diff --git a/salt/kicksecure-minimal/README.md b/salt/kicksecure-minimal/README.md
index 210af35..3406ad9 100644
--- a/salt/kicksecure-minimal/README.md
+++ b/salt/kicksecure-minimal/README.md
@@ -33,10 +33,10 @@ qubesctl state.apply kicksecure-minimal.prefs
If you want to help improve Kicksecure integration on Qubes, install packages
-that are known to be broken on Qubes and report bugs upstream (get a terminal
-with `qvm-console-dispvm`):
+that are known to be broken on Qubes and can break the boot of the Kicksecure
+Qube, to report bugs upstream (get a terminal with `qvm-console-dispvm`):
```sh
-qubesctl --skip-dom0 --targets=kicksecure-17-minimal state.apply kicksecure-minimal.install-testing
+qubesctl --skip-dom0 --targets=kicksecure-17-minimal state.apply kicksecure-minimal.install-developers
```
## Usage
diff --git a/salt/kicksecure-minimal/files/template/grub.d/40_qusal.cfg b/salt/kicksecure-minimal/files/template/grub.d/40_qusal.cfg
deleted file mode 100644
index d5cc0bf..0000000
--- a/salt/kicksecure-minimal/files/template/grub.d/40_qusal.cfg
+++ /dev/null
@@ -1,10 +0,0 @@
-# SPDX-FileCopyrightText: 2023 - 2024 Benjamin Grande M. S.
-#
-# SPDX-License-Identifier: AGPL-3.0-or-later
-
-# Values for the parameter "remountsecure"
-# 0: disable remount secure
-# 1: remount with nodev and nosuid
-# 2: remount with nodev, nosuid and noexec for most mount points excluding /home
-# 3: remount with nodev, nosuid, noexec for all mount points including /home
-GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX remountsecure=3"
diff --git a/salt/kicksecure-minimal/install-testing.sls b/salt/kicksecure-minimal/install-developers.sls
similarity index 83%
rename from salt/kicksecure-minimal/install-testing.sls
rename to salt/kicksecure-minimal/install-developers.sls
index fd2120f..9c829bf 100644
--- a/salt/kicksecure-minimal/install-testing.sls
+++ b/salt/kicksecure-minimal/install-developers.sls
@@ -11,6 +11,19 @@ Most likely the GUI agent will break, use qvm-console-dispvm to get a terminal. include: - kicksecure-minimal.install +"{{ slsdotpath }}-developers-updated": + pkg.uptodate: + - refresh: True + +"{{ slsdotpath }}-developers-installed": + pkg.installed: + - refresh: True + - install_recommends: False + - skip_suggestions: True + - pkgs: + - lkrg + - tirdad + ## Breaks systemd service qubes-gui-agent "{{ slsdotpath }}-proc-hidepid-enabled": service.enabled: @@ -50,17 +63,6 @@ include: - pkg: "{{ slsdotpath }}-installed" - name: remount-secure -"{{ slsdotpath }}-remount-secure-grub-cfg": - file.managed: - - require: - - service: "{{ slsdotpath }}-remount-secure-enabled" - - name: /etc/default/grub.d/40_qusal.cfg - - source: salt://{{ slsdotpath }}/files/template/grub.d/40_qusal.cfg - - mode: '0600' - - user: root - - group: root - - makedirs: True - "{{ slsdotpath }}-update-grub": cmd.run: - require: diff --git a/salt/kicksecure-minimal/install-testing.top b/salt/kicksecure-minimal/install-developers.top similarity index 83% rename from salt/kicksecure-minimal/install-testing.top rename to salt/kicksecure-minimal/install-developers.top index a17ecef..95aaddd 100644 --- a/salt/kicksecure-minimal/install-testing.top +++ b/salt/kicksecure-minimal/install-developers.top @@ -7,4 +7,4 @@ SPDX-License-Identifier: AGPL-3.0-or-later base: 'I@qubes:type:template and E@^kicksecure-[0-9][0-9]-minimal$': - match: compound - - kicksecure-minimal.install-testing + - kicksecure-minimal.install-developers diff --git a/salt/kicksecure-minimal/install.sls b/salt/kicksecure-minimal/install.sls index 6591157..7de344e 100644 --- a/salt/kicksecure-minimal/install.sls +++ b/salt/kicksecure-minimal/install.sls 
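Review bot: The new `{{ slsdotpath }}-developers-installed` state declares no requisite on `{{ slsdotpath }}-developers-updated` or on the `{{ slsdotpath }}-installed` state pulled in from the included install.sls, so it installs after them only because of Salt's default file-order execution; an explicit `- require:` / `- pkg: "{{ slsdotpath }}-developers-updated"` keeps the dependency if the file is reordered and stops the install from running after a failed upgrade. Its `- refresh: True` then repeats the apt index refresh that `pkg.uptodate` just performed and can be dropped. Since `lkrg` and `tirdad` are the packages this commit removes from install.sls, a line under the existing header comment such as `## Packages moved out of install.sls because they are known to break this template` would make that relationship explicit for the next reader.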
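Review bot: The service state ending at `- name: remount-secure` (its key is above the hunk) still enables remount-secure, but the kernel parameter the deleted grub.d/40_qusal.cfg supplied (`remountsecure=3`, documented there as nodev/nosuid/noexec for all mount points including /home) is no longer set anywhere in this module, so the effective remount level presumably falls back to the package default, a silent reduction in hardening. If that is intended, record it next to the service state, e.g. `## remountsecure= is left at the package default; the grub.d snippet that set it to 3 was removed`, otherwise the parameter needs to be restored through another mechanism. The `- require:` list of `{{ slsdotpath }}-update-grub` continues outside the hunk; if it still names `file: "{{ slsdotpath }}-remount-secure-grub-cfg"`, that requisite is now unresolvable and the state will fail, and with no grub.d file managed here the update-grub run may have lost its reason to exist.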
@@ -30,31 +30,21 @@ include: - skip_suggestions: True - pkgs: - kicksecure-qubes-cli - - lkrg-dkms - - hardened-kernel - - tirdad - linux-image-amd64 - linux-headers-amd64 - grub2 - qubes-kernel-vm-support "{{ slsdotpath }}-remove-debian-default-sources.list": - file.absent: + file.comment: - require: - pkg: "{{ slsdotpath }}-installed" - name: /etc/apt/sources.list - -"{{ slsdotpath }}-permission-hardener-enabled": - service.enabled: - - require: - - pkg: "{{ slsdotpath }}-installed" - - name: permission-hardening - #- name: permission-hardener + - regex: "^\s*deb" + - ignore_missing: True "{{ slsdotpath }}-permission-hardener-conf": file.managed: - - require: - - service: "{{ slsdotpath }}-permission-hardener-enabled" - name: /etc/permission-hardener.d/40_qusal.conf - source: salt://{{ slsdotpath }}/files/template/permission-hardener.d/40_qusal.conf - mode: '0600'
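Review bot: `- regex: "^\s*deb"` in the new `file.comment` state puts `\s` inside a double-quoted YAML scalar, and PyYAML-based loaders such as Salt's reject `\s` as an unknown escape, so the whole install.sls fails to render instead of commenting the Debian sources. Single-quote it, `- regex: '^\s*deb'`, so the backslash reaches the regex unchanged. Removing the `require` from `{{ slsdotpath }}-permission-hardener-conf` (last lines of the hunk) also means the config file is written even when `{{ slsdotpath }}-installed` failed; `- require:` / `- pkg: "{{ slsdotpath }}-installed"` keeps that dependency without the removed service state. With `{{ slsdotpath }}-permission-hardener-enabled` gone and nothing enabling the service in its place, `40_qusal.conf` is only applied if the package enables the service by default, which is worth confirming before merging.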