qusal/salt/qubes-builder/README.md

# qubes-builder

Setup Qubes OS Builder V2 in Qubes OS itself.

## Table of Contents

*   [Description](#description)
*   [Installation](#installation)
*   [Access Control](#access-control)
*   [Usage](#usage)
    *   [Pulling new commits](#pulling-new-commits)
    *   [Add PGP public key to qubes-builder GPG home directory](#add-pgp-public-key-to-qubes-builder-gpg-home-directory)
    *   [Builder configuration](#builder-configuration)
    *   [Build Qusal](#build-qusal)

## Description

Setup a Builder qube named "qubes-builder" and a disposable template for Qubes
Executor named "dvm-qubes-builder". It is possible to use any of the available
executors: docker, podman, qubes-executor.

During installation, after cloning the qubes-builderv2 repository, signatures
will be verified and the installation will fail if the signatures couldn't be
verified. Packages necessary for split operations such as split-gpg2, spit-git
and split-ssh-agent will also be installed.

## Installation

The template is based on Fedora Minimal and not Debian Minimal due to the
Qubes Executor lacking some dependencies on Debian such as
[mock](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1025460). Even if the
builder qube was Debian based, the executor qube still needs to be a Fedora
template.

<!-- TODO: remove after 1 month: 2024-08-4 -->
If installation fails on non existent qubes-infrastructure-mirrors directory
during the `qubes-builder.configure` state, please
[manually pull new commits](#Pulling new commits) and then run the state
again. This issue will occur to everyone that ran the same state before
`2024-07-01`, due to [submodule addition](https://github.com/QubesOS/qubes-builderv2/commit/bc6d9a9954d985d2be3ec76ce86d44fea13d345b).
Qusal maintainer decision is not to handle such issue automatically as it
can lead to data loss in case user does manual changes, the installation would
need to `reset` the user changes and to do a clean `pull` that wouldn't fail.
After you've pulled the commit including the `.gitmodules` once, future
installations won't have this issue.

*   Top:

```sh
sudo qubesctl top.enable qubes-builder
sudo qubesctl --targets=tpl-qubes-builder,dvm-qubes-builder,qubes-builder state.apply
sudo qubesctl top.disable qubes-builder
sudo qubesctl state.apply qubes-builder.prefs
```

*   State:

<!-- pkg:begin:post-install -->

```sh
sudo qubesctl state.apply qubes-builder.create
sudo qubesctl --skip-dom0 --targets=tpl-qubes-builder state.apply qubes-builder.install
sudo qubesctl state.apply qubes-builder.prefs
sudo qubesctl --skip-dom0 --targets=dvm-qubes-builder state.apply qubes-builder.configure-qubes-executor
sudo qubesctl --skip-dom0 --targets=qubes-builder state.apply qubes-builder.configure
```

<!-- pkg:end:post-install -->

If you plan to write for a long time and analyze logs on the builder qube, it
is recommended to install some development goodies:

```sh
sudo qubesctl --skip-dom0 --targets=tpl-qubes-builder state.apply qubes-builder.install-dev
```

If you plan on building Qusal packages (Development only):

```sh
sudo qubesctl --skip-dom0 --targets=qubes-builder state.apply qubes-builder.configure-qusal
```

## Access Control

The policy is based on `qubes-builderv2/rpc/50-qubesbuilder.policy`.
Extra services added are `qubes.Gpg2`, `qusal.GitInit`, `qusal.GitFetch`,
`qusal.GitPush`, `qusal.SshAgent`. Necessary services are allowed to have an
unattended build.

## Usage

### Pulling new commits

The installation will clone the repository but not pull new commits. You will
need to pull new commits from time to time, their signature will be
automatically verified before merging them to your git index.

