the GPG home directory of qubes-builder:
|
|
|
|
```sh
|
|
|
|
gpg --homedir "$HOME/.gnupg/qubes-builder" --import KEY
|
|
|
|
```
|
2024-01-08 14:08:54 -05:00
|
|
|
### Builder configuration
|
2023-11-13 09:33:28 -05:00
|
|
|
|
2023-12-28 06:26:37 -05:00
|
|
|
When using the Qubes Executor, configure the `builder.yml` `dispvm` option to
|
2023-11-13 09:33:28 -05:00
|
|
|
either `dom0` or `dvm-qubes-builder`:
|
|
|
|
```yaml
|
2024-01-08 14:08:54 -05:00
|
|
|
include:
|
|
|
|
- example-configs/desired-config.yml
|
|
|
|
|
2023-11-13 09:33:28 -05:00
|
|
|
executor:
|
|
|
|
type: qubes
|
|
|
|
options:
|
|
|
|
dispvm: "dom0"
|
|
|
|
#dispvm: "dvm-qubes-builder"
|
|
|
|
```
|
|
|
|
Setting the Disposable VM to Dom0 works because it will use the
|
|
|
|
`default_dispvm` preference of `qubes-builder`, which is `dvm-qubes-builder`.
|
2024-06-25 18:18:44 -04:00
|
|
|
|
|
|
|
### Build Qusal
|
|
|
|
|
|
|
|
**Warning**: development only.
|
|
|
|
|
|
|
|
You can easily build Qusal as a default configuration is provided.
|
|
|
|
|
|
|
|
Place only the following in `builder.yml`:
|
|
|
|
```yaml
|
|
|
|
include:
|
|
|
|
- ../qusal-builder/qusal.yml
|
|
|
|
```
|
|
|
|
|
|
|
|
To run the `sign` state, you will need to change the configuration option
|
|
|
|
`sign-key:rpm:KEY` to your key fingerprint as well as import the same key to
|
|
|
|
the default GnuPG home directory `~/.gnupg`.
|