refactor: prefer systemd sockets over socat

- Document preferred method for socket use depending on use case; - Fix Github web-flow key; - Standardize naming of services; - Use sys-ssh in ansible formula; - Start services conditionally with Qubes Service and evaluated by systemd ConditionPathExists= instead of installing on a per qube basis with rc.local scripts; - Change Qusal services to "qusal-" prefix instead of "qubes-" prefix. Fixes: https://github.com/ben-grande/qusal/issues/80 Fixes: https://github.com/ben-grande/qusal/issues/79
2025-07-25 23:45:39 -04:00 · 2024-06-25 22:16:26 +02:00 · 2024-06-25 22:16:26 +02:00 · 9c280689d8
commit 9c280689d8
parent 3880a35cfa
106 changed files with 606 additions and 567 deletions
--- a/docs/DESIGN.md
+++ b/docs/DESIGN.md
@ -14,8 +14,10 @@ Qusal design document.
    * [Qube naming](#qube-naming)
    * [Qube label](#qube-label)
    * [Qube menu](#qube-menu)
    * [Qube features](#qube-features)
  * [Qube connections](#qube-connections)
  * [Qrexec call and policy](#qrexec-call-and-policy)
  * [Qrexec socket services](#qrexec-socket-services)
 ## Goal
@ -167,6 +169,21 @@ building software is risky, the user trying to open a file manager on a qube
 that doesn't have one is less risky but for the user the behavior is
 unexpected.
 ### Qube features
 Control daemons using Qubes Services. It is much better to control services
 this way as we can declare during the creation of qubes instead of having to
 add a state to run a script during boot to unmask and start a specific
 service. The method below is most of the times combined with `systemd.unit`
 `ConditionPathExists=` to enable the service conditionally.
 - Server's service name must match the syntax: `service-server` (example:
  `rsync-server`, `syncthing-server`);
 - Client's service name must match the syntax: `service-client` (example:
  `ssh-client`;
 - Local program's service name must match the syntax: `service` (example:
  `docker`, `podman`.
 ### Qube connections
 There are several ways a qube can connect to another, either directly with
@ -202,3 +219,40 @@ Xen or with Qrexec. If something is not required, we remove it.
    `qrexec-client-vm`.
 3.  Target qube for client script must default to `@default`, but other targets
    must be allowed via parameters.
 ### Qrexec socket services
 Native Qrexec TCP sockets `/dev/tcp` using `qubes.ConnectTCP` are very handy
 to connect to a port of a qube. The downside of using `qubes.ConnectTCP`
 directly is the user doesn't want or need to know in which port the client
 wants to connect in the server. We will refer to Unix Domains Sockets as
 `UDS`.
 Using `qusal.Service`, such as `qusal.Rsync`, `qusal.Syncthing`, `qusal.Ssh`
 has the following advantages:
 - Usability: User recognizes the call per service name;
 - Extensibility: Allows extending functionality for arguments added in the
  future, no need to migrate user policy from `qubes.ConnectTCP`;
  is not necessary;
 Rules for server RPC service:
 - Symlink `qubes.ConnectTCP` to `qusal.Service` if connecting to a local port;
 - Use `qubes.ConnectTCP` directly when the user won't manage the policy for
  the wanted call, such as `sys-syncthing-browser`, where it happens that only
  this qube will access the admin interface of `sys-syncthing`;
 - Use `socat` to connect to remote hosts or UDS with path defined by the
  service argument.
 Rules for client RPC call:
 - Use `systemd.socket` units, it does not require `socat`, it is not
  restricted to the use of `qubes.ConnectTCP` called by `qvm-connect-tcp`, the
  service can be properly logged and status verified by a service manager
  instead of forking socat to the background with a `rc.local` script and
  finally, can be controlled by Qubes Services to enable or disable the unit
  with `ConditionPathExists=` instead of doing if-else statements in
  `rc.local`;
 - Use of `socat` and `qvm-connect-tcp` is permitted for UDS and for
  instructional use as it is very short.
