Merge 71bcee715301b4bbd383fc9d6880f5fca7cf8927 into 75aac52edad09eb5f0cdcbe05bcd1c41f83cb28e

2025-04-18 14:35:51 -04:00 · 2025-03-20 04:46:45 +00:00 · 2025-03-20 04:46:45 +00:00 · 29c31dd4f3
commit 29c31dd4f3
parent 75aac52eda 71bcee7153
8 changed files with 171 additions and 0 deletions
--- a/salt/sys-git/README.md
+++ b/salt/sys-git/README.md
@ -102,6 +102,13 @@ Installation on the client template:
 sudo qubesctl --skip-dom0 --targets=tpl-dev state.apply sys-git.install-client
 ```

+To also create one or more appVMs for syncing with remote repositories, uncomment and edit the `syncs` section in `create-sync.sls` and apply:
+
+```sh
+sudo qubesctl state.apply sys-git.create-sync
+sudo qubesctl --skip-dom0 state.apply sys-git.install-sync
+```
+
 ## Access control

 _Default policy_: `any qube` can `ask` via the `@default` target if you allow
@ -216,6 +223,33 @@ Following pushes will be simpler:
 git push
 ```

+### Pushing to external remotes
+
+Neither `sys-git` nor your development environment should require connectivity with remote forges in order to collaborate with remote forges. For e-mail-based patch workflows, you can utilize the `mail` template as an intermediary sender. For other scenarios, we can utilize a `git-sync` VM. This allows us to separate trust zones between development and synchronizing code changes.
+
+In your development environment, synchronize changes to `sys-git`:
+
+```sh
+git remote add sg qrexec://@default/qubes-doc
+git checkout -b patch1
+git push -u sg patch1
+```
+
+In the `git-sync` vm:
+
+```sh
+git clone -o sg -b patch1 qrexec://@default/qubes-doc
+cd qubes-doc
+
+git remote add ghost https://github.com/ghost/qubes-doc
+git fetch ghost master
+# inspect changes
+
+# optionally, resign commit with pgp if you have split-gpg2 set up
+git commit -S --amend
+
+git push -u ghost patch1
+```
 ## Credits

 *   [Unman](https://github.com/unman/shaker/tree/main/git)
--- a/salt/sys-git/clone.sls
+++ b/salt/sys-git/clone.sls
@ -6,3 +6,4 @@ SPDX-License-Identifier: AGPL-3.0-or-later

 {% from 'utils/macros/clone-template.sls' import clone_template -%}
 {{ clone_template('debian-minimal', sls_path) }}
+{{ clone_template('debian-minimal', sls_path ~ '-sync', include_create=False) }}
--- a/salt/sys-git/create-sync.sls
+++ b/salt/sys-git/create-sync.sls
@ -0,0 +1,58 @@
+{#
+SPDX-FileCopyrightText: 2025 The Qusal Community <>
+
+SPDX-License-Identifier: AGPL-3.0-or-later
+#}
+
+{%- from "qvm/template.jinja" import load -%}
+
+include:
+  - {{ slsdotpath }}.clone
+
+{# TODO: make this properly read configuration from pillar instead of inlined in code #}
+{# % set syncs = [
+  {
+    'name': 'example',
+    'memory': 500,
+    'maxmem': 700,
+    'vcpus': 1,
+  },
+] - #%}
+
+{% if syncs is defined and syncs %}
+{% for vm in syncs -%}
+{% set prefix = slsdotpath ~ "-" ~ vm.name %}
+{% load_yaml as defaults -%}
+name: {{ prefix }}-sync
+force: True
+require:
+- qvm: tpl-{{ slsdotpath }}-sync
+present:
+- template: tpl-{{ slsdotpath }}-sync
+- label: red
+prefs:
+- template: tpl-{{ slsdotpath }}-sync
+- label: red
+- audiovm: ""
+- vcpus: 1
+- memory: 200
+- maxmem: 350
+- include_in_backups: False
+features:
+- enable:
+  - servicevm
+  # - service.split-gpg2-client
+- disable:
+  - service.cups
+  - service.cups-browsed
+  - service.tinyproxy
+- set:
+  - menu-items: "qubes-run-terminal.desktop qubes-start.desktop"
+tags:
+- add:
+  - "git-sync"
+
+{%- endload %}
+{{ load(defaults) }}
+{% endfor %}
+{% endif -%}
--- a/salt/sys-git/create-sync.top
+++ b/salt/sys-git/create-sync.top
@ -0,0 +1,10 @@
+{#
+SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
+
+SPDX-License-Identifier: AGPL-3.0-or-later
+#}
+
+base:
+  'dom0':
+    - match: nodegroup
+    - sys-git.create-sync
--- a/salt/sys-git/create.sls
+++ b/salt/sys-git/create.sls
@ -50,5 +50,30 @@ features:
    - require:
      - qvm: {{ slsdotpath }}

+{% load_yaml as defaults -%}
+name: {{ slsdotpath }}-sync
+force: True
+require:
+- sls: {{ slsdotpath }}.clone
+present:
+- template: tpl-{{ slsdotpath }}-sync
+- label: gray
+prefs:
+- template: tpl-{{ slsdotpath }}-sync
+- label: gray
+- netvm: ""
+- audiovm: ""
+- vcpus: 1
+- memory: 200
+- maxmem: 300
+features:
+- enable:
+  - servicevm
+- disable:
+  - service.cups
+  - service.cups-browsed
+{%- endload %}
+{{ load(defaults) }}
+
 {% from 'utils/macros/policy.sls' import policy_set with context -%}
 {{ policy_set(sls_path, '80') }}
--- a/salt/sys-git/init.top
+++ b/salt/sys-git/init.top
@ -12,3 +12,5 @@ base:
    - sys-git.install
  'sys-git':
    - sys-git.configure
+  'tpl-sys-git-sync':
+    - sys-git.install-sync
--- a/salt/sys-git/install-sync.sls
+++ b/salt/sys-git/install-sync.sls
@ -0,0 +1,32 @@
+{#
+SPDX-FileCopyrightText: 2025 The Qusal Community <>
+
+SPDX-License-Identifier: AGPL-3.0-or-later
+#}
+
+{% if grains['nodename'] != 'dom0' -%}
+
+include:
+  - utils.tools.common.update
+  - {{ slsdotfile }}.install-client
+  - sys-pgp.install-client
+  - sys-ssh-agent.install-client
+  - dotfiles.copy-git
+  - dotfiles.copy-sh
+  - dotfiles.copy-x11
+
+"{{ slsdotpath }}-installed":
+  pkg.installed:
+    - require:
+      - sls: utils.tools.common.update
+    - install_recommends: False
+    - skip_suggestions: True
+    - setopt: "install_weak_deps=False"
+    - pkgs:
+      - qubes-core-agent-networking
+      - ca-certificates
+      - curl
+      - git
+      - man-db
+
+{% endif -%}
--- a/salt/sys-git/install-sync.top
+++ b/salt/sys-git/install-sync.top
@ -0,0 +1,9 @@
+{#
+SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
+
+SPDX-License-Identifier: AGPL-3.0-or-later
+#}
+
+base:
+  'tpl-sys-git-sync':
+    - sys-git.install-sync