style: limit line length per file extension

Editorconfig can only act based on file extension and path, not
attributes, it remains a mean only for multiple collaborators to use the
same configuration on their editor. When it is too restrictive, such as
not considering the file syntax, use a lint tool for the specific file
type instead of trusting editorconfig. Changes were made to increase
readability.

.editorconfig

@@ -1,4 +1,4 @@
-# SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
+# SPDX-FileCopyrightText: 2023 - 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com>
 #
 # SPDX-License-Identifier: GPL-3.0-or-later
 
@@ -16,8 +16,24 @@ end_of_line = lf
 indent_style = tab
 indent_size = 8
 
-[*.{md,sh,yaml,yml,toml,json}]
+[*.{md,toml,json}]
 indent_size = 2
 
-[*.{py}]
+[*.{yaml,yml}]
+indent_size = 2
+max_line_length = 120
+
+[*.{sls,top,jinja}]
+max_line_length = 160
+
+[*.py]
 indent_size = 4
+max_line_length = 79
+
+[{*.{sh,bash,ksh,zsh,lessfilter,xinitrc,Xinitrc,xsession,Xsession,xsessionrc,Xsessionrc,xprofile,Xprofile},**/.config/{sh,bash,ksh,zsh}/**,**/git/shell/**,**/qubes-bind-dirs.d/**,**/lib-qubes-bind-dirs.d/**,**/rc.local.d/**,**/dom0/files/autostartart-scripts/**,**/git/template/hooks/**,**/git/files/client/git-core/**}]
+indent_size = 2
+## Impossible to be sure via file extension if it is a shell file.
+# /bin/.*
+# /rpc/.*
+# /network-hooks\.d/.*
+# /qubes-firewall\.d/.*

.github/workflows/reject-pr.yaml

@@ -52,5 +52,9 @@ jobs:
         uses: peter-evans/close-pull@v3
         with:
           # yamllint disable-line rule:line-length
-          comment: 'Automatically closing this PR due to submitter not reading the contribution guidelines and using GitHub WebUI to commit. Please fix the issues and open a new PR after you have read the contribution guidelines.'
+          comment: >
+            Automatically closing this PR due to submitter not reading the
+            contribution guidelines and using GitHub WebUI to commit. Please
+            fix the issues and open a new PR after you have read the
+            contribution guidelines.
           delete-branch: false

.pre-commit-config.yaml

@@ -28,9 +28,15 @@ repos:
         language: script
         pass_filenames: true
         # yamllint disable rule:line-length
-        files: (\.sh|/rc\.local\.d/.*\.rc|/bin/.*|/rpc/.*|/network-hooks\.d/.*|/qubes-firewall\.d/.*|/(lib-)?qubes-bind-dirs\.d/.*|/\.config/(sh|bash|zsh|less|x11|git/shell|git/template/hooks)/.*|/autostart-scripts/.*|/qvm-copy-dotfiles|/git-core/.*)
+        files: >-
+          (\.sh|/rc\.local\.d/.*\.rc|/bin/.*|/rpc/.*|/network-hooks\.d/.*|
+          /qubes-firewall\.d/.*|/(lib-)?qubes-bind-dirs\.d/.*|
+          /\.config/(sh|bash|zsh|less|x11|git/shell|git/template/hooks)/.*|
+          /autostart-scripts/.*|/qvm-copy-dotfiles|/git-core/.*)
         # yamllint disable rule:line-length
-        exclude: \.(policy|asc|txt|top|sls|jinja|toml|vim|py|muttrc|nft|md|spec|list|sources|repo|socket|timer|service|y(a)?ml)$
+        exclude: >-
+          \.(policy|asc|txt|top|sls|jinja|toml|vim|py|muttrc|nft|md|spec|
+          list|sources|repo|socket|timer|service|y(a)?ml)$
         description: Lint Shellscripts
 
       - id: markdown-lint
@@ -81,7 +87,9 @@ repos:
         args: [test]
         pass_filenames: true
         # yamllint disable rule:line-length
-        files: ^(rpm_spec/template/template.spec|salt/.*|scripts/spec-(get|gen)\.sh)$
+        files: >-
+          ^(rpm_spec/template/template.spec|salt/.*|
+          scripts/spec-(get|gen)\.sh)$
         description: Check if RPM SPEC files are up to date
 
       - id: license-lint

salt/browser/create.sls

@@ -20,8 +20,10 @@ prefs:
 - maxmem: 2000
 features:
 - set:
+  # editorconfig-checker-disable
   - default-menu-items: "qusal-mullvad-browser.desktop org.mozilla.firefox.desktop firefox.desktop firefox-esr.desktop chromium.desktop google-chrome.desktop qubes-run-terminal.desktop qubes-open-file-manager.desktop qubes-start.desktop" # noqa: 204
   - menu-items: "qusal-mullvad-browser.desktop org.mozilla.firefox.desktop firefox.desktop firefox-esr.desktop chromium.desktop google-chrome.desktop qubes-run-terminal.desktop qubes-open-file-manager.desktop qubes-start.desktop" # noqa: 204
+  # editorconfig-checker-enable
 - disable:
   - service.tracker
   - service.evolution-data-server
@@ -52,6 +54,8 @@ features:
   - service.tracker
   - service.evolution-data-server
 - set:
+  # editorconfig-checker-disable
   - menu-items: "qusal-mullvad-browser.desktop org.mozilla.firefox.desktop firefox.desktop firefox-esr.desktop chromium.desktop google-chrome.desktop qubes-run-terminal.desktop qubes-open-file-manager.desktop qubes-start.desktop" # noqa: 204
+  # editorconfig-checker-enable
 {%- endload %}
 {{ load(defaults) }}

salt/dom0/files/bin/qubes-kde-win-rules

@@ -1,6 +1,6 @@
 #!/bin/sh
 
-# SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
+# SPDX-FileCopyrightText: 2023 - 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com>
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
 
@@ -25,9 +25,11 @@ writeconf(){
   key="$2"
   value="$3"
 
-  group_id="$(grep -B1 -- "^Description=$group$" "$file" | head -1 | tr -d "[" | tr -d "]")"
+  group_id="$(grep -B1 -- "^Description=$group$" "$file" | head -1 |
+    tr -d "[" | tr -d "]")"
   if test -z "${group_id}"; then
-    highest_id="$(grep -- "\[[0-9]\+\]" "$file" | tr -d "[" | tr -d "]" | sort | tail -1)"
+    highest_id="$(grep -- "\[[0-9]\+\]" "$file" | tr -d "[" | tr -d "]" |
+      sort | tail -1)"
     if test -n "${highest_id}"; then
       group_id="$((highest_id+1))"
     else
@@ -54,7 +56,8 @@ writeconf_group(){
   fi
 
