feat: deploy Qusal Builder configuration

For: https://github.com/ben-grande/qusal/issues/59

.reuse/dep5

@@ -57,6 +57,10 @@ Copyright: The Qubes OS Project <https://www.qubes-os.org>
            Simon Gaiser <simon@invisiblethingslab.com>
 License: CC0-1.0
 
+Files: salt/qubes-builder/files/client/qusal/keys/*
+Copyright: 2023 - 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com>
+License: CC0-1.0
+
 Files: salt/kicksecure-minimal/files/template/ld.so.preload
 Copyright: 2014 Patrick Schleizer <adrelanos@kicksecure.com>
 License: CC0-1.0

salt/qubes-builder/README.md

@@ -56,6 +56,11 @@ is recommended to install some development goodies:
 sudo qubesctl --skip-dom0 --targets=tpl-qubes-builder state.apply qubes-builder.install-dev
 ```
 
+If you plan on building Qusal packages (Development only):
+```sh
+sudo qubesctl --skip-dom0 --targets=qubes-builder state.apply qubes-builder.configure-qusal
+```
+
 ## Access Control
 
 The policy is based on `qubes-builderv2/rpc/50-qubesbuilder.policy`.
@@ -94,3 +99,19 @@ executor:
 ```
 Setting the Disposable VM  to Dom0 works because it will use the
 `default_dispvm` preference of `qubes-builder`, which is `dvm-qubes-builder`.
+
+### Build Qusal
+
+**Warning**: development only.
+
+You can easily build Qusal as a default configuration is provided.
+
+Place only the following in `builder.yml`:
+```yaml
+include:
+  - ../qusal-builder/qusal.yml
+```
+
+To run the `sign` state, you will need to change the configuration option
+`sign-key:rpm:KEY` to your key fingerprint as well as import the same key to
+the default GnuPG home directory `~/.gnupg`.

salt/qubes-builder/configure-qusal.sls

@@ -0,0 +1,69 @@
+{#
+SPDX-FileCopyrightText: 2023 - 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com>
+
+SPDX-License-Identifier: AGPL-3.0-or-later
+#}
+
+{% if grains['nodename'] != 'dom0' -%}
+
+include:
+  - .configure
+
+"{{ slsdotpath }}-makedir-qusal-builder":
+  file.directory:
+    - name: /home/user/src/qusal-builder
+    - user: user
+    - group: user
+    - mode: '0755'
+    - makedirs: True
+
+"{{ slsdotpath }}-qusal-save-configuration":
+  file.recurse:
+    - require:
+      - file: "{{ slsdotpath }}-makedir-qusal-builder"
+    - name: /home/user/src/qusal-builder
+    - source: salt://{{ slsdotpath }}/files/client/qusal/
+    - user: user
+    - group: user
+    - file_mode: '0644'
+    - dir_mode: '0755'
+    - makedirs: True
+
+"{{ slsdotpath }}-qusal-gnupg-home":
+  file.directory:
+    - name: /home/user/.gnupg/qusal-builder
+    - user: user
+    - group: user
+    - mode: '0700'
+    - makedirs: True
+
+"{{ slsdotpath }}-qusal-save-keys":
+  file.recurse:
+    - require:
+      - file: "{{ slsdotpath }}-qusal-gnupg-home"
+    - name: /home/user/.gnupg/qusal-builder/download/
+    - source: salt://{{ slsdotpath }}/files/client/qusal/keys/
+    - user: user
+    - group: user
+    - file_mode: '0600'
+    - dir_mode: '0700'
+    - makedirs: True
+
+"{{ slsdotpath }}-qusal-import-keys":
+  cmd.run:
+    - require:
+      - file: "{{ slsdotpath }}-qusal-save-keys"
+    - name: gpg --status-fd=2 --homedir . --import download/*.asc
+    - cwd: /home/user/.gnupg/qusal-builder
+    - runas: user
+    - success_stderr: IMPORT_OK
+
+"{{ slsdotpath }}-qusal-import-ownertrust":
+  cmd.run:
+    - require:
+      - cmd: "{{ slsdotpath }}-qusal-import-keys"
+    - name: gpg --homedir . --import-ownertrust download/otrust.txt
+    - cwd: /home/user/.gnupg/qusal-builder
+    - runas: user
+
+{% endif -%}

salt/qubes-builder/configure-qusal.top

@@ -0,0 +1,9 @@
+{#
+SPDX-FileCopyrightText: 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com>
+
+SPDX-License-Identifier: AGPL-3.0-or-later
+#}
+
+base:
+  'qubes-builder':
+    - qubes-builder.configure-qusal

salt/qubes-builder/files/client/qusal/keys/DF3834875B65758713D93E91A475969DE4E371E3.asc

