fix: less intrusive kicksecure default install

- Do not remove sources.list;
- Move broken packages to separate state;
- Rename to developers state and explain it breaks boot;
- Remove settings that are already the default;
- Remove configuration that is deprecated and
- Remove deprecated packages;

Fixes: https://github.com/ben-grande/qusal/issues/4
Fixes: https://github.com/ben-grande/qusal/issues/5
Fixes: https://github.com/ben-grande/qusal/issues/6
Fixes: https://github.com/ben-grande/qusal/issues/7
Fixes: https://github.com/ben-grande/qusal/issues/9
Fixes: https://github.com/ben-grande/qusal/issues/11
Fixes: https://github.com/ben-grande/qusal/issues/13

salt/kicksecure-minimal/README.md

@@ -33,10 +33,10 @@ qubesctl state.apply kicksecure-minimal.prefs
 <!-- pkg:end:post-install -->
 
 If you want to help improve Kicksecure integration on Qubes, install packages
-that are known to be broken on Qubes and report bugs upstream (get a terminal
-with `qvm-console-dispvm`):
+that are known to be broken on Qubes and can break the boot of the Kicksecure
+Qube, to report bugs upstream (get a terminal with `qvm-console-dispvm`):
 ```sh
-qubesctl --skip-dom0 --targets=kicksecure-17-minimal state.apply kicksecure-minimal.install-testing
+qubesctl --skip-dom0 --targets=kicksecure-17-minimal state.apply kicksecure-minimal.install-developers
 ```
 
 ## Usage

salt/kicksecure-minimal/files/template/grub.d/40_qusal.cfg

@@ -1,10 +0,0 @@
-# SPDX-FileCopyrightText: 2023 - 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com>
-#
-# SPDX-License-Identifier: AGPL-3.0-or-later
-
-# Values for the parameter "remountsecure"
-# 0: disable remount secure
-# 1: remount with nodev and nosuid
-# 2: remount with nodev, nosuid and noexec for most mount points excluding /home
-# 3: remount with nodev, nosuid, noexec for all mount points including /home
-GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX remountsecure=3"

salt/kicksecure-minimal/install-developers.sls

@@ -11,6 +11,19 @@ Most likely the GUI agent will break, use qvm-console-dispvm to get a terminal.
 include:
   - kicksecure-minimal.install
 
+"{{ slsdotpath }}-developers-updated":
+  pkg.uptodate:
+    - refresh: True
+
+"{{ slsdotpath }}-developers-installed":
+  pkg.installed:
+    - refresh: True
+    - install_recommends: False
+    - skip_suggestions: True
+    - pkgs:
+      - lkrg
+      - tirdad
+
 ## Breaks systemd service qubes-gui-agent
 "{{ slsdotpath }}-proc-hidepid-enabled":
   service.enabled:
@@ -50,17 +63,6 @@ include:
       - pkg: "{{ slsdotpath }}-installed"
     - name: remount-secure
 
-"{{ slsdotpath }}-remount-secure-grub-cfg":
-  file.managed:
-    - require:
-      - service: "{{ slsdotpath }}-remount-secure-enabled"
-    - name: /etc/default/grub.d/40_qusal.cfg
-    - source: salt://{{ slsdotpath }}/files/template/grub.d/40_qusal.cfg
-    - mode: '0600'
-    - user: root
-    - group: root
-    - makedirs: True
-
 "{{ slsdotpath }}-update-grub":
   cmd.run:
     - require:

salt/kicksecure-minimal/install-developers.top

@@ -7,4 +7,4 @@ SPDX-License-Identifier: AGPL-3.0-or-later
 base:
   'I@qubes:type:template and E@^kicksecure-[0-9][0-9]-minimal$':
     - match: compound
-    - kicksecure-minimal.install-testing
+    - kicksecure-minimal.install-developers

salt/kicksecure-minimal/install.sls

@@ -30,31 +30,21 @@ include:
     - skip_suggestions: True
     - pkgs:
       - kicksecure-qubes-cli
-      - lkrg-dkms
-      - hardened-kernel
-      - tirdad
       - linux-image-amd64
       - linux-headers-amd64
       - grub2
       - qubes-kernel-vm-support
 
 "{{ slsdotpath }}-remove-debian-default-sources.list":
-  file.absent:
+  file.comment:
     - require:
       - pkg: "{{ slsdotpath }}-installed"
     - name: /etc/apt/sources.list
-
-"{{ slsdotpath }}-permission-hardener-enabled":
-  service.enabled:
-    - require:
-      - pkg: "{{ slsdotpath }}-installed"
-    - name: permission-hardening
-    #- name: permission-hardener
+    - regex: "^\s*deb"
+    - ignore_missing: True
 
 "{{ slsdotpath }}-permission-hardener-conf":
   file.managed:
-    - require:
-      - service: "{{ slsdotpath }}-permission-hardener-enabled"
     - name: /etc/permission-hardener.d/40_qusal.conf
     - source: salt://{{ slsdotpath }}/files/template/permission-hardener.d/40_qusal.conf
     - mode: '0600'