   ## Regex: https://doc.qt.io/qt-6/qregularexpression.html
-  writeconf "$chosen_group" title "^\\[(disp-|dvm-)?$chosen_group(-\\S+)?\\] .*"
+  writeconf "$chosen_group" title \
+    "^\\[(disp-|dvm-)?$chosen_group(-\\S+)?\\] .*"
   writeconf "$chosen_group" titlematch 3
   writeconf "$chosen_group" wmclass "$chosen_group"
   writeconf "$chosen_group" wmclasscomplete false

salt/dom0/files/bin/qvm-backup-find-last

@@ -9,7 +9,8 @@ set -eu
 list_backups(){
   ## Hide stderr to hide remote login connection messages (banners etc).
   # shellcheck disable=SC2086
-  ${qrun_cmd} "${qube}" -- "${cmd} ${find_cmd} 2>/dev/null"
+  qvm-run --filter-escape-chars --no-color-output --no-color-stderr \
+    --pass-io "${qube}" -- "${cmd} ${find_cmd} 2>/dev/null"
 }
 
 list_last_backup(){
@@ -35,7 +36,6 @@ cmd="${3-}"
 
 find_pattern="qubes-backup-*"
 find_cmd="find \"${path}\" -maxdepth 1 -type f -name \"${find_pattern}\""
-qrun_cmd="qvm-run --filter-escape-chars --no-color-output --no-color-stderr --pass-io"
 
 last_backup="$(list_last_backup)"
 if test -z "${last_backup}"; then

salt/dom0/files/bin/qvm-pci-regain

@@ -20,7 +20,8 @@ set -eu
 usage(){
   echo "Usage: ${0##*/} --i-like-danger <DEVICE>"
   echo "Example: ${0##*/} --i-like-danger 0000:00:1b.0"
-  echo "Warning: It is strongly discouraged to reattach PCI devices to dom0, especially if they don't support resetting!"
+  echo "Warning: Strongly discouraged to reattach PCI devices to dom0"
+  echo "Warning:  especially if it doesn't support resetting!"
   exit 1
 }
 

salt/dom0/files/bin/qvm-port-forward

@@ -72,7 +72,10 @@ get_rule_handle(){
   qube="${1}"
   chain="${2}"
   rule="${3}"
-  run_qube "${qube}" "nft --handle --stateless list chain ip qubes ${chain} | tr -d '\"' | grep '^\s\+${rule} # handle ' | awk '{print \$NF}' | tr '\n' ' '" 2>/dev/null
+  run_qube "${qube}" -- \
+    "nft --handle --stateless list chain ip qubes ${chain} |
+    tr -d '\"' | grep '^\s\+${rule} # handle ' | awk '{print \$NF}' |
+    tr '\n' ' '" 2>/dev/null
 }
 
 delete_rule_handle(){
@@ -124,10 +127,15 @@ forward() {
   fi
 
   dnat_chain="custom-pf-${to_ip_escaped}"
-  dnat_rule="iifname ${dev} ip saddr ${lan_ip} ${proto} dport ${port} ct state established,related,new counter dnat to ${to_ip}"
+  dnat_rule="iifname ${dev} ip saddr ${lan_ip} ${proto} dport ${port} ct"
+  dnat_rule="${dnat_rule} state established,related,new counter dnat to"
+  dnat_rule="${dnat_rule} ${to_ip}"
   forward_chain="custom-forward"
-  forward_rule="iifname ${dev} ip saddr ${lan_ip} ip daddr ${to_ip} ${proto} dport ${port} ct state established,related,new counter accept"
-  full_rule="nft 'add chain ip qubes ${dnat_chain} { type nat hook prerouting priority filter +1; policy accept; }
+  forward_rule="iifname ${dev} ip saddr ${lan_ip} ip daddr ${to_ip} ${proto}"
+  forward_rule="${forward_rule} dport ${port} ct state"
+  forward_rule="${forward_rule} established,related,new counter accept"
+  dnat_policy="type nat hook prerouting priority filter +1; policy accept;"
+  full_rule="nft 'add chain ip qubes ${dnat_chain} { ${dnat_policy}
 add rule ip qubes ${dnat_chain} ${dnat_rule}
 add rule ip qubes ${forward_chain} ${forward_rule}'"
 
@@ -137,7 +145,8 @@ add rule ip qubes ${forward_chain} ${forward_rule}'"
     echo "info: ${from_qube}: deleting rules" >&2
     run_qube "${from_qube}" "rm -f ${hook}"
   else
-    echo "info: ${from_qube}: adding forward rule dev ${dev} saddr ${lan_ip} daddr ${to_ip}" >&2
+    msg="adding forward rule dev ${dev} saddr ${lan_ip} daddr ${to_ip}"
+    echo "info: ${from_qube}: ${msg}" >&2
     run_qube "${from_qube}" "${full_rule}"
 
     if test "${persistent}" = "1"; then
@@ -149,7 +158,9 @@ add rule ip qubes ${forward_chain} ${forward_rule}'"
 get_handle(){
   chain=\\\${1}
   rule=\\\${2}
-  nft --handle --stateless list chain ip qubes \\\${chain} | tr -d '\\\"' | grep '^\\\s\\\+\\\${rule} \\# handle ' | awk '{print \\\$NF}' | tr \\\"\\\n\\\" \\\" \\\"
+  nft --handle --stateless list chain ip qubes \\\${chain} | \\\
+    tr -d '\\\"' | grep '^\\\s\\\+\\\${rule} \\# handle ' | \\\
+    awk '{print \\\$NF}' | tr \\\"\\\n\\\" \\\" \\\"
 }
 
 forward_handle=\\\$(get_handle ${forward_chain} \\\"${forward_rule}\\\")
@@ -169,7 +180,8 @@ fi
 ${full_rule}"
 
       create_net_dir "${from_qube}"
-      run_qube "${from_qube}" "echo \"${full_rule}\" | tee \"${hook}\" >/dev/null"
+      run_qube "${from_qube}" \
+        "echo \"${full_rule}\" | tee \"${hook}\" >/dev/null"
       run_qube "${from_qube}" "chmod +x ${hook}"
     fi
   fi
@@ -181,7 +193,8 @@ input() {
   hook="${hook_prefix}${to_ip}-${proto}-${port}.sh"
   create_net_dir "${qube}"
 
-  custom_input_rule="${proto} dport ${port} ip daddr ${to_ip} ct state new counter accept"
+  custom_input_rule="${proto} dport ${port} ip daddr ${to_ip} ct state new"
+  custom_input_rule="${custom_input_rule} counter accept"
   input_rule="nft add rule ip qubes custom-input ${custom_input_rule}"
 
   delete_rule "${qube}" "custom-input" "${custom_input_rule}"
@@ -196,7 +209,9 @@ input() {
 get_handle(){
   chain=\\\${1}
   rule=\\\${2}
-  nft --handle --stateless list chain ip qubes \\\${chain} | tr -d '\\\"' | grep '^\\\s\\\+\\\${rule} \\# handle ' | awk '{print \\\$NF}' | tr \\\"\\\n\\\" \\\" \\\"
+  nft --handle --stateless list chain ip qubes \\\${chain} | \\\
+    tr -d '\\\"' | grep '^\\\s\\\+\\\${rule} \\# handle ' | \\\
+    awk '{print \\\$NF}' | tr \\\"\\\n\\\" \\\" \\\"
 }
 