Pull `qubes-builderv2` commits:

```sh
git pull
```

Initialize and merge submodules:

```sh
git submodule update --init
git submodule update --merge
```

### Add PGP public key to qubes-builder GPG home directory

If you need to pull commits signed by someone with a key not deployed by
default, import their key to the GPG home directory of qubes-builder:

```sh
gpg-qubes-builder --import /path/to/key
```

### Builder configuration

When using the Qubes Executor, configure the `builder.yml` `dispvm` option to
either `dom0` or `dvm-qubes-builder`:

```yaml
include:
  - example-configs/desired-config.yml

executor:
  type: qubes
  options:
    dispvm: "dom0"
    #dispvm: "dvm-qubes-builder"

gpg-client: gpg
```

Setting the Disposable VM  to Dom0 works because it will use the
`default_dispvm` preference of `qubes-builder`, which is `dvm-qubes-builder`.

Setting the `gpg-client` explicitly to enforce the use of `split-gpg2`.

### Build Qusal

**Warning**: development only.

You can easily build Qusal as a default configuration is provided.

Place only the following in `builder.yml`:

```yaml
include:
  - ../qusal-builder/qusal.yml
```

To run the `sign` state, you will need to change the configuration option
`sign-key:rpm:KEY` to your key fingerprint as well as import the same key to
the default GnuPG home directory `~/.gnupg`.
refactor: initial commit 2023-11-13 09:33:28 -05:00			`# qubes-builder`

			`Setup Qubes OS Builder V2 in Qubes OS itself.`

			`## Table of Contents`

doc: lint markdown files Only way to have a unified markdown syntax is to enforce the wanted syntax by linting the files. Don't rely on the many markdown syntaxes, be consistent. 2024-07-04 11:10:11 -04:00			`* [Description](#description)`
			`* [Installation](#installation)`
			`* [Access Control](#access-control)`
			`* [Usage](#usage)`
			`* [Pulling new commits](#pulling-new-commits)`
			`* [Add PGP public key to qubes-builder GPG home directory](#add-pgp-public-key-to-qubes-builder-gpg-home-directory)`
			`* [Builder configuration](#builder-configuration)`
			`* [Build Qusal](#build-qusal)`
refactor: initial commit 2023-11-13 09:33:28 -05:00
			`## Description`

			`Setup a Builder qube named "qubes-builder" and a disposable template for Qubes`
			`Executor named "dvm-qubes-builder". It is possible to use any of the available`
			`executors: docker, podman, qubes-executor.`

			`During installation, after cloning the qubes-builderv2 repository, signatures`
			`will be verified and the installation will fail if the signatures couldn't be`
			`verified. Packages necessary for split operations such as split-gpg2, spit-git`
			`and split-ssh-agent will also be installed.`

			`## Installation`

			`The template is based on Fedora Minimal and not Debian Minimal due to the`
			`Qubes Executor lacking some dependencies on Debian such as`
			`[mock](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1025460). Even if the`
			`builder qube was Debian based, the executor qube still needs to be a Fedora`
			`template.`

fix: use mirrors metalink as a submodule 2024-07-04 05:24:21 -04:00			`<!-- TODO: remove after 1 month: 2024-08-4 -->`
			`If installation fails on non existent qubes-infrastructure-mirrors directory`
			during the `qubes-builder.configure` state, please
			`[manually pull new commits](#Pulling new commits) and then run the state`
			`again. This issue will occur to everyone that ran the same state before`
			`2024-07-01`, due to [submodule addition](https://github.com/QubesOS/qubes-builderv2/commit/bc6d9a9954d985d2be3ec76ce86d44fea13d345b).
			`Qusal maintainer decision is not to handle such issue automatically as it`
			`can lead to data loss in case user does manual changes, the installation would`
			need to `reset` the user changes and to do a clean `pull` that wouldn't fail.
			After you've pulled the commit including the `.gitmodules` once, future
			`installations won't have this issue.`

doc: lint markdown files Only way to have a unified markdown syntax is to enforce the wanted syntax by linting the files. Don't rely on the many markdown syntaxes, be consistent. 2024-07-04 11:10:11 -04:00			`* Top:`

