feat: unattended qubes-builder build

Split-gpg2 allows to isolate GPG home directories. In the future, enforcing this setting via drop-in configuration would be safer, depends on https://github.com/QubesOS/qubes-issues/issues/8792.
2025-07-28 17:04:10 -04:00 · 2024-01-05 17:24:14 +01:00 · 2024-01-05 17:24:14 +01:00 · 132431aebd
commit 132431aebd
parent 6bf6da56fb
2 changed files with 4 additions and 6 deletions
--- a/salt/qubes-builder/README.md
+++ b/salt/qubes-builder/README.md
@ -49,10 +49,8 @@ qubesctl --skip-dom0 --targets=qubes-builder state.apply qubes-builder.configure
 The policy is based on `qubes-builderv2/rpc/50-qubesbuilder.policy`.
 Extra services added are `qubes.Gpg2`, `qusal.GitInit`, `qusal.GitFetch`,
-`qusal.GitPush`, `qusal.SshAgent`.
+`qusal.GitPush`, `qusal.SshAgent`. Necessary services are allowed to have an
-
+unattended build.
 Out of these services, if an argument `+qubes-builder` can be specified to
 limit the scope, the action is `allowed`, else the action is to `ask`.
 ## Usage
--- a/salt/qubes-builder/files/admin/policy/default.policy
+++ b/salt/qubes-builder/files/admin/policy/default.policy
@ -5,11 +5,11 @@
 ## Do not modify this file, create a new policy with with a lower number in the
 ## file name instead. For example `30-user.policy`.
-qubes.Gpg2 * {{ sls_path }} @default ask target=sys-pgp default_target=sys-pgp
+qubes.Gpg2 * {{ sls_path }} @default allow target=sys-pgp
 qusal.GitInit  +qubes-builder {{ sls_path }} @default allow target=sys-git
 qusal.GitFetch +qubes-builder {{ sls_path }} @default allow target=sys-git
-qusal.GitPush  +qubes-builder {{ sls_path }} @default ask   target=sys-git default_target=sys-pgp
+qusal.GitPush  +qubes-builder {{ sls_path }} @default ask   target=sys-git default_target=sys-git
 qusal.SshAgent +qubes-builder {{ sls_path }} @default allow target=sys-ssh-agent
 qusal.SshAgent +qubes-builder {{ sls_path }} @anyvm deny