 input_handle=\\\$(get_handle custom-input \\\"${custom_input_rule}\\\")
@@ -244,7 +259,7 @@ get_lan(){
 test_qvm_run(){
   qube="${1}"
   if ! run_qube "${qube}" echo "Test QUBESRPC" >/dev/null 2>&1; then
-    echo "error: ${qube}: service qubes.VMShell failed, use a different qube" >&2
+    echo "error: ${qube}: RPC qubes.VMShell failed, use a different qube" >&2
     exit 1
   fi
 }
@@ -267,7 +282,9 @@ recurse_netvms() {
 }
 
 usage() {
-  echo "Usage: ${0##*/} --action ACTION --qube QUBE --port PORT --proto PROTO [--persistent]
+  echo "Usage: ${0##*/} OPTIONS
+Option syntax:
+  --action ACTION --qube QUBE --port PORT --proto PROTO [--persistent]
 Options:
   -a, --action ACTION        add or delete a rule (add, del)
   -q, --qube QUBE            qube name which holds the service to be exposed
@@ -280,7 +297,7 @@ Example:
   ${0##*/} --action del --qube work --port 22 --proto tcp
   ${0##*/} --action del --qube work --port 444 --proto udp
 Note: Defaults to temporary rules
-Warn: Use of '--persistent' with disposable netvm saves the rule in the disposable template" >&2
+Warn: Persistent rules of disposable netvm are saved to its template" >&2
   exit 1
 }
 
@@ -322,7 +339,9 @@ hook_dir="/rw/config/network-hooks.d"
 hook_prefix="${hook_dir}/90-port-forward-"
 persistent=""
 
-if ! OPTS=$(getopt -o h,a:q:p:n:s --long help,action:,qube:,port:,proto:,persistent -n "${0}" -- "${@}"); then
+if ! OPTS=$(getopt -o h,a:q:p:n:s \
+  --long help,action:,qube:,port:,proto:,persistent -n "${0}" -- "${@}")
+then
   echo "An error occurred while parsing options." >&2
   exit 1
 fi

salt/dom0/files/bin/qvm-screenshot

@@ -69,7 +69,8 @@ mkdir -p "${guivm_pictures_dir}" || exit 1
 
 current_date="$(date +"%Y-%m-%d-%H%M%S")"
 screenshot_basename="${current_date}.png"
-screenshot_file="${guivm_pictures_dir}/${screenshot_basename}"
+screenshot_file="${guivm_pictures_dir%*/}/${screenshot_basename}"
+qube_screenshot_file="${qube_pictures_dir}/${screenshot_basename}"
 screenshot_type_text=""
 screenshot_action_text=""
 screenshot_action_supplied=""
@@ -179,7 +180,8 @@ else
     screenshot_cmd="xfce4-screenshooter"
   fi
   if test -z "${screenshot_cmd}"; then
-    msg="screenshot programs not found: spectacle xfce4-screenshooter scrot maim"
+    msg="screenshot programs not found"
+    msg="${msg}: spectacle xfce4-screenshooter scrot maim"
     echo "[ERROR] ${msg}"
     case "${dialog_cmd}" in
       zenity) zenity --info --text "${msg}";;
@@ -217,7 +219,7 @@ case "${screenshot_type_text}" in
   *) echo "[ERROR] mode not selected"; exit 1;;
 esac
 
-if ! test -f "${guivm_pictures_dir}/${screenshot_basename}"; then
+if ! test -f "${screenshot_file}"; then
   msg="Screenshot was not saved in GuiVM"
   echo "[ERROR] ${msg}"
   case "${dialog_cmd}" in
@@ -228,7 +230,7 @@ if ! test -f "${guivm_pictures_dir}/${screenshot_basename}"; then
 fi
 
 if test "${screenshot_action_supplied}" != "1"; then
-  dialog_title="Saved to ${screenshot_basename}. What do you want to do with the screenshot?"
+  dialog_title="Saved to ${screenshot_file}. What do you want to do with it?"
   case "${dialog_cmd}" in
     zenity)
       screenshot_action_text="$(zenity --list --width=280 --height=210 \
@@ -314,10 +316,11 @@ if ! qvm-check -- "${qube}" >/dev/null 2>&1; then
 fi
 
 qvm-run "${qube}" -- "mkdir -p \"${qube_pictures_dir}\""
-qvm-run --pass-io "${qube}" -- "cat > \"${qube_pictures_dir}/${screenshot_basename}\"" < "${guivm_pictures_dir}/${screenshot_basename}"
+qvm-run --pass-io "${qube}" -- "cat > \"${qube_screenshot_file}\"" \
+  < "${screenshot_file}"
 
 if test ${file_move} = "1"; then
-  rm -f "${guivm_pictures_dir}/${screenshot_basename}"
+  rm -f "${screenshot_file}"
 fi
 
 if test "${file_manager}" = "1"; then

salt/dom0/files/bin/qvm-terminal

@@ -35,13 +35,13 @@ case "${1-}" in
     ## Try to run on focused window, if Dom0 is focused, it will prompt you to
     ## select a qube window.
     id="$(xdotool getwindowfocus)"
-    qube="$(xprop -id "${id}" -notype _QUBES_VMNAME | awk -F '"' '{print $2}')"
+    qube="$(xprop -id "${id}" -notype _QUBES_VMNAME | awk -F'"' '{print $2}')"
     if test -n "${qube}"; then
       exec qvm-run --service -- "${qube}" "qubes.StartApp+${service}"
     fi
     echo "Select a qube window ..."
     id="$(xdotool selectwindow)"
-    qube="$(xprop -id "${id}" -notype _QUBES_VMNAME | awk -F '"' '{print $2}')"
+    qube="$(xprop -id "${id}" -notype _QUBES_VMNAME | awk -F'"' '{print $2}')"
     if test -n "${qube}"; then
       qvm-run --service -- "${qube}" "qubes.StartApp+${service}"
     fi

salt/dotfiles

@@ -1 +1 @@
-Subproject commit a8129e053a38dc4c69b2010e5202c1632e67a69d
+Subproject commit 024e9c469de634181ec77eb52420f25339f4f01e

salt/fedora-minimal/files/admin/bin/salt-patch.sh

@@ -11,6 +11,7 @@
 set -eu
 
 qube="${1}"
+dnf_min_install="dnf -q install --refresh -y --setopt=install_weak_deps=False"
+
 qvm-run --user=root --pass-io --filter-escape-chars --no-color-output \
-  --no-color-stderr "${qube}" -- \
-  "dnf --quiet install --refresh --assumeyes --setopt=install_weak_deps=False python3-urllib3"
+  --no-color-stderr "${qube}" -- "${dnf_min_install} python3-urllib3"