@@ -0,0 +1,25 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mDMEZGZAKxYJKwYBBAHaRw8BAQdAzFB23KFLShkm+1ES6N8i6HVJ1B7Krqj0yXo3
+L/l30NCIywQfFgoAfQWCZGZAKwMLCQcJEKR1lp3k43HjRxQAAAAAAB4AIHNhbHRA
+bm90YXRpb25zLnNlcXVvaWEtcGdwLm9yZyeI6TGfVTZAp3yhEOrLKTMwsOPF/yIH
+mt8kAJlr2HGmAxUKCAKbAQIeARYhBN84NIdbZXWHE9kukaR1lp3k43HjAABdQwEA
+whLqF/ei31DnMQKwvg+b7zPYbm/q8D9uyGkfcVkbZygA/0ddoR7N2btc+Xkq9YO0
+HUBq0fh4kZKoXhigN80rM1oBtDZCZW4gR3JhbmRlIChDb2RlIHNpZ25pbmcga2V5
+KSA8YmVuLmdyYW5kZS5iQGdtYWlsLmNvbT6IzgQTFgoAgAWCZGZAKwMLCQcJEKR1
+lp3k43HjRxQAAAAAAB4AIHNhbHRAbm90YXRpb25zLnNlcXVvaWEtcGdwLm9yZ2Nk
+JbOh6BctVi8+X8FzBteAzpLjefrZYuRm6rkYv8ZDAxUKCAKZAQKbAQIeARYhBN84
+NIdbZXWHE9kukaR1lp3k43HjAAA+vgD/Sejx9K2Zvre5upU6C7ir2WZRqEPCKvy5
+wFU1h4N+40wBAMr/WsLSJSD6TOwgdYfBDczEue1gc6zP+xA7Or7VujICuDMEZGZA
+KxYJKwYBBAHaRw8BAQdALj8b1CVE4cqUI3gSFGaZW+af9DIwCzBygvo83iG1xJKJ
+AYIEGBYKATQFgmRmQCsJEKR1lp3k43HjRxQAAAAAAB4AIHNhbHRAbm90YXRpb25z
+LnNlcXVvaWEtcGdwLm9yZ2iMz6GUuNxM1dDPp3PXPgsGGGlKi/vU+sojIkznrYCc
+ApsCAh4BvqAEGRYKAG8FgmRmQCsJEADGThT1H55WRxQAAAAAAB4AIHNhbHRAbm90
+YXRpb25zLnNlcXVvaWEtcGdwLm9yZwTyiHExlhRK2ulMEfrIv0IhSOEhTWDj8oi7
+aXjg7pt0FiEE79pdfpoB+pm/oGLhAMZOFPUfnlYAAMIvAQDB/ARSBZyN+L8L7OA9
+RLfUyNSUuQJltnIj0ljM2V8FZQD/b2mwtdYsSm1C10ftPSbTpeFVCTkkAK626QWQ
+yXQTxQcWIQTfODSHW2V1hxPZLpGkdZad5ONx4wAAfzIA/R1eIybunPwpAziHhMxN
+IP6iA/8/w1F6Li4ImZ/QhYW5AQCi8+0e8/NgQaI4FEqs/36cfi17XL5C5VbvbKi4
+0g+rDQ==
+=CkKA
+-----END PGP PUBLIC KEY BLOCK-----

salt/qubes-builder/files/client/qusal/keys/otrust.txt

@@ -0,0 +1,3 @@
+# List of assigned trustvalues, created Thu 02 Nov 2023 09:43:48 PM UTC
+# (Use "gpg --import-ownertrust" to restore them)
+DF3834875B65758713D93E91A475969DE4E371E3:6:

salt/qubes-builder/files/client/qusal/qusal.yml

@@ -15,7 +15,7 @@ git:
     - DF3834875B65758713D92E91A475969DE4E371E3
 
 key-dirs:
-  - ../qusal/keys/
+  - ../qusal-builder/keys/
 backend-vmm: xen
 debug: true
 verbose: true