diff --git a/salt/mirage-builder/configure.sls b/salt/mirage-builder/configure.sls
index 3a2706c..a15870c 100644
--- a/salt/mirage-builder/configure.sls
+++ b/salt/mirage-builder/configure.sls
@@ -40,16 +40,34 @@ include:
     - mode: '0700'
     - makedirs: True
 
-"{{ slsdotpath }}-keyring-and-trustdb":
-  file.managed:
+"{{ slsdotpath }}-save-keys":
+  file.recurse:
+    - require:
+      - file: "{{ slsdotpath }}-gnupg-home"
+    - name: /home/user/.gnupg/mirage-firewall/download/
+    - source: salt://{{ slsdotpath }}/files/client/keys/
     - user: user
     - group: user
-    - mode: '0600'
-    - names:
-      - /home/user/.gnupg/mirage-firewall/pubring.kbx:
-        - source: salt://{{ slsdotpath }}/files/client/keys/pubring.kbx
-      - /home/user/.gnupg/mirage-firewall/trustdb.gpg:
-        - source: salt://{{ slsdotpath }}/files/client/keys/trustdb.gpg
+    - file_mode: '0600'
+    - dir_mode: '0700'
+    - makedirs: True
+
+"{{ slsdotpath }}-import-keys":
+  cmd.run:
+    - require:
+      - file: "{{ slsdotpath }}-save-keys"
+    - name: gpg --status-fd=2 --homedir . --import download/*.asc
+    - cwd: /home/user/.gnupg/mirage-firewall
+    - runas: user
+    - success_stderr: IMPORT_OK
+
+"{{ slsdotpath }}-import-ownertrust":
+  cmd.run:
+    - require:
+      - cmd: "{{ slsdotpath }}-import-keys"
+    - name: gpg --homedir . --import-ownertrust download/otrust.txt
+    - cwd: /home/user/.gnupg/mirage-firewall
+    - runas: user
 
 "{{ slsdotpath }}-git-clone":
   git.latest:
@@ -83,7 +101,7 @@ include:
     - mode: '0755'
     - makedirs: True
 
-{% if salt['grains.get']('os_family') = 'RedHat' -%}
+{% if salt['grains.get']('os_family') == 'RedHat' -%}
 "{{ slsdotpath }}-file-security-context":
   cmd.run:
     - name: chcon -Rt container_file_t /home/user/docker
diff --git a/salt/mirage-builder/files/client/keys/pubring.kbx b/salt/mirage-builder/files/client/keys/pubring.kbx
deleted file mode 100644
index 25df668..0000000
Binary files a/salt/mirage-builder/files/client/keys/pubring.kbx and /dev/null differ
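Review bot: `success_stderr: IMPORT_OK` on the new `import-keys` state only relaxes failure, it does not assert that an import happened: as I read Salt's cmd.run, a non-zero gpg exit is overridden to success whenever any `[GNUPG:] IMPORT_OK` line appears on stderr, and when gpg exits zero the marker is never consulted at all. With several files matched by `download/*.asc`, one key importing fine masks another file failing, which is exactly the case where the later `--import-ownertrust` would then assign trust to a fingerprint whose key never arrived. Dropping `success_stderr` and letting gpg's exit status decide is simpler and stricter; the same state is repeated in the qubes-builder and sys-pihole hunks below. Separately, the `require` names `{{ slsdotpath }}-gnupg-home`, but unlike the other two files this one gets no rename hunk, so please confirm the directory state ending just above line 40 already carries that ID rather than the old `-gnupg-home-for-…` form, otherwise the require fails to resolve.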
diff --git a/salt/mirage-builder/files/client/keys/trustdb.gpg b/salt/mirage-builder/files/client/keys/trustdb.gpg
deleted file mode 100644
index e08b410..0000000
Binary files a/salt/mirage-builder/files/client/keys/trustdb.gpg and /dev/null differ
diff --git a/salt/qubes-builder/configure.sls b/salt/qubes-builder/configure.sls
index 94da951..0e78ba2 100644
--- a/salt/qubes-builder/configure.sls
+++ b/salt/qubes-builder/configure.sls
@@ -43,29 +43,48 @@ include:
     - target: /home/user/src/qubes-infrastructure-mirrors
     - user: user
 
-"{{ slsdotpath }}-gnupg-home-for-builder":
+"{{ slsdotpath }}-gnupg-home":
   file.directory:
     - name: /home/user/.gnupg/qubes-builder
     - user: user
     - group: user
     - mode: '0700'
 
-"{{ slsdotpath }}-keyring-and-trustdb":
-  file.managed:
+"{{ slsdotpath }}-save-keys":
+  file.recurse:
+    - require:
+      - file: "{{ slsdotpath }}-gnupg-home"
+    - name: /home/user/.gnupg/qubes-builder/download/
+    - source: salt://{{ slsdotpath }}/files/client/keys/
     - user: user
     - group: user
-    - mode: '0600'
-    - names:
-      - /home/user/.gnupg/qubes-builder/pubring.kbx:
-        - source: salt://{{ slsdotpath }}/files/client/keys/pubring.kbx
-      - /home/user/.gnupg/qubes-builder/trustdb.gpg:
-        - source: salt://{{ slsdotpath }}/files/client/keys/trustdb.gpg
+    - file_mode: '0600'
+    - dir_mode: '0700'
+    - makedirs: True
+
+"{{ slsdotpath }}-import-keys":
+  cmd.run:
+    - require:
+      - file: "{{ slsdotpath }}-save-keys"
+    - name: gpg --status-fd=2 --homedir . --import download/*.asc
+    - cwd: /home/user/.gnupg/qubes-builder
+    - runas: user
+    - success_stderr: IMPORT_OK
+
+"{{ slsdotpath }}-import-ownertrust":
+  cmd.run:
+    - require:
+      - cmd: "{{ slsdotpath }}-import-keys"
+    - name: gpg --homedir . --import-ownertrust download/otrust.txt
+    - cwd: /home/user/.gnupg/qubes-builder
+    - runas: user
 
 "{{ slsdotpath }}-git-verify-HEAD-builderv2":
   cmd.run:
     - require:
       - git: "{{ slsdotpath }}-git-clone-builderv2"
-    - name: GNUPGHOME="$HOME/.gnupg/qubes-builder" git -c gpg.program=gpg2 verify-commit "HEAD^{commit}"
+      - cmd: "{{ slsdotpath }}-import-ownertrust"
+    - name: GNUPGHOME="$HOME/.gnupg/qubes-builder" git -c gpg.program=gpg2 verify-tag "$(git describe --tags --abbrev=0)"
     - cwd: /home/user/src/qubes-builderv2
     - runas: user
 
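Review bot: The new `verify-tag "$(git describe --tags --abbrev=0)"` in `git-verify-HEAD-builderv2` checks the signature of the nearest tag reachable from HEAD, not of the commit that is actually checked out, whereas the removed `verify-commit "HEAD^{commit}"` did verify HEAD. If the `git-clone-builderv2` state (outside this hunk) pins `rev` to that tag the two coincide; if it tracks a branch, every commit between the tag and HEAD goes unverified while the state still reports success, and the state ID still says "verify-HEAD". Using an exact match makes the check fail closed when HEAD is not itself tagged: `- name: GNUPGHOME="$HOME/.gnupg/qubes-builder" git -c gpg.program=gpg2 verify-tag "$(git describe --tags --exact-match HEAD)"`.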
@@ -73,6 +92,7 @@ include:
   cmd.run:
     - require:
       - git: "{{ slsdotpath }}-git-clone-infrastructure-mirrors"
+      - cmd: "{{ slsdotpath }}-import-ownertrust"
     - name: GNUPGHOME="$HOME/.gnupg/qubes-builder" git -c gpg.program=gpg2 verify-commit "HEAD^{commit}"
     - cwd: /home/user/src/qubes-infrastructure-mirrors
     - runas: user
diff --git a/salt/qubes-builder/files/admin/policy/default.policy b/salt/qubes-builder/files/admin/policy/default.policy
index 1051544..5953898 100644
--- a/salt/qubes-builder/files/admin/policy/default.policy
+++ b/salt/qubes-builder/files/admin/policy/default.policy
@@ -5,11 +5,11 @@
 ## Do not modify this file, create a new policy with with a lower number in the
 ## file name instead. For example `30-user.policy`.
-qubes.Gpg2 * {{ sls_path }} @default ask target=sys-pgp
+qubes.Gpg2 * {{ sls_path }} @default ask target=sys-pgp default_target=sys-pgp
 qusal.GitInit +qubes-builder {{ sls_path }} @default allow target=sys-git
 qusal.GitFetch +qubes-builder {{ sls_path }} @default allow target=sys-git
-qusal.GitPush +qubes-builder {{ sls_path }} @default ask target=sys-git
+qusal.GitPush +qubes-builder {{ sls_path }} @default ask target=sys-git default_target=sys-pgp
 qusal.SshAgent +qubes-builder {{ sls_path }} @default allow target=sys-ssh-agent
 qusal.SshAgent +qubes-builder {{ sls_path }} @anyvm deny
diff --git a/salt/qubes-builder/files/client/keys/pubring.kbx b/salt/qubes-builder/files/client/keys/pubring.kbx
deleted file mode 100644
index 541232e..0000000
Binary files a/salt/qubes-builder/files/client/keys/pubring.kbx and /dev/null differ
diff --git a/salt/qubes-builder/files/client/keys/trustdb.gpg b/salt/qubes-builder/files/client/keys/trustdb.gpg
deleted file mode 100644
index d752346..0000000
Binary files a/salt/qubes-builder/files/client/keys/trustdb.gpg and /dev/null differ
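Review bot: The new `qusal.GitPush` line sets `default_target=sys-pgp` while its `target=` is `sys-git`, which reads like a copy of the `qubes.Gpg2` line above rather than the intended value; the Gpg2 line is self-consistent (both name sys-pgp), this one is not. As far as I can tell the preselected choice in the ask dialog should be a qube the rule can actually route to, so the line presumably wants `qusal.GitPush +qubes-builder {{ sls_path }} @default ask target=sys-git default_target=sys-git`. Worth checking what qrexec-policy does with a default_target outside the allowed target set before relying on the prompt default.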
diff --git a/salt/sys-pihole/files/server/keys/pubring.kbx b/salt/sys-pihole/files/server/keys/pubring.kbx
deleted file mode 100644
index 25df668..0000000
Binary files a/salt/sys-pihole/files/server/keys/pubring.kbx and /dev/null differ
diff --git a/salt/sys-pihole/files/server/keys/trustdb.gpg b/salt/sys-pihole/files/server/keys/trustdb.gpg
deleted file mode 100644
index e08b410..0000000
Binary files a/salt/sys-pihole/files/server/keys/trustdb.gpg and /dev/null differ
diff --git a/salt/sys-pihole/install.sls b/salt/sys-pihole/install.sls
index 29bd530..047dd26 100644
--- a/salt/sys-pihole/install.sls
+++ b/salt/sys-pihole/install.sls
@@ -78,7 +78,7 @@ include:
     - target: /root/pi-hole
     - force_fetch: True
 
-"{{ slsdotpath }}-gnupg-home-for-pihole":
+"{{ slsdotpath }}-gnupg-home":
   file.directory:
     - name: /root/.gnupg/pihole
     - user: root
@@ -86,16 +86,34 @@ include:
     - mode: '0700'
     - makedirs: True
 
-"{{ slsdotpath }}-keyring-and-trustdb":
-  file.managed:
-    - user: root
-    - group: root
-    - mode: '0600'
-    - names:
-      - /root/.gnupg/pihole/pubring.kbx:
-        - source: salt://{{ slsdotpath }}/files/server/keys/pubring.kbx
-      - /root/.gnupg/pihole/trustdb.gpg:
-        - source: salt://{{ slsdotpath }}/files/server/keys/trustdb.gpg
+"{{ slsdotpath }}-save-keys":
+  file.recurse:
+    - require:
+      - file: "{{ slsdotpath }}-gnupg-home"
+    - name: /root/.gnupg/pihole/download/
+    - source: salt://{{ slsdotpath }}/files/server/keys/
+    - user: user
+    - group: user
+    - file_mode: '0600'
+    - dir_mode: '0700'
+    - makedirs: True
+
+"{{ slsdotpath }}-import-keys":
+  cmd.run:
+    - require:
+      - file: "{{ slsdotpath }}-save-keys"
+    - name: gpg --status-fd=2 --homedir . --import download/*.asc
+    - cwd: /root/.gnupg/pihole
+    - runas: root
+    - success_stderr: IMPORT_OK
+
+"{{ slsdotpath }}-import-ownertrust":
+  cmd.run:
+    - require:
+      - cmd: "{{ slsdotpath }}-import-keys"
+    - name: gpg --homedir . --import-ownertrust download/otrust.txt
+    - cwd: /root/.gnupg/pihole
+    - runas: root
 
 ## The tag is annotated, using verify-commit instead.
 "{{ slsdotpath }}-git-verify-tag-pihole":
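Review bot: The new `save-keys` state creates `/root/.gnupg/pihole/download/` with `- user: user` / `- group: user`, while the parent `gnupg-home` is root-owned (the removed file.managed used `root`/`root`) and both `import-keys` and `import-ownertrust` run with `runas: root`; this looks copied from the builder states where everything runs as `user`. As written, an unprivileged account owns the `.asc` files and the `otrust.txt` that root then imports and assigns trust from, so the key material and its trust assignments are writable below the privilege at which they are consumed, and if no `user` account exists in this qube the state simply fails. The two lines should be `- user: root` / `- group: root` to match the rest of the hunk.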