salt/reader/create.sls

@@ -48,8 +48,10 @@ features:
 - enable:
   - appmenus-dispvm
 - set:
+  # editorconfig-checker-disable
   - default-menu-items: "qusal-mullvad-browser.desktop org.mozilla.firefox.desktop firefox.desktop firefox-esr.desktop chromium.desktop google-chrome.desktop qubes-run-terminal.desktop qubes-start.desktop libreoffice-base.desktop libreoffice-calc.desktop libreoffice-draw.desktop libreoffice-impress.desktop libreoffice-math.desktop libreoffice-startcenter.desktop libreoffice-writer.desktop org.gnome.Evince.desktop qubes-open-file-manager.desktop" # noqa: 204
   - menu-items: "qusal-mullvad-browser.desktop org.mozilla.firefox.desktop firefox.desktop firefox-esr.desktop chromium.desktop google-chrome.desktop qubes-run-terminal.desktop qubes-start.desktop libreoffice-base.desktop libreoffice-calc.desktop libreoffice-draw.desktop libreoffice-impress.desktop libreoffice-math.desktop libreoffice-startcenter.desktop libreoffice-writer.desktop org.gnome.Evince.desktop qubes-open-file-manager.desktop" # noqa: 204
+  # editorconfig-checker-enable
 {%- endload %}
 {{ load(defaults) }}
 

salt/sys-bitcoin/files/server/bin/bitcoin-rpcwhitelist-cookie

@@ -8,7 +8,8 @@ set -eu
 conf="${HOME}/.bitcoin/conf.d/cookie.conf"
 
 if ! systemctl is-active bitcoind >/dev/null 2>&1; then
-  echo "systemd service 'bitcoind' is not active, remote RPC cannot add crendtials" >&2
+  echo "systemd service 'bitcoind' is inactive" >&2
+  echo "remote RPC can't add crendetials" >&2
   exit 1
 fi
 

salt/sys-bitcoin/files/server/bin/bitcoin-whitepaper

@@ -25,7 +25,7 @@ check_installed(){
       missing_programs=1
     fi
   done
-  if test "${missing_programs}"; then
+  if test "${missing_programs}" = "1"; then
     exit 1
   fi
 }
@@ -45,7 +45,10 @@ getblock(){
   check_installed bitcoin-cli xxd
   bitcoin-cli getblock "${block_hash}" 0 \
     | tail -c+92167 \
-    | for ((o=0;o<946;++o)); do read -rN420 x; echo -n "${x::130}${x:132:130}${x:264:130}" ; done \
+    | for ((o=0;o<946;++o)); do \
+        read -rN420 x; \
+        echo -n "${x::130}${x:132:130}${x:264:130}"; \
+      done \
     | xxd -r -p \
     | tail -c+9 \
     | head -c184292 \
@@ -77,15 +80,15 @@ gettxout(){
 }
 
 usage(){
-  echo "Usage: ${0##*/} getblock|getrawtransaction|gettxtout [DIR]"
-  echo "Note: gettxtout works with pruned node"
+  echo "Usage: ${0##*/} getblock|getrawtransaction|gettxout [DIR]"
+  echo "Note: gettxout works with pruned node"
   echo "Note: DIR defaults to \$HOME"
   exit 1
 }
 
 case "${1:-}" in
-  "getblock"|"getrawtransaction"|"gettxtout")
-    test -z "${2}" || dir="${2}"
+  "getblock"|"getrawtransaction"|"gettxout")
+    test -z "${2-}" || dir="${2}"
     validate_dir "${dir}"
     output_file="${dir}/${file}"
     "${1}"

salt/sys-bitcoin/files/server/rpc/qusal.BitcoinAuthGet

@@ -14,7 +14,8 @@ bitcoin_pass="/home/user/.bitcoin/rpcclient.pass"
 user="${QREXEC_REMOTE_DOMAIN}"
 
 if ! systemctl is-active bitcoind >/dev/null 2>&1; then
-  echo "systemd service 'bitcoind' is not active, cannot add credentials with remote RPC" >&2
+  echo "systemd service 'bitcoind' is not active" >&2
+  echo "cannot add credentials with remote RPC" >&2
   exit 1
 fi
 

salt/sys-cacher/files/admin/tag.py

@@ -10,7 +10,7 @@ import argparse
 import qubesadmin  # pylint: disable=import-error
 import qubesadmin.vm  # pylint: disable=import-error
 
-def get_cacher_tagged_qubes(qubes, wanted_dist, extraneous=False):
+def get_clients(qubes, wanted_dist, extraneous=False):
     """Get qubes tagged for ACNG"""
     domains = []
     for qube in qubes.domains:  # pylint: disable=invalid-name
@@ -51,8 +51,7 @@ def main():  # pylint: disable=missing-function-docstring
 
     wanted_dist = ["debian", "fedora", "arch", "ubuntu", "kicksecure"]
     qubes = qubesadmin.Qubes()
-    domains = get_cacher_tagged_qubes(qubes, wanted_dist,
-                                      extraneous=args.extraneous)
+    domains = get_clients(qubes, wanted_dist, extraneous=args.extraneous)
     print("\n".join(domains))
 
 

salt/sys-cacher/files/browser/rc.local.d/50-sys-cacher.rc

@@ -4,6 +4,7 @@
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
 
-cp -r /rw/config/systemd/qusal-acng-browser-forwarder* /usr/lib/systemd/system/
+cp -r /rw/config/systemd/qusal-acng-browser-forwarder* \
+  /usr/lib/systemd/system/
 systemctl daemon-reload
 systemctl --no-block restart qusal-acng-browser-forwarder.socket

salt/sys-cacher/files/client/bin/apt-cacher-ng-repo

@@ -30,23 +30,27 @@ set_proxy_marker(){
 
   if ! grep -q "^${marker_begin}$" "${proxy_file}"; then
     if grep -q "^${marker_end}$" "${proxy_file}"; then
-      echo "Error: found marker ${marker_end_text} but not ${marker_begin_text} in ${proxy_file}" >&2
-      echo "Fix the file by either removing both markers or adding missing ones and retry" >&2
+      msg="found marker ${marker_end_text} but not ${marker_begin_text}"
+      msg="${msg} in ${proxy_file}."
+      msg="${msg} fix it by removing markers or adding missing ones and retry"
+      echo "Error: ${msg}" >&2
       exit 1
     fi
     cp "${proxy_file}" "${proxy_file}.qubes-orig"
     echo "${marker_begin}" | tee -a "${proxy_file}" >/dev/null
     echo "${marker_end}" | tee -a "${proxy_file}" >/dev/null
   elif ! grep -q "^${marker_end}$" "${proxy_file}"; then
-    echo "Error: found marker ${marker_begin_text} but not ${marker_end_text} in ${proxy_file}" >&2
-    echo "Fix the file by either removing both markers or adding missing ones and retry" >&2
+    msg="found marker ${marker_begin_text} but not ${marker_end_text}"
+    msg="${msg} in ${proxy_file}."
+    msg="${msg} fix it by removing markers or adding missing ones and retry"
+    echo "error: ${msg}" >&2
     exit 1
   fi
 
   proxy_tmp_file="$(mktemp)"
   cat >"${proxy_tmp_file}" <<EOF
-# The text between ${marker_begin_text} and ${marker_end_text} is automatically
-# generated by $0. All changes here will be overridden.
+# The text between ${marker_begin_text} and ${marker_end_text} is
+# automatically generated by $0. All changes here will be overridden.
 # You can override options after the ${marker_end_text}.
 ${proxy_options}
 EOF
@@ -76,7 +80,7 @@ check_netvm_cacher(){
   if test -f /var/run/qubes-service/netvm-cacher; then
     proxy_host="$(qubesdb-read /qubes-gateway)"
     if test -z "${proxy_host}"; then
-      echo "Error: service netvm-cacher enabled but netvm IP was not found" >&2
+      echo "Error: service netvm-cacher enabled but netvm IP not found" >&2
       return 1
     fi
   fi
@@ -120,9 +124,14 @@ EOF
 