refactor: initial commit 2023-11-13 09:33:28 -05:00			```sh
doc: prefix qubesctl with sudo Fixes: https://github.com/ben-grande/qusal/issues/20 2024-02-23 10:54:35 -05:00			`sudo qubesctl top.enable qubes-builder`
			`sudo qubesctl --targets=tpl-qubes-builder,dvm-qubes-builder,qubes-builder state.apply`
			`sudo qubesctl top.disable qubes-builder`
fix: install salt depends in fedora-39-minimal Fixes: https://github.com/ben-grande/qusal/issues/38 2024-03-23 17:09:49 -04:00			`sudo qubesctl state.apply qubes-builder.prefs`
refactor: initial commit 2023-11-13 09:33:28 -05:00			```

doc: lint markdown files Only way to have a unified markdown syntax is to enforce the wanted syntax by linting the files. Don't rely on the many markdown syntaxes, be consistent. 2024-07-04 11:10:11 -04:00			`* State:`

refactor: initial commit 2023-11-13 09:33:28 -05:00			`<!-- pkg:begin:post-install -->`
doc: lint markdown files Only way to have a unified markdown syntax is to enforce the wanted syntax by linting the files. Don't rely on the many markdown syntaxes, be consistent. 2024-07-04 11:10:11 -04:00
refactor: initial commit 2023-11-13 09:33:28 -05:00			```sh
doc: prefix qubesctl with sudo Fixes: https://github.com/ben-grande/qusal/issues/20 2024-02-23 10:54:35 -05:00			`sudo qubesctl state.apply qubes-builder.create`
			`sudo qubesctl --skip-dom0 --targets=tpl-qubes-builder state.apply qubes-builder.install`
fix: install salt depends in fedora-39-minimal Fixes: https://github.com/ben-grande/qusal/issues/38 2024-03-23 17:09:49 -04:00			`sudo qubesctl state.apply qubes-builder.prefs`
doc: prefix qubesctl with sudo Fixes: https://github.com/ben-grande/qusal/issues/20 2024-02-23 10:54:35 -05:00			`sudo qubesctl --skip-dom0 --targets=dvm-qubes-builder state.apply qubes-builder.configure-qubes-executor`
			`sudo qubesctl --skip-dom0 --targets=qubes-builder state.apply qubes-builder.configure`
refactor: initial commit 2023-11-13 09:33:28 -05:00			```
doc: lint markdown files Only way to have a unified markdown syntax is to enforce the wanted syntax by linting the files. Don't rely on the many markdown syntaxes, be consistent. 2024-07-04 11:10:11 -04:00
refactor: initial commit 2023-11-13 09:33:28 -05:00			`<!-- pkg:end:post-install -->`

feat: add development goodies to Qubes Builder 2024-06-22 04:30:38 -04:00			`If you plan to write for a long time and analyze logs on the builder qube, it`
			`is recommended to install some development goodies:`
doc: lint markdown files Only way to have a unified markdown syntax is to enforce the wanted syntax by linting the files. Don't rely on the many markdown syntaxes, be consistent. 2024-07-04 11:10:11 -04:00
feat: add development goodies to Qubes Builder 2024-06-22 04:30:38 -04:00			```sh
			`sudo qubesctl --skip-dom0 --targets=tpl-qubes-builder state.apply qubes-builder.install-dev`
			```

feat: deploy Qusal Builder configuration For: https://github.com/ben-grande/qusal/issues/59 2024-06-25 18:18:44 -04:00			`If you plan on building Qusal packages (Development only):`
doc: lint markdown files Only way to have a unified markdown syntax is to enforce the wanted syntax by linting the files. Don't rely on the many markdown syntaxes, be consistent. 2024-07-04 11:10:11 -04:00
feat: deploy Qusal Builder configuration For: https://github.com/ben-grande/qusal/issues/59 2024-06-25 18:18:44 -04:00			```sh
			`sudo qubesctl --skip-dom0 --targets=qubes-builder state.apply qubes-builder.configure-qusal`
			```

