fix: dom0 as sys-git client

The salt module git.config_get does not work in Dom0 and does not have a key to set the system gitconfig.
2025-02-02 10:24:56 -05:00 · 2024-01-18 09:19:40 +01:00 · 2024-01-18 09:19:40 +01:00 · 23bccebaab
commit 23bccebaab
parent 3faa523820
5 changed files with 23 additions and 6 deletions
--- a/salt/dom0/install-dev.sls
+++ b/salt/dom0/install-dev.sls
@ -6,6 +6,9 @@ SPDX-License-Identifier: AGPL-3.0-or-later
 {% if grains['nodename'] == 'dom0' -%}
 include:
  - sys-git.install-client
 "{{ slsdotpath }}-dev-updated":
  pkg.uptodate:
    - refresh: True
--- a/salt/sys-git/README.md
+++ b/salt/sys-git/README.md
@ -6,6 +6,7 @@ Git operations through Qrexec in Qubes OS.
 * [Description](#description)
 * [Alternatives comparison](#alternatives-comparison)
 * [Security](#security)
 * [Installation](#installation)
 * [Access control](#access-control)
 * [Usage](#usage)
@ -42,6 +43,11 @@ implementation:
 | Validates Git communication | False | False | True | False |
 | Verifies tag signature | False | False | True | False |
 ## Security
 It is not possible to filter Git's stdout from a Qrexec call as it is used by
 the local running git process.
 ## Installation
 - Top
--- a/salt/sys-git/files/client/git-core/git-init-qrexec
+++ b/salt/sys-git/files/client/git-core/git-init-qrexec
@ -40,12 +40,12 @@ default_qube="sys-git"
 rpc_cmd="${vendor}.${rpc}+${repo}"
 if command -v qrexec-client-vm >/dev/null; then
-  exec qrexec-client-vm -- "${authority}" "${rpc_cmd}"
+  exec qrexec-client-vm -tT -- "${authority}" "${rpc_cmd}"
 elif command -v qrexec-client >/dev/null; then
  if test "${authority}" = "@default"; then
    authority="${default_qube}"
  fi
-  exec qrexec-client -d "${authority}" -- "DEFAULT:QUBESRPC ${rpc_cmd} dom0"
+  exec qrexec-client -tT -d "${authority}" -- "DEFAULT:QUBESRPC ${rpc_cmd} dom0"
 fi
 die "Qrexec programs not found: qrexec-client-vm, qrexec-client"
--- a/salt/sys-git/files/client/git-core/git-remote-qrexec-connect
+++ b/salt/sys-git/files/client/git-core/git-remote-qrexec-connect
@ -66,14 +66,14 @@ then
 fi
 if command -v qrexec-client-vm >/dev/null; then
-  log "->" qrexec-client-vm -- "${authority}" "${rpc_cmd}"
+  log "->" qrexec-client-vm -T -- "${authority}" "${rpc_cmd}"
-  exec qrexec-client-vm -- "${authority}" "${rpc_cmd}"
+  exec qrexec-client-vm -T -- "${authority}" "${rpc_cmd}"
 elif command -v qrexec-client >/dev/null; then
  if test "${authority}" = "@default"; then
    authority="${default_qube}"
  fi
-  log "->" qrexec-client -d "${authority}" -- "DEFAULT:QUBESRPC ${rpc_cmd} dom0"
+  log "->" qrexec-client -T -d "${authority}" -- "DEFAULT:QUBESRPC ${rpc_cmd} dom0"
-  exec qrexec-client -d "${authority}" -- "DEFAULT:QUBESRPC ${rpc_cmd} dom0"
+  exec qrexec-client -T -d "${authority}" -- "DEFAULT:QUBESRPC ${rpc_cmd} dom0"
 fi
 die "Qrexec programs not found: qrexec-client-vm, qrexec-client"
--- a/salt/sys-git/install-client.sls
+++ b/salt/sys-git/install-client.sls
@ -29,6 +29,9 @@ include:
    'RedHat': {
      'exec_path': '/usr/libexec/git-core',
    },
    'Qubes OS': {
      'exec_path': '/usr/libexec/git-core',
    },
 }.get(grains.os_family) -%}
 "{{ slsdotpath }}-install-client-git-core-dir":
@ -46,3 +49,8 @@ include:
      - mode
      - user
      - group
 "{{ slsdotpath }}-install-client-allow-protocol":
  cmd.run:
    - name: git config --system protocol.qrexec.allow always
    - runas: root