     case "${action}" in
       install)
+        baseurl_search="baseurl\s*=\s*https://"
+        baseurl_repl="baseurl=http://HTTPS///"
+        meta_search="metalink\s*=\s*https://"
+        meta_repl="metalink=http://HTTPS///"
+        baseurl_expr="s|${baseurl_search}|${baseurl_repl}|w ${changes_file}"
+        meta_expr="s|${meta_search}|${meta_repl}|w ${changes_file}"
         find "${@}" -type f -exec sed -i \
-          -e "s|baseurl\s*=\s*https://|baseurl=http://HTTPS///|w ${changes_file}" \
-          -e "s|metalink\s*=\s*https://|metalink=http://HTTPS///|w ${changes_file}" \
+          -e "${baseurl_expr}" -e "${meta_expr}" \
         {} \+
 
         set --
@@ -136,16 +145,26 @@ EOF
         done
         test -n "${*}" || return 0
 
+        baseurl_search="^\s*#.*baseurl"
+        baseurl_repl="baseurl"
+        meta_search="^\s*metalink\s*=\s*"
+        meta_expr="#metalink="
+        baseurl_expr="s|${baseurl_search}|${baseurl_repl}|w ${changes_file}"
+        meta_expr="s|${meta_search}|${meta_repl}|w ${changes_file}"
         find "${@}" -type f -exec sed -i \
-          -e "s|^\s*#.*baseurl|baseurl|w ${changes_file}" \
-          -e "s|^\s*metalink\s*=\s*|#metalink=|w ${changes_file}" \
+          -e "${baseurl_expr}" -e "${meta_expr}" \
         {} \+
         ;;
 
       uninstall)
+        baseurl_search="baseurl\s*=\s*http://HTTPS///"
+        baseurl_repl="baseurl=https://"
+        meta_search="metalink\s*=\s*http://HTTPS///"
+        meta_repl="metalink=https://"
+        baseurl_expr="s|${baseurl_search}|${baseurl_repl}|w ${changes_file}"
+        meta_expr="s|${meta_search}|${meta_repl}|w ${changes_file}"
         find "${@}" -type f -exec sed -i \
-          -e "s|baseurl\s*=\s*http://HTTPS///|baseurl=https://|w ${changes_file}" \
-          -e "s|metalink\s*=\s*http://HTTPS///|metalink=https://|w ${changes_file}" \
+          -e "${baseurl_expr}" -e "${meta_expr}" \
         {} \+
 
         set --
@@ -194,16 +213,26 @@ EOF
 
     case "${action}" in
       install)
+        sources_search="URIs:\s*https://"
+        sources_repl="URIs: http://HTTPS///"
+        list_search="^\s*\(#*\)\s*deb\(.*\)https://"
+        list_repl="\1deb\2http://HTTPS///"
+        sources_expr="s|${sources_search}|${sources_repl}|w ${changes_file}"
+        list_expr="s|${list_search}|${list_repl}|w ${changes_file}"
         find "${@}" -type f -exec sed -i \
-          -e "s|URIs:\s*https://|URIs: http://HTTPS///|w ${changes_file}" \
-          -e "s|^\s*\(#*\)\s*deb\(.*\)https://|\1deb\2http://HTTPS///|w ${changes_file}" \
+          -e "${list_expr}" -e "${sources_expr}" \
         {} \+
         ;;
 
       uninstall)
+        sources_search="URIs:\s*http://HTTPS///"
+        sources_repl="URIs: https://"
+        list_search="^\s*\(#*\)\s*deb\(.*\)http://HTTPS///"
+        list_repl="\1deb\2https://"
+        sources_expr="s|${sources_search}|${sources_repl}|w ${changes_file}"
+        list_expr="s|${list_search}|${list_repl}|w ${changes_file}"
         find "${@}" -type f -exec sed -i \
-          -e "s|URIs:\s*http://HTTPS///|URIs: https://|w ${changes_file}" \
-          -e "s|^\s*\(#*\)\s*deb\(.*\)http://HTTPS///|\1deb\2https://|w ${changes_file}" \
+          -e "${list_expr}" -e "${sources_expr}" \
         {} \+
         ;;
     esac
@@ -242,21 +271,27 @@ EOF
 
     case "${action}" in
       install)
+        repo_search="Server\s*=\s*https://" \
+        repo_repl="Server = http://HTTPS///"
+        repo_regex="s|${repo_search}|${repo_repl}|w ${changes_file}"
         find "${@}" -type f -exec sed -i \
-          -e "s|Server\s*=\s*https://|Server = http://HTTPS///|w ${changes_file}" \
+          -e "${repo_regex}" \
         {} \+
         ;;
 
       uninstall)
+        repo_search="Server\s*=\s*http://HTTPS///"
+        repo_repl="Server = https://"
+        repo_regex="s|${repo_search}|${repo_repl}|w ${changes_file}"
         find "${@}" -type f -exec sed -i \
-          -e "s|Server\s*=\s*http://HTTPS///|Server = https://|w ${changes_file}" \
+          -e "${repo_regex}" \
         {} \+
         ;;
     esac
 
   else
     ## Gentoo: upstream does not have a good solution:
-    ##   https://wiki.gentoo.org/wiki/Local_distfiles_cache#Configuring_for_Gentoo
+    ## https://wiki.gentoo.org/wiki/Local_distfiles_cache#Configuring_for_Gentoo
     reject_os
   fi
 }

salt/sys-electrs/clone.sls

@@ -9,6 +9,7 @@ SPDX-License-Identifier: AGPL-3.0-or-later
 {{ clone_template('debian-minimal', 'electrs-builder', include_create=False) }}
 
 {#
+# editorconfig-checker-disable
 TODO: Recheck: Cargo index fetch isis too big to be fetched over tor.
 Impossible to fetch Cargo index over tor as of Bookworm Cargo 1.65.
 Cargo >=1.68 does support "sparse" registry protocol,
@@ -36,4 +37,5 @@ Caused by:
 {#
 {{ clone_template(['debian-minimal', 'whonix-workstation'], sls_path) }}
 {{ clone_template('whonix-workstation', 'electrs-builder', include_create=False) }}
+# editorconfig-checker-enable
 #}

salt/sys-git/files/client/git-core/git-init-qrexec

@@ -11,14 +11,16 @@ case "${GIT_TRACE_HELPER:-}" in
 esac
 
 usage(){
-  echo "Usage: ${helper} [<qube>] [<repository>]"
-  echo "Note: qube defaults to '@default' and repository to the current repository"
+  echo "Usage: ${helper} [<qube>] [<repository>]" >&2
+  echo "Note: qube defaults to @default" >&2
+  echo "Note: repository defaults to current working repository" >&2
   exit 1
 }
 
