diff --git a/salt/sys-git/README.md b/salt/sys-git/README.md index 3a2f7d0..91145ea 100644 --- a/salt/sys-git/README.md +++ b/salt/sys-git/README.md @@ -102,6 +102,13 @@ Installation on the client template: sudo qubesctl --skip-dom0 --targets=tpl-dev state.apply sys-git.install-client ``` +To also create one or more appVMs for syncing with remote repositories, uncomment and edit the `syncs` section in `create-sync.sls` and apply: + +```sh +sudo qubesctl state.apply sys-git.create-sync +sudo qubesctl --skip-dom0 state.apply sys-git.install-sync +``` + ## Access control _Default policy_: `any qube` can `ask` via the `@default` target if you allow @@ -216,6 +223,33 @@ Following pushes will be simpler: git push ``` +### Pushing to external remotes + +Neither `sys-git` nor your development environment should require connectivity with remote forges in order to collaborate with remote forges. For e-mail-based patch workflows, you can utilize the `mail` template as an intermediary sender. For other scenarios, we can utilize a `git-sync` VM. This allows us to separate trust zones between development and synchronizing code changes. + +In your development environment, synchronize changes to `sys-git`: + +```sh +git remote add sg qrexec://@default/qubes-doc +git checkout -b patch1 +git push -u sg patch1 +``` + +In the `git-sync` vm: + +```sh +git clone -o sg -b patch1 qrexec://@default/qubes-doc +cd qubes-doc + +git remote add ghost https://github.com/ghost/qubes-doc +git fetch ghost master +# inspect changes + +# optionally, resign commit with pgp if you have split-gpg2 set up +git commit -S --amend + +git push -u ghost patch1 +``` ## Credits * [Unman](https://github.com/unman/shaker/tree/main/git) diff --git a/salt/sys-git/clone.sls b/salt/sys-git/clone.sls index 0554d7f..f9fadf1 100644 --- a/salt/sys-git/clone.sls +++ b/salt/sys-git/clone.sls 
@@ -6,3 +6,4 @@ SPDX-License-Identifier: AGPL-3.0-or-later {% from 'utils/macros/clone-template.sls' import clone_template -%} {{ clone_template('debian-minimal', sls_path) }} +{{ clone_template('debian-minimal', sls_path ~ '-sync', include_create=False) }} diff --git a/salt/sys-git/create-sync.sls b/salt/sys-git/create-sync.sls new file mode 100644 index 0000000..66bec4d --- /dev/null +++ b/salt/sys-git/create-sync.sls @@ -0,0 +1,58 @@ +{# +SPDX-FileCopyrightText: 2025 The Qusal Community <> + +SPDX-License-Identifier: AGPL-3.0-or-later +#} + +{%- from "qvm/template.jinja" import load -%} + +include: + - {{ slsdotpath }}.clone + +{# TODO: make this properly read configuration from pillar instead of inlined in code #} +{# % set syncs = [ + { + 'name': 'example', + 'memory': 500, + 'maxmem': 700, + 'vcpus': 1, + }, +] - #%} + +{% if syncs is defined and syncs %} +{% for vm in syncs -%} +{% set prefix = slsdotpath ~ "-" ~ vm.name %} +{% load_yaml as defaults -%} +name: {{ prefix }}-sync +force: True +require: +- qvm: tpl-{{ slsdotpath }}-sync +present: +- template: tpl-{{ slsdotpath }}-sync +- label: red +prefs: +- template: tpl-{{ slsdotpath }}-sync +- label: red +- audiovm: "" +- vcpus: 1 +- memory: 200 +- maxmem: 350 +- include_in_backups: False +features: +- enable: + - servicevm + # - service.split-gpg2-client +- disable: + - service.cups + - service.cups-browsed + - service.tinyproxy +- set: + - menu-items: "qubes-run-terminal.desktop qubes-start.desktop" +tags: +- add: + - "git-sync" + +{%- endload %} +{{ load(defaults) }} +{% endfor %} +{% endif -%} diff --git a/salt/sys-git/create-sync.top b/salt/sys-git/create-sync.top new file mode 100644 index 0000000..5d8b902 --- /dev/null +++ b/salt/sys-git/create-sync.top @@ -0,0 +1,10 @@ +{# +SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. + +SPDX-License-Identifier: AGPL-3.0-or-later +#} + +base: + 'dom0': + - match: nodegroup + - sys-git.create-sync 
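Review bot: The per-entry `memory`, `maxmem` and `vcpus` keys that the commented example under `syncs` defines are never read — the `prefs` block under `{% load_yaml as defaults -%}` hard-codes `- vcpus: 1`, `- memory: 200`, `- maxmem: 350`, so every sync qube gets the same sizing regardless of its entry. Reading them with defaults keeps the example meaningful: `- vcpus: {{ vm.get('vcpus', 1) }}`, `- memory: {{ vm.get('memory', 200) }}`, `- maxmem: {{ vm.get('maxmem', 350) }}`. The block also sets no `netvm`, so each sync qube attaches to whatever the global default NetVM is while carrying the ssh-agent (and optionally split-gpg2) client role; an explicit per-entry value such as `- netvm: {{ vm.get('netvm', 'sys-firewall') }}` records that choice where it is reviewed. The commented example closes with `] - #%}`, which once uncommented as the README directs reads `] - %}`; if that space is real rather than an artifact of this view, it must be `] -%}` or the template will not parse. The `git-sync` tag added under `tags:` is not referenced by any policy in this diff; if it is meant to scope a qrexec rule for `sys-git`, a one-line Jinja comment saying so would help the next reader.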
diff --git a/salt/sys-git/create.sls b/salt/sys-git/create.sls index a1325da..6fbc3e2 100644 --- a/salt/sys-git/create.sls +++ b/salt/sys-git/create.sls @@ -50,5 +50,30 @@ features: - require: - qvm: {{ slsdotpath }} +{% load_yaml as defaults -%} +name: {{ slsdotpath }}-sync +force: True +require: +- sls: {{ slsdotpath }}.clone +present: +- template: tpl-{{ slsdotpath }}-sync +- label: gray +prefs: +- template: tpl-{{ slsdotpath }}-sync +- label: gray +- netvm: "" +- audiovm: "" +- vcpus: 1 +- memory: 200 +- maxmem: 300 +features: +- enable: + - servicevm +- disable: + - service.cups + - service.cups-browsed +{%- endload %} +{{ load(defaults) }} + {% from 'utils/macros/policy.sls' import policy_set with context -%} {{ policy_set(sls_path, '80') }} diff --git a/salt/sys-git/init.top b/salt/sys-git/init.top index 82b8018..e9b2c66 100644 --- a/salt/sys-git/init.top +++ b/salt/sys-git/init.top @@ -12,3 +12,5 @@ base: - sys-git.install 'sys-git': - sys-git.configure + 'tpl-sys-git-sync': + - sys-git.install-sync diff --git a/salt/sys-git/install-sync.sls b/salt/sys-git/install-sync.sls new file mode 100644 index 0000000..999923a --- /dev/null +++ b/salt/sys-git/install-sync.sls @@ -0,0 +1,32 @@ +{# +SPDX-FileCopyrightText: 2025 The Qusal Community <> + +SPDX-License-Identifier: AGPL-3.0-or-later +#} + +{% if grains['nodename'] != 'dom0' -%} + +include: + - utils.tools.common.update + - {{ slsdotfile }}.install-client + - sys-pgp.install-client + - sys-ssh-agent.install-client + - dotfiles.copy-git + - dotfiles.copy-sh + - dotfiles.copy-x11 + +"{{ slsdotpath }}-installed": + pkg.installed: + - require: + - sls: utils.tools.common.update + - install_recommends: False + - skip_suggestions: True + - setopt: "install_weak_deps=False" + - pkgs: + - qubes-core-agent-networking + - ca-certificates + - curl + - git + - man-db + +{% endif -%} diff --git a/salt/sys-git/install-sync.top b/salt/sys-git/install-sync.top new file mode 100644 index 0000000..5045db9 --- /dev/null 
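Review bot: The `{{ slsdotpath }}-sync` qube added here sets `- netvm: ""`, so it cannot reach the remote forges that the README describes as the purpose of a sync qube, and its relation to the per-entry `sys-git-<name>-sync` qubes defined in `create-sync.sls` (label red, no explicit `netvm`, tagged `git-sync`) is not stated anywhere. If it is intentionally a network-less base or placeholder, a short Jinja comment above the `load_yaml` block such as `{# offline sync qube; networked per-repository sync qubes come from create-sync.sls #}` prevents it being read as a misconfiguration; if `create-sync.sls` supersedes it, it can be dropped. The `require` style also differs between the two files (`- sls: {{ slsdotpath }}.clone` here versus `- qvm: tpl-{{ slsdotpath }}-sync` in `create-sync.sls`); unless the clone macro registers a state with id `tpl-sys-git-sync`, the latter will not resolve, so using the `sls` form in both is the safer choice.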
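Review bot: The package list in `{{ slsdotpath }}-installed` includes `curl` and `man-db`, neither of which the README's sync workflow (git via qrexec to `sys-git` and over https/ssh to the forge) uses; on Debian, `git` already depends on libcurl for https, so the `curl` binary is extra network-capable tooling in a qube that also gets the `sys-ssh-agent` and `sys-pgp` client pieces. Unless something else in the template needs them, trimming the list to `qubes-core-agent-networking`, `ca-certificates` and `git` keeps the template as minimal as the `debian-minimal` base that `clone.sls` starts from. If they are wanted for interactive use, a one-line comment such as `# curl, man-db: interactive convenience, not needed by git` above `- pkgs:` records that decision.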
+++ b/salt/sys-git/install-sync.top @@ -0,0 +1,9 @@ +{# +SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. + +SPDX-License-Identifier: AGPL-3.0-or-later +#} + +base: + 'tpl-sys-git-sync': + - sys-git.install-sync