refactor: initial commit 2023-11-13 09:33:28 -05:00			`## Access Control`

			The policy is based on `qubes-builderv2/rpc/50-qubesbuilder.policy`.
fix: strict split-gpg2 service Split-gpg V1 allowed for querying public keys, but as split-gpg2 is running as an agent, public keys are not queried. Allowing connection to the server to query only public parts of the key exposes the server more than needed to the client. All clients now have to hold the public key they need locally in order to do GPG operations. 2023-12-28 05:47:41 -05:00			Extra services added are `qubes.Gpg2`, `qusal.GitInit`, `qusal.GitFetch`,
feat: unattended qubes-builder build Split-gpg2 allows to isolate GPG home directories. In the future, enforcing this setting via drop-in configuration would be safer, depends on https://github.com/QubesOS/qubes-issues/issues/8792. 2024-01-05 11:24:14 -05:00			`qusal.GitPush`, `qusal.SshAgent`. Necessary services are allowed to have an
			`unattended build.`
refactor: initial commit 2023-11-13 09:33:28 -05:00
			`## Usage`

fix: signature check breaks qubes-builder update The state module git.latest does not allow setting environment variable for us to set the correct GNUPGHOME. The module environ.set does not work as we call git as the normal user and not as root, but may still be the problem of git.latest not respecting environment variables. The problem with always pulling new commits is that it may conflict with the current work the user has done on the repository locally. It will also not work in case the last commit is not signed by a trusted key deployed by the formula, in this case, you should add the key manually to verify the commit. Setting the gpg.program only for the required repositories solves the aforementioned problem and also enhances usability by removing extra commands that the user needs to learn and remember. Fixes: https://github.com/ben-grande/qusal/issues/58 2024-06-14 13:04:29 -04:00			`### Pulling new commits`

			`The installation will clone the repository but not pull new commits. You will`
			`need to pull new commits from time to time, their signature will be`
			`automatically verified before merging them to your git index.`