 is_git_repo(){
   if ! git rev-parse --show-toplevel >/dev/null 2>&1; then
-    echo "Error: Either run from inside a git repository or provide it as an argument" >&2
+    echo "Error: Current working directory is not in a git repository" >&2
+    echo "Error: Run from a repository or pass the name as an argument" >&2
     usage
   fi
 }
@@ -49,7 +51,8 @@ elif command -v qrexec-client >/dev/null; then
     die "Qube doesn't exist: '${authority}'"
   fi
   qvm-start --skip-if-running -- "${authority}"
-  exec qrexec-client -tT -d "${authority}" -- "DEFAULT:QUBESRPC ${rpc_cmd} dom0"
+  rpc_cmd="DEFAULT:QUBESRPC ${rpc_cmd} dom0"
+  exec qrexec-client -tT -d "${authority}" -- "${rpc_cmd}"
 fi
 
 die "Qrexec programs not found: qrexec-client-vm, qrexec-client"

salt/sys-git/files/client/git-core/git-remote-qrexec

@@ -12,7 +12,9 @@
 set -eu
 
 usage(){
-  echo "Usage: ${helper} <remote> [${scheme}://<authority>/<path>[?query=value][&other_query=value]]" >&2
+  url_format="${scheme}://<authority>/<path>"
+  url_format="${url_format}[?query=value][&other_query=value]"
+  echo "Usage: ${helper} <remote> [${url_format}]" >&2
 }
 
 die(){

salt/sys-git/files/client/git-core/git-remote-qrexec-connect

@@ -76,8 +76,9 @@ elif command -v qrexec-client >/dev/null; then
     die "Qube doesn't exist: '${authority}'"
   fi
   qvm-start --skip-if-running -- "${authority}"
-  log "->" qrexec-client -T -d "${authority}" -- "DEFAULT:QUBESRPC ${rpc_cmd} dom0"
-  exec qrexec-client -T -d "${authority}" -- "DEFAULT:QUBESRPC ${rpc_cmd} dom0"
+  rpc_cmd="DEFAULT:QUBESRPC ${rpc_cmd} dom0"
+  log "->" qrexec-client -T -d "${authority}" -- "${rpc_cmd}"
+  exec qrexec-client -T -d "${authority}" -- "${rpc_cmd}"
 fi
 
 die "Qrexec programs not found: qrexec-client-vm, qrexec-client"

salt/sys-git/files/server/rpc/qusal.GitInit

@@ -1,6 +1,6 @@
 #!/bin/sh
 
-# SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
+# SPDX-FileCopyrightText: 2023 - 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com>
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
 
@@ -24,7 +24,10 @@ fi
 
 if ! (echo "${untrusted_repo}" | grep -q "^[A-Za-z0-9][A-Za-z0-9_.-]\+$")
 then
-  die "Forbidden characters in repository name. Allowed chars: letters, numbers, hyphen, underscore and dot. It cannot begin with hyphen, underscore or dot"
+  msg="Forbidden characters in agent name."
+  msg="${msg} Allowed chars: letters, numbers, hyphen, underscore and dot."
+  msg="${msg} Name cannot begin with hyphen, underscore or dot"
+  die "${msg}"
 fi
 
 ## Length arbitrarily set.
@@ -52,7 +55,8 @@ esac
 
 if test "${action}" != "Init"; then
   test -d "${path}" || die "Directory doesn't exist: ${repo}"
-  git -C "${path}" rev-parse >/dev/null 2>&1 || die "Not a git repository: ${repo}"
+  git -C "${path}" rev-parse >/dev/null 2>&1 ||
+    die "Not a git repository: ${repo}"
   is_bare="$(git -C "${path}" rev-parse --is-bare-repository)"
   test "${is_bare}" = "true" || die "Not a bare repository: ${repo}"
 fi

salt/sys-net/files/server/rpc/qusal.ConnectTCP

@@ -6,11 +6,11 @@
 
 ## How to use with SSH?
 ## On Dom0 Qrexec policy:
-##   qusal.ConnectTCP +domain.tld+22 sshclient @default ask default_target=sshproxy
+##   qusal.ConnectTCP +domain.tld+22 client @default ask default_target=proxy
 ## On Dom0, enable the "qusal-proxy-client" service for the client qube:
-##   qvm-features sshclient service.qusal-proxy-client 1
+##   qvm-features client service.qusal-proxy-client 1
 ## On the SSH Proxy server (netvm of your liking), install this RPC service.
-##   qubesctl --skip-dom0 --targets=sshproxy state.apply sys-net.install-proxy
+##   qubesctl --skip-dom0 --targets=proxy state.apply sys-net.install-proxy
 ## On the client ssh configuration:
 ##   Match Exec "test -f /var/run/qubes-service/qusal-proxy-client"
 ##           ProxyCommand qrexec-client-vm @default qusal.ConnectTCP+%h+%p

salt/sys-ssh-agent/files/server/rpc/qusal.SshAgent

@@ -1,21 +1,28 @@
 #!/bin/sh
 
-# SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
+# SPDX-FileCopyrightText: 2023 - 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com>
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
 
 set -eu
 
+die(){
+  echo "error: ${1}" >&2
+  exit 1
+}
+
 untrusted_agent="$QREXEC_SERVICE_ARGUMENT"
 
 if test -z "${untrusted_agent}"; then
-  echo "Agent name is empty" >&2
-  exit 1
+  die "Agent name is empty"
 fi
 
 if ! (echo "${untrusted_agent}" | grep -q "^[A-Za-z0-9][A-Za-z0-9_.-]\+$")
 then
-  die "Forbidden characters in agent name. Allowed chars: letters, numbers, hyphen, underscore and dot. It cannot begin with hyphen, underscore or dot"
+  msg="Forbidden characters in agent name."
+  msg="${msg} Allowed chars: letters, numbers, hyphen, underscore and dot."
+  msg="${msg} Name cannot begin with hyphen, underscore or dot"
+  die "${msg}"
 fi
 
 ## Length arbitrarily set.

salt/sys-syncthing/files/browser/rc.local.d/50-sys-syncthing.rc

@@ -4,6 +4,7 @@
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
 
-cp -r /rw/config/systemd/qusal-syncthing-browser-forwarder* /usr/lib/systemd/system/
+cp -r /rw/config/systemd/qusal-syncthing-browser-forwarder* \
+  /usr/lib/systemd/system/
 systemctl daemon-reload
 systemctl --no-block restart qusal-syncthing-browser-forwarder.socket

salt/sys-wireguard/files/admin/bin/qvm-wireguard

@@ -48,7 +48,8 @@ qvm-run -u root "$qube" -- "cp ${user_conf} ${system_conf}"
 
