fix: less intrusive kicksecure default install

- Do not remove sources.list;
- Move broken packages to separate state;
- Rename to developers state and explain it breaks boot;
- Remove settings that are already the default;
- Remove configuration that is deprecated and
- Remove deprecated packages;

Fixes: https://github.com/ben-grande/qusal/issues/4
Fixes: https://github.com/ben-grande/qusal/issues/5
Fixes: https://github.com/ben-grande/qusal/issues/6
Fixes: https://github.com/ben-grande/qusal/issues/7
Fixes: https://github.com/ben-grande/qusal/issues/9
Fixes: https://github.com/ben-grande/qusal/issues/11
Fixes: https://github.com/ben-grande/qusal/issues/13
This commit is contained in:
Ben Grande 2024-02-01 17:40:26 +01:00
parent e35c9fbf4b
commit 4b87d937df
No known key found for this signature in database
GPG key ID: 00C64E14F51F9E56
5 changed files with 20 additions and 38 deletions


@ -33,10 +33,10 @@ qubesctl state.apply kicksecure-minimal.prefs
<!-- pkg:end:post-install --> <!-- pkg:end:post-install -->
If you want to help improve Kicksecure integration on Qubes, install packages If you want to help improve Kicksecure integration on Qubes, install packages
that are known to be broken on Qubes and report bugs upstream (get a terminal that are known to be broken on Qubes and can break the boot of the Kicksecure
with `qvm-console-dispvm`): Qube, to report bugs upstream (get a terminal with `qvm-console-dispvm`):
```sh ```sh
qubesctl --skip-dom0 --targets=kicksecure-17-minimal state.apply kicksecure-minimal.install-testing qubesctl --skip-dom0 --targets=kicksecure-17-minimal state.apply kicksecure-minimal.install-developers
``` ```
## Usage ## Usage


@ -1,10 +0,0 @@
# SPDX-FileCopyrightText: 2023 - 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com>
#
# SPDX-License-Identifier: AGPL-3.0-or-later
# Values for the parameter "remountsecure"
# 0: disable remount secure
# 1: remount with nodev and nosuid
# 2: remount with nodev, nosuid and noexec for most mount points excluding /home
# 3: remount with nodev, nosuid, noexec for all mount points including /home
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX remountsecure=3"


@ -11,6 +11,19 @@ Most likely the GUI agent will break, use qvm-console-dispvm to get a terminal.
include: include:
- kicksecure-minimal.install - kicksecure-minimal.install
"{{ slsdotpath }}-developers-updated":
pkg.uptodate:
- refresh: True
"{{ slsdotpath }}-developers-installed":
pkg.installed:
- refresh: True
- install_recommends: False
- skip_suggestions: True
- pkgs:
- lkrg
- tirdad
## Breaks systemd service qubes-gui-agent ## Breaks systemd service qubes-gui-agent
"{{ slsdotpath }}-proc-hidepid-enabled": "{{ slsdotpath }}-proc-hidepid-enabled":
service.enabled: service.enabled:
@ -50,17 +63,6 @@ include:
- pkg: "{{ slsdotpath }}-installed" - pkg: "{{ slsdotpath }}-installed"
- name: remount-secure - name: remount-secure
"{{ slsdotpath }}-remount-secure-grub-cfg":
file.managed:
- require:
- service: "{{ slsdotpath }}-remount-secure-enabled"
- name: /etc/default/grub.d/40_qusal.cfg
- source: salt://{{ slsdotpath }}/files/template/grub.d/40_qusal.cfg
- mode: '0600'
- user: root
- group: root
- makedirs: True
"{{ slsdotpath }}-update-grub": "{{ slsdotpath }}-update-grub":
cmd.run: cmd.run:
- require: - require:
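Review bot: Removing `{{ slsdotpath }}-remount-secure-grub-cfg` in the second hunk leaves `{{ slsdotpath }}-update-grub` with a `require:` list whose entries lie past the end of the hunk; if that list still names the removed file state, Salt aborts the whole run with an unsatisfied requisite, so it should now point at `- service: "{{ slsdotpath }}-remount-secure-enabled"` or be dropped together with the update-grub state if nothing writes GRUB configuration any more. In the first hunk, `{{ slsdotpath }}-developers-installed` sets `- refresh: True` immediately after `{{ slsdotpath }}-developers-updated` has already refreshed the index via `pkg.uptodate`, so the second refresh is redundant and can be removed. The update-grub state continues outside the hunk.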


@ -7,4 +7,4 @@ SPDX-License-Identifier: AGPL-3.0-or-later
base: base:
'I@qubes:type:template and E@^kicksecure-[0-9][0-9]-minimal$': 'I@qubes:type:template and E@^kicksecure-[0-9][0-9]-minimal$':
- match: compound - match: compound
- kicksecure-minimal.install-testing - kicksecure-minimal.install-developers


@ -30,31 +30,21 @@ include:
- skip_suggestions: True - skip_suggestions: True
- pkgs: - pkgs:
- kicksecure-qubes-cli - kicksecure-qubes-cli
- lkrg-dkms
- hardened-kernel
- tirdad
- linux-image-amd64 - linux-image-amd64
- linux-headers-amd64 - linux-headers-amd64
- grub2 - grub2
- qubes-kernel-vm-support - qubes-kernel-vm-support
"{{ slsdotpath }}-remove-debian-default-sources.list": "{{ slsdotpath }}-remove-debian-default-sources.list":
file.absent: file.comment:
- require: - require:
- pkg: "{{ slsdotpath }}-installed" - pkg: "{{ slsdotpath }}-installed"
- name: /etc/apt/sources.list - name: /etc/apt/sources.list
- regex: "^\s*deb"
"{{ slsdotpath }}-permission-hardener-enabled": - ignore_missing: True
service.enabled:
- require:
- pkg: "{{ slsdotpath }}-installed"
- name: permission-hardening
#- name: permission-hardener
"{{ slsdotpath }}-permission-hardener-conf": "{{ slsdotpath }}-permission-hardener-conf":
file.managed: file.managed:
- require:
- service: "{{ slsdotpath }}-permission-hardener-enabled"
- name: /etc/permission-hardener.d/40_qusal.conf - name: /etc/permission-hardener.d/40_qusal.conf
- source: salt://{{ slsdotpath }}/files/template/permission-hardener.d/40_qusal.conf - source: salt://{{ slsdotpath }}/files/template/permission-hardener.d/40_qusal.conf
- mode: '0600' - mode: '0600'
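Review bot: `- regex: "^\s*deb"` in `{{ slsdotpath }}-remove-debian-default-sources.list` puts `\s` inside a double-quoted YAML scalar, which is not a valid YAML escape sequence; PyYAML-based loaders such as Salt's reject it with "found unknown escape character", so the whole state file fails to render. Single-quote the value so the backslash reaches the regex untouched: `- regex: '^\s*deb'`. Since the pattern also disables `deb-src` lines, a one-line comment above the state saying that both `deb` and `deb-src` entries are commented out on purpose (mirroring the previous `file.absent` behaviour) would make the intent explicit.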