fix: use mirrors metalink as a submodule 2024-07-04 05:24:21 -04:00			Pull `qubes-builderv2` commits:
doc: lint markdown files Only way to have a unified markdown syntax is to enforce the wanted syntax by linting the files. Don't rely on the many markdown syntaxes, be consistent. 2024-07-04 11:10:11 -04:00
fix: use mirrors metalink as a submodule 2024-07-04 05:24:21 -04:00			```sh
			`git pull`
			```

			`Initialize and merge submodules:`
doc: lint markdown files Only way to have a unified markdown syntax is to enforce the wanted syntax by linting the files. Don't rely on the many markdown syntaxes, be consistent. 2024-07-04 11:10:11 -04:00
			```sh
fix: use mirrors metalink as a submodule 2024-07-04 05:24:21 -04:00			`git submodule update --init`
			`git submodule update --merge`
			```

fix: signature check breaks qubes-builder update The state module git.latest does not allow setting environment variable for us to set the correct GNUPGHOME. The module environ.set does not work as we call git as the normal user and not as root, but may still be the problem of git.latest not respecting environment variables. The problem with always pulling new commits is that it may conflict with the current work the user has done on the repository locally. It will also not work in case the last commit is not signed by a trusted key deployed by the formula, in this case, you should add the key manually to verify the commit. Setting the gpg.program only for the required repositories solves the aforementioned problem and also enhances usability by removing extra commands that the user needs to learn and remember. Fixes: https://github.com/ben-grande/qusal/issues/58 2024-06-14 13:04:29 -04:00			`### Add PGP public key to qubes-builder GPG home directory`

			`If you need to pull commits signed by someone with a key not deployed by`
			`default, import their key to the GPG home directory of qubes-builder:`
doc: lint markdown files Only way to have a unified markdown syntax is to enforce the wanted syntax by linting the files. Don't rely on the many markdown syntaxes, be consistent. 2024-07-04 11:10:11 -04:00
fix: signature check breaks qubes-builder update The state module git.latest does not allow setting environment variable for us to set the correct GNUPGHOME. The module environ.set does not work as we call git as the normal user and not as root, but may still be the problem of git.latest not respecting environment variables. The problem with always pulling new commits is that it may conflict with the current work the user has done on the repository locally. It will also not work in case the last commit is not signed by a trusted key deployed by the formula, in this case, you should add the key manually to verify the commit. Setting the gpg.program only for the required repositories solves the aforementioned problem and also enhances usability by removing extra commands that the user needs to learn and remember. Fixes: https://github.com/ben-grande/qusal/issues/58 2024-06-14 13:04:29 -04:00			```sh
fix: use mirrors metalink as a submodule 2024-07-04 05:24:21 -04:00			`gpg-qubes-builder --import /path/to/key`
fix: signature check breaks qubes-builder update The state module git.latest does not allow setting environment variable for us to set the correct GNUPGHOME. The module environ.set does not work as we call git as the normal user and not as root, but may still be the problem of git.latest not respecting environment variables. The problem with always pulling new commits is that it may conflict with the current work the user has done on the repository locally. It will also not work in case the last commit is not signed by a trusted key deployed by the formula, in this case, you should add the key manually to verify the commit. Setting the gpg.program only for the required repositories solves the aforementioned problem and also enhances usability by removing extra commands that the user needs to learn and remember. Fixes: https://github.com/ben-grande/qusal/issues/58 2024-06-14 13:04:29 -04:00			```
fix: use mirrors metalink as a submodule 2024-07-04 05:24:21 -04:00
doc: cleaner usage sections for qubes-builder 2024-01-08 14:08:54 -05:00			`### Builder configuration`
refactor: initial commit 2023-11-13 09:33:28 -05:00
doc: better usage of split-gpg2 in qubes-builder 2023-12-28 06:26:37 -05:00			When using the Qubes Executor, configure the `builder.yml` `dispvm` option to
refactor: initial commit 2023-11-13 09:33:28 -05:00			either `dom0` or `dvm-qubes-builder`:
doc: lint markdown files Only way to have a unified markdown syntax is to enforce the wanted syntax by linting the files. Don't rely on the many markdown syntaxes, be consistent. 2024-07-04 11:10:11 -04:00
refactor: initial commit 2023-11-13 09:33:28 -05:00			```yaml
doc: cleaner usage sections for qubes-builder 2024-01-08 14:08:54 -05:00			`include:`
			`- example-configs/desired-config.yml`

refactor: initial commit 2023-11-13 09:33:28 -05:00			`executor:`
			`type: qubes`
			`options:`
			`dispvm: "dom0"`
			`#dispvm: "dvm-qubes-builder"`
fix: use mirrors metalink as a submodule 2024-07-04 05:24:21 -04:00
			`gpg-client: gpg`
refactor: initial commit 2023-11-13 09:33:28 -05:00			```
doc: lint markdown files Only way to have a unified markdown syntax is to enforce the wanted syntax by linting the files. Don't rely on the many markdown syntaxes, be consistent. 2024-07-04 11:10:11 -04:00
refactor: initial commit 2023-11-13 09:33:28 -05:00			`Setting the Disposable VM to Dom0 works because it will use the`
			`default_dispvm` preference of `qubes-builder`, which is `dvm-qubes-builder`.
feat: deploy Qusal Builder configuration For: https://github.com/ben-grande/qusal/issues/59 2024-06-25 18:18:44 -04:00
fix: use mirrors metalink as a submodule 2024-07-04 05:24:21 -04:00			Setting the `gpg-client` explicitly to enforce the use of `split-gpg2`.

feat: deploy Qusal Builder configuration For: https://github.com/ben-grande/qusal/issues/59 2024-06-25 18:18:44 -04:00			`### Build Qusal`

			`Warning: development only.`

			`You can easily build Qusal as a default configuration is provided.`

			Place only the following in `builder.yml`:
doc: lint markdown files Only way to have a unified markdown syntax is to enforce the wanted syntax by linting the files. Don't rely on the many markdown syntaxes, be consistent. 2024-07-04 11:10:11 -04:00
feat: deploy Qusal Builder configuration For: https://github.com/ben-grande/qusal/issues/59 2024-06-25 18:18:44 -04:00			```yaml
			`include:`
			`- ../qusal-builder/qusal.yml`
			```

			To run the `sign` state, you will need to change the configuration option
			`sign-key:rpm:KEY` to your key fingerprint as well as import the same key to
			the default GnuPG home directory `~/.gnupg`.