 ## TOFU
 # shellcheck disable=SC2016
-endpoint="$(qvm-run -p -u root "$qube" -- awk '/Endpoint/{print $3}' "${system_conf}")"
+endpoint="$(qvm-run -p -u root "$qube" -- awk '/Endpoint/{print $3}' \
+  "${system_conf}")"
 if echo "${endpoint}" | grep -qF "["; then
   ip="${ip##[\[]}"
   ip="${ip%%\]*}"
@@ -70,8 +71,10 @@ fi
 echo "Firewalling $qube to reach only '$ip:$port'"
 qvm-firewall --verbose -- "$qube" reset
 qvm-firewall --verbose -- "$qube" del --rule-no 0
-qvm-firewall --verbose -- "$qube" add accept dsthost="$ip" dstports="$port" proto=udp
-qvm-firewall --verbose -- "$qube" add accept dsthost="$ip" dstports="$port" proto=tcp
+qvm-firewall --verbose -- "$qube" add accept dsthost="$ip" dstports="$port" \
+  proto=udp
+qvm-firewall --verbose -- "$qube" add accept dsthost="$ip" dstports="$port" \
+  proto=tcp
 qvm-firewall --verbose -- "$qube" add drop
 
 if qvm-check -q --paused -- "$qube" >/dev/null 2>&1; then

salt/sys-wireguard/files/server/qubes-firewall.d/50-sys-wireguard-var

@@ -21,7 +21,9 @@ set_nft_dnat(){
   ipv="${1}" # empty(4), 6
   proto="${2}" # tcp, udp
   dns_host="${3}"
-  set_nft "insert rule ip${ipv} qubes custom-dnat iifgroup 2 ${proto} dport 53 dnat to ${dns_host}"
+  rule_prefix="insert rule ip${ipv} qubes custom-dnat iifgroup 2 ${proto}"
+  rule_suffix="dport 53 dnat to ${dns_host}"
+  set_nft "${rule_prefix} ${rule_suffix}"
 }
 
 dns="$(grep -s "^\s*DNS\s*=\s*\S\+" "${wg_conf}" | sed "s/.*=//;s/ //g")"

scripts/markdown-lint.sh

@@ -40,8 +40,8 @@ fi
 
 case "${find_tool}" in
   fd|fdfind)
-    files="$(${find_tool} . --hidden --exclude .github --type=f --extension=md)"
-    extra_files="$(${find_tool} . --hidden --type=f --extension=md .github)"
+    files="$(${find_tool} . -H -E .github -t f -e md)"
+    extra_files="$(${find_tool} . -H -t f -e md .github)"
     ;;
   find)
     files="$(find . -not -path './.github/*' -type f -name "*.md")"

scripts/qubesbuilder-gen.sh

@@ -20,13 +20,14 @@ if test "${1-}" = "test"; then
 fi
 ignored="$(git ls-files --exclude-standard --others --ignored salt/)"
 untracked="$(git ls-files --exclude-standard --others salt/)"
-unwanted="$(printf %s"${ignored}\n${untracked}\n" | grep "^salt/\S\+/README.md" \
-            | cut -d "/" -f2 | sort -u)"
+unwanted="$(printf %s"${ignored}\n${untracked}\n" |
+  grep "^salt/\S\+/README.md" | cut -d "/" -f2 | sort -u)"
 group="$(./scripts/spec-get.sh dom0 group)"
-projects="$(find salt/ -mindepth 1 -maxdepth 1 -type d \
-            | sort -d | sed "s|^salt/\(\S\+\)|      - rpm_spec/${group}-\1.spec|")"
+projects="$(find salt/ -mindepth 1 -maxdepth 1 -type d | sort -d |
+  sed "s|^salt/\(\S\+\)|      - rpm_spec/${group}-\1.spec|")"
 for unwanted_project in ${unwanted}; do
-  projects="$(echo "${projects}" | sed "\@rpm_spec/${group}-${unwanted_project}.spec@d")"
+  projects="$(echo "${projects}" |
+    sed "\@rpm_spec/${group}-${unwanted_project}.spec@d")"
 done
 
 if test "${1-}" = "print"; then

scripts/salt-fix.sh

@@ -18,8 +18,14 @@ cd "$(git rev-parse --show-toplevel)" || exit 1
 find_tool="$(./scripts/best-program.sh fd fdfind find)"
 
 case "${find_tool}" in
-  fd|fdfind) files="$(${find_tool} . minion.d/ --extension=conf) $(${find_tool} . salt/ --max-depth=2 --type=f --extension=sls)";;
-  find) files="$(find minion.d/ -type f -name "*.conf") $(find salt/ -maxdepth 2 -type f -name '*.sls')";;
+  fd|fdfind)
+    files="$(${find_tool} . minion.d/ --extension=conf)
+      $(${find_tool} . salt/ --max-depth=2 --type=f --extension=sls)"
+    ;;
+  find)
+    files="$(find minion.d/ -type f -name "*.conf")
+      $(find salt/ -maxdepth 2 -type f -name '*.sls')"
+    ;;
 esac
 
 ## 201 - Fix trailing whitespace:

scripts/salt-lint.sh

@@ -31,8 +31,15 @@ if test -n "${1-}"; then
 fi
 
 case "${find_tool}" in
-  fd|fdfind) files="$(${find_tool} . minion.d/ --extension=conf) $(${find_tool} . salt/ --max-depth=2 --type=f --extension=sls --extension=top | sort -d)";;
-  find) files="$(find minion.d/ -type f -name "*.conf") $(find salt/* -maxdepth 2 -type f \( -name '*.sls' -o -name '*.top' \) | sort -d)";;
+  fd|fdfind)
+    files="$(${find_tool} . minion.d/ --e  conf)
+    $(${find_tool} . salt/ -d 2 -t f -e sls -e top | sort -d)"
+    ;;
+  find)
+    files="$(find minion.d/ -type f -name "*.conf")
+    $(find salt/* -maxdepth 2 -type f \( -name '*.sls' -o -name '*.top' \) |
+      sort -d)"
+    ;;
 esac
 
 exec salt-lint ${conf} ${files}

scripts/shell-lint.sh

@@ -13,8 +13,38 @@ command -v git >/dev/null || { echo "Missing program: git" >&2; exit 1; }
 cd "$(git rev-parse --show-toplevel)" || exit 1
 ./scripts/requires-program.sh shellcheck file
 
+exit_code=0
 find_tool="$(./scripts/best-program.sh fd fdfind find)"
 
+show_long_lines(){
+  tty_stderr=0
+  if test -t 2; then
+    tty_stderr=1
+  fi
+  awk -v color="${tty_stderr}" '
+    BEGIN {
+      MAGENTA=""
+      GREEN=""
+      RESET=""
+      if (color == 1) {
+        MAGENTA="\033[1;35m"
+        GREEN="\033[1;32m"
+        RESET="\033[0m"
+      }
+    }
+    {
+    nlines++;
+    if (length > 78 && !/^\s*#.*(:\/\/|SPDX-)/) {
+      exit_code=1
+      prefix = MAGENTA FILENAME RESET ":" GREEN FNR RESET
+      print prefix ": line too long: " length " > 78" >"/dev/stderr"
+      if (nlines==NR) { if (exit_code==1) { exit 1; }; }
+    }
+    if (nlines==NR) { if (exit_code==1) { exit 1; }; }
+  }
+  ' "${@}" >&2
+}
+
 if test -n "${1-}"; then
   files=""
   sh_files=""
@@ -32,31 +62,40 @@ if test -n "${1-}"; then
   if test -z "$files" && test -z "$sh_files"; then
     exit 0
   fi
-  test -z "$files" || shellcheck ${files}
-  test -z "$sh_files" || shellcheck -s sh ${sh_files}
-  exit
+  if test -n "${files}" || test -n "${sh_files}"; then
+    show_long_lines ${files} ${sh_files} || exit_code=1
+  fi
+  if test -n "${files}"; then
+    shellcheck ${files} || exit_code=1
+  fi
+  if test -n "${sh_files}"; then
+    shellcheck -s sh ${sh_files} || exit_code=1
+  fi
+  exit "${exit_code}"
 fi
 
