refactor: import armored gpg keys instead of db

Ben Grande 2024-01-03 18:07:49 +01:00
parent 0eecbcffc4
commit 6bb426a057
10 changed files with 88 additions and 32 deletions


@ -40,16 +40,34 @@ include:
- mode: '0700'
- makedirs: True
"{{ slsdotpath }}-keyring-and-trustdb":
file.managed:
"{{ slsdotpath }}-save-keys":
file.recurse:
- require:
- file: "{{ slsdotpath }}-gnupg-home"
- name: /home/user/.gnupg/mirage-firewall/download/
- source: salt://{{ slsdotpath }}/files/client/keys/
- user: user
- group: user
- mode: '0600'
- names:
- /home/user/.gnupg/mirage-firewall/pubring.kbx:
- source: salt://{{ slsdotpath }}/files/client/keys/pubring.kbx
- /home/user/.gnupg/mirage-firewall/trustdb.gpg:
- source: salt://{{ slsdotpath }}/files/client/keys/trustdb.gpg
- file_mode: '0600'
- dir_mode: '0700'
- makedirs: True
"{{ slsdotpath }}-import-keys":
cmd.run:
- require:
- file: "{{ slsdotpath }}-save-keys"
- name: gpg --status-fd=2 --homedir . --import download/*.asc
- cwd: /home/user/.gnupg/mirage-firewall
- runas: user
- success_stderr: IMPORT_OK
"{{ slsdotpath }}-import-ownertrust":
cmd.run:
- require:
- cmd: "{{ slsdotpath }}-import-keys"
- name: gpg --homedir . --import-ownertrust download/otrust.txt
- cwd: /home/user/.gnupg/mirage-firewall
- runas: user
"{{ slsdotpath }}-git-clone":
git.latest:
@ -83,7 +101,7 @@ include:
- mode: '0755'
- makedirs: True
{% if salt['grains.get']('os_family') = 'RedHat' -%}
{% if salt['grains.get']('os_family') == 'RedHat' -%}
"{{ slsdotpath }}-file-security-context":
cmd.run:
- name: chcon -Rt container_file_t /home/user/docker
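Review bot: The new `{{ slsdotpath }}-save-keys` file.recurse has no `clean: True`, so a key file removed from `files/client/keys/` stays in `download/` and keeps being imported by the `download/*.asc` glob in `-import-keys`; `- clean: True` would make the on-disk set of armored keys mirror what the repository ships. `success_stderr: IMPORT_OK` is also wider than it looks: gpg emits an IMPORT_OK status line for each key that imported (or was already present) and, as far as I recall, still exits non-zero when another file in the glob fails to parse, so one good key would mask a broken one — dropping `success_stderr` and relying on the exit status seems safer unless gpg is known to exit non-zero here on success. If re-importing on every highstate is not intended, `onchanges` on the save-keys state instead of a plain `require` would keep the two cmd.run states from reporting a change each run. The same stanza is repeated for qubes-builder and pihole later in this commit; the pihole copy sets `user: user` / `group: user` on `/root/.gnupg/pihole/download/` while its cmd.run states use `runas: root`, which looks like a copy-paste slip.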


@ -43,29 +43,48 @@ include:
- target: /home/user/src/qubes-infrastructure-mirrors
- user: user
"{{ slsdotpath }}-gnupg-home-for-builder":
"{{ slsdotpath }}-gnupg-home":
file.directory:
- name: /home/user/.gnupg/qubes-builder
- user: user
- group: user
- mode: '0700'
"{{ slsdotpath }}-keyring-and-trustdb":
file.managed:
"{{ slsdotpath }}-save-keys":
file.recurse:
- require:
- file: "{{ slsdotpath }}-gnupg-home"
- name: /home/user/.gnupg/qubes-builder/download/
- source: salt://{{ slsdotpath }}/files/client/keys/
- user: user
- group: user
- mode: '0600'
- names:
- /home/user/.gnupg/qubes-builder/pubring.kbx:
- source: salt://{{ slsdotpath }}/files/client/keys/pubring.kbx
- /home/user/.gnupg/qubes-builder/trustdb.gpg:
- source: salt://{{ slsdotpath }}/files/client/keys/trustdb.gpg
- file_mode: '0600'
- dir_mode: '0700'
- makedirs: True
"{{ slsdotpath }}-import-keys":
cmd.run:
- require:
- file: "{{ slsdotpath }}-save-keys"
- name: gpg --status-fd=2 --homedir . --import download/*.asc
- cwd: /home/user/.gnupg/qubes-builder
- runas: user
- success_stderr: IMPORT_OK
"{{ slsdotpath }}-import-ownertrust":
cmd.run:
- require:
- cmd: "{{ slsdotpath }}-import-keys"
- name: gpg --homedir . --import-ownertrust download/otrust.txt
- cwd: /home/user/.gnupg/qubes-builder
- runas: user
"{{ slsdotpath }}-git-verify-HEAD-builderv2":
cmd.run:
- require:
- git: "{{ slsdotpath }}-git-clone-builderv2"
- name: GNUPGHOME="$HOME/.gnupg/qubes-builder" git -c gpg.program=gpg2 verify-commit "HEAD^{commit}"
- cmd: "{{ slsdotpath }}-import-ownertrust"
- name: GNUPGHOME="$HOME/.gnupg/qubes-builder" git -c gpg.program=gpg2 verify-tag "$(git describe --tags --abbrev=0)"
- cwd: /home/user/src/qubes-builderv2
- runas: user
@ -73,6 +92,7 @@ include:
cmd.run:
- require:
- git: "{{ slsdotpath }}-git-clone-infrastructure-mirrors"
- cmd: "{{ slsdotpath }}-import-ownertrust"
- name: GNUPGHOME="$HOME/.gnupg/qubes-builder" git -c gpg.program=gpg2 verify-commit "HEAD^{commit}"
- cwd: /home/user/src/qubes-infrastructure-mirrors
- runas: user
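Review bot: `{{ slsdotpath }}-git-verify-HEAD-builderv2` now runs `verify-tag "$(git describe --tags --abbrev=0)"`, which verifies the nearest tag reachable from HEAD rather than HEAD itself; if the `git.latest` state above (outside this hunk) checks out a branch instead of pinning `rev` to that tag, any commits between the tag and HEAD go unverified. Either pin the checkout to the tag being verified or keep the previous `verify-commit "HEAD^{commit}"` check alongside the tag check. The state id still says `verify-HEAD`, so at minimum a comment such as `## Verifies the latest tag reachable from HEAD, not HEAD itself` should record the intent. The added `- cmd: "{{ slsdotpath }}-import-ownertrust"` requisite in both hunks correctly orders verification after the trust database is populated.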


@ -5,11 +5,11 @@
## Do not modify this file, create a new policy with with a lower number in the
## file name instead. For example `30-user.policy`.
qubes.Gpg2 * {{ sls_path }} @default ask target=sys-pgp
qubes.Gpg2 * {{ sls_path }} @default ask target=sys-pgp default_target=sys-pgp
qusal.GitInit +qubes-builder {{ sls_path }} @default allow target=sys-git
qusal.GitFetch +qubes-builder {{ sls_path }} @default allow target=sys-git
qusal.GitPush +qubes-builder {{ sls_path }} @default ask target=sys-git
qusal.GitPush +qubes-builder {{ sls_path }} @default ask target=sys-git default_target=sys-pgp
qusal.SshAgent +qubes-builder {{ sls_path }} @default allow target=sys-ssh-agent
qusal.SshAgent +qubes-builder {{ sls_path }} @anyvm deny
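Review bot: The new `qusal.GitPush +qubes-builder {{ sls_path }} @default ask target=sys-git default_target=sys-pgp` line sets the prompt default to sys-pgp while the call is redirected to sys-git; this reads like a copy-paste from the `qubes.Gpg2` line above and should be `default_target=sys-git`. If the qrexec policy parser requires `default_target` to be among the allowed targets, the rule may be rejected at load time and take the rest of this policy file with it; if it is accepted, the prompt would preselect a qube the call cannot actually go to. Worth rendering the policy and running it through the policy linter before merging.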


@ -78,7 +78,7 @@ include:
- target: /root/pi-hole
- force_fetch: True
"{{ slsdotpath }}-gnupg-home-for-pihole":
"{{ slsdotpath }}-gnupg-home":
file.directory:
- name: /root/.gnupg/pihole
- user: root
@ -86,16 +86,34 @@ include:
- mode: '0700'
- makedirs: True
"{{ slsdotpath }}-keyring-and-trustdb":
file.managed:
- user: root
- group: root
- mode: '0600'
- names:
- /root/.gnupg/pihole/pubring.kbx:
- source: salt://{{ slsdotpath }}/files/server/keys/pubring.kbx
- /root/.gnupg/pihole/trustdb.gpg:
- source: salt://{{ slsdotpath }}/files/server/keys/trustdb.gpg
"{{ slsdotpath }}-save-keys":
file.recurse:
- require:
- file: "{{ slsdotpath }}-gnupg-home"
- name: /root/.gnupg/pihole/download/
- source: salt://{{ slsdotpath }}/files/server/keys/
- user: user
- group: user
- file_mode: '0600'
- dir_mode: '0700'
- makedirs: True
"{{ slsdotpath }}-import-keys":
cmd.run:
- require:
- file: "{{ slsdotpath }}-save-keys"
- name: gpg --status-fd=2 --homedir . --import download/*.asc
- cwd: /root/.gnupg/pihole
- runas: root
- success_stderr: IMPORT_OK
"{{ slsdotpath }}-import-ownertrust":
cmd.run:
- require:
- cmd: "{{ slsdotpath }}-import-keys"
- name: gpg --homedir . --import-ownertrust download/otrust.txt
- cwd: /root/.gnupg/pihole
- runas: root
## The tag is annotated, using verify-commit instead.
"{{ slsdotpath }}-git-verify-tag-pihole":