 case "${find_tool}" in
   fd|fdfind)
     # shellcheck disable=2016,2215
-    files="$(${find_tool} . scripts/ salt/ --hidden --exclude=zsh --type=f \
-              --exec-batch file | awk -F ":" '/ shell script,/{ print $1 }')"
+    files="$(${find_tool} . scripts/ salt/ -H -E zsh -t f -X file |
+      awk -F ":" '/ shell script,/{ print $1 }')"
     ## No Shebang
     sh_files="$(${find_tool} rc.local salt/ --type=f)"
     ;;
   find)
     files="$(find scripts/ salt/ -not \( -path "*/zsh" -prune \) -type f \
-              -exec file {} \+ | awk -F ":" '/ shell script,/{ print $1 }')"
+      -exec file {} \+ | awk -F ":" '/ shell script,/{ print $1 }')"
     ## No Shebang
     sh_files="$(find salt/ -type f -name "rc.local")"
     ;;
 esac
 
-echo "${files}" | sort -u | tr " " "\n"
-exit
+files="$(echo "$files" | sort -u)"
+sh_files="$(echo "$sh_files" | sort -u)"
 
-#files="$(echo "$files" | sort -u)"
-#sh_files="$(echo "$sh_files" | sort -u)"
-#test -z "${files}" || shellcheck ${files}
-#test -z "${sh_files}" || shellcheck -s sh ${sh_files}
+show_long_lines ${files} ${sh_files} || exit_code=1
+shellcheck ${files} || exit_code=1
+if test -n "$sh_files"; then
+  shellcheck -s sh ${sh_files} || exit_code=1
+fi
+exit "${exit_code}"

scripts/spec-gen.sh

@@ -27,8 +27,10 @@ escape_key(){
 ## Get scriptlet command, else fail safe.
 get_scriptlet(){
   scriptlet="$1"
+  scriptlet_begin="-- pkg:begin:${scriptlet} --"
+  scriptlet_end="-- pkg:end:${scriptlet} --"
   scriptlet="$(sed -n \
-    "/^<\!-- pkg:begin:${scriptlet} -->$/,/^<\!-- pkg:end:${scriptlet} -->$/p" \
+    "/^<\!${scriptlet_begin}>$/,/^<\!${scriptlet_end}>$/p" \
     "${readme}" | sed '/^```.*/d;/^\S*$/d;/^<\!-- pkg:/d;s/^sudo //')"
   if test -z "${scriptlet}"; then
     echo true
@@ -159,7 +161,9 @@ if test "${1-}" = "test"; then
   shift
 fi
 
-if echo "${@}" | grep -qE "(^scripts/| scripts/|/template.spec)" || test -z "${1-}"; then
+if echo "${@}" | grep -qE "(^scripts/| scripts/|/template.spec)" ||
+  test -z "${1-}"
+then
   # shellcheck disable=SC2046
   set -- $(find salt/ -mindepth 1 -maxdepth 1 -type d -printf '%f\n' \
             | sort -d | tr "\n" " ")

scripts/spec-get.sh

@@ -13,7 +13,7 @@ usage(){
   echo "Usage: ${0##*/} <NAME> <KEY>"
   echo "Example: ${0##*/} qubes-builder description"
   echo "Names: ${names}"
-  echo "Keys: ${keys}"
+  echo "Keys: $(echo "${keys}" | tr "\n" " ")"
 }
 
 block_max_chars(){
@@ -21,13 +21,31 @@ block_max_chars(){
   char_value="${2}"
   less_than="${3}"
   if test "${#char_value}" -ge "${less_than}"; then
-    echo "Error: ${char_key} is too long. Must be less than ${less_than} chars." >&2
+    echo "Error: ${char_key} is too long. Must be <${less_than} chars." >&2
     echo "Key contents: ${char_value}" >&2
     exit 1
   fi
 }
 
-keys="name branch group file_roots requires packager vendor url bug_url version project project_dir changelog readme license_csv license description summary saltfiles"
+keys="name
+branch
+group
+file_roots
+requires
+packager
+vendor
+url
+bug_url
+version
+project
+project_dir
+changelog
+readme
+license_csv
+license
+description
+summary
+saltfiles"
 
 name=""
 key=""
@@ -97,7 +115,10 @@ fi
 ## project per directory. The disadvantage of the changelog below is it
 # #doesn't differentiate commits per version and release, but per commit id.
 if test "${key}" = "changelog"; then
-  changelog="$(TZ=UTC0 git log -n 50 --format=format:"* %cd %an <%ae> - %h%n- %s%n" --date=format:"%a %b %d %Y" -- "${project_dir}" | sed -re "s/^- +- */- /")"
+  changelog="$(TZ=UTC0 git log -n 50 \
+    --format=format:"* %cd %an <%ae> - %h%n- %s%n" \
+    --date=format:"%a %b %d %Y" -- "${project_dir}" | \
+    sed -re "s/^- +- */- /")"
 fi
 
 if test "${key}" = "description"; then
@@ -117,7 +138,9 @@ if test "${key}" = "saltfiles" || test "${key}" = "requires"; then
   saltfiles="$(find "${project_dir}" -maxdepth 1 -name "*.sls")"
   # shellcheck disable=SC2086
   if test -n "${saltfiles}"; then
-    requires="$(sed -n '/^include:$/,/^\s*$/p' -- ${saltfiles} | sed "/^\s*- \./d;/{/d" | grep "^\s*- " | cut -d "." -f1 | sort -u | sed "s/- //")"
+    requires="$(sed -n '/^include:$/,/^\s*$/p' -- ${saltfiles} |
+      sed "/^\s*- \./d;/{/d" | grep "^\s*- " | cut -d "." -f1 | sort -u |
+      sed "s/- //")"
     if grep -qrn "{%-\? from \('\|\"\)utils" ${saltfiles}; then
       if test -n "${requires}"; then
         requires="${requires} utils"

scripts/toc-gen.sh

@@ -37,6 +37,7 @@ for f in "$@"; do
   ## This is fragile, the table of contents should have at least one block
   ## separated by an empty line before the nest heading, else it will delete
   ## the rest of the file.
-  vim -c 'norm zRgg' -c '/^## Table of Contents$' -c 'norm jd}k' -c ':GenTocGFM' -c 'norm ddgg' -c wq -- "${f}"
+  vim -c 'norm zRgg' -c '/^## Table of Contents$' -c 'norm jd}k' \
+      -c ':GenTocGFM' -c 'norm ddgg' -c wq -- "${f}"
   echo "Updated TOC in file: $f"
 done