--- a/qubesbuilder/qusal.yml
+++ b/qubesbuilder/qusal.yml
@ -69,12 +69,10 @@ stages:
 gpg-client: gpg
 sign-key:
-  rpm:
+  rpm: DF3834875B65758713D92E91A475969DE4E371E3
    - DF3834875B65758713D92E91A475969DE4E371E3
-#repository-publish:
+repository-publish:
-#  components: current-testing
+  components: current-testing
 # repository-upload-remote-host:
-#  rpm: user@yum.qubes-os.org:/some/path
+#   rpm: user@yum.example.org:/some/path
 #  deb: user@deb.qubes-os.org:/another/path
--- a/rpm_spec/qusal-ansible.spec
+++ b/rpm_spec/qusal-ansible.spec
@ -30,7 +30,9 @@ BuildArch:      noarch
 Requires:       qubes-mgmt-salt
 Requires:       qubes-mgmt-salt-dom0
 Requires:       qusal-dotfiles
 Requires:       qusal-ssh
 Requires:       qusal-sys-ssh
 Requires:       qusal-utils
@ -73,8 +75,6 @@ if test "$1" = "1"; then
  ## Install
  qubesctl state.apply ansible.create
  qubesctl --skip-dom0 --targets=tpl-ansible state.apply ansible.install
  qubesctl --skip-dom0 --targets=ansible state.apply ansible.configure,zsh.touch-zshrc
  qubesctl --skip-dom0 --targets=ansible-minion state.apply ansible.configure-minion,zsh.touch-zshrc
 elif test "$1" = "2"; then
  ## Upgrade
  true
@ -107,6 +107,9 @@ fi
 %dnl TODO: missing '%ghost', files generated during %post, such as Qrexec policies.
 %changelog
 * Tue Jun 25 2024 Ben Grande <ben.grande.b@gmail.com> - 3880a35
 - fix: ansible references legacy zsh state
 * Mon Jun 24 2024 Ben Grande <ben.grande.b@gmail.com> - ab1438f
 - fix: change Launchpad repository to HTTPS domain
--- a/rpm_spec/qusal-docker.spec
+++ b/rpm_spec/qusal-docker.spec
@ -72,7 +72,6 @@ cp -rv salt/%{project} %{buildroot}/srv/salt/qusal/%{name}
 if test "$1" = "1"; then
  ## Install
  qubesctl --skip-dom0 --targets=tpl-qubes-builder state.apply docker.install
  qubesctl --skip-dom0 --targets=qubes-builder state.apply docker.configure
 elif test "$1" = "2"; then
  ## Upgrade
  true
--- a/rpm_spec/qusal-sys-net.spec
+++ b/rpm_spec/qusal-sys-net.spec
@ -114,6 +114,9 @@ fi
 %dnl TODO: missing '%ghost', files generated during %post, such as Qrexec policies.
 %changelog
 * Tue Jun 25 2024 Ben Grande <ben.grande.b@gmail.com> - 4facf45
 - feat: use native TCP socket with Qrexec
 * Fri Jun 21 2024 Ben Grande <ben.grande.b@gmail.com> - c84dfea
 - fix: generate RPM Specs for Qubes Builder V2
--- a/rpm_spec/qusal-sys-print.spec
+++ b/rpm_spec/qusal-sys-print.spec
@ -111,6 +111,9 @@ fi
 %dnl TODO: missing '%ghost', files generated during %post, such as Qrexec policies.
 %changelog
 * Tue Jun 25 2024 Ben Grande <ben.grande.b@gmail.com> - 4facf45
 - feat: use native TCP socket with Qrexec
 * Fri Jun 21 2024 Ben Grande <ben.grande.b@gmail.com> - c84dfea
 - fix: generate RPM Specs for Qubes Builder V2
--- a/rpm_spec/qusal-sys-rsync.spec
+++ b/rpm_spec/qusal-sys-rsync.spec
@ -114,6 +114,9 @@ fi
 %dnl TODO: missing '%ghost', files generated during %post, such as Qrexec policies.
 %changelog
 * Tue Jun 25 2024 Ben Grande <ben.grande.b@gmail.com> - 4facf45
 - feat: use native TCP socket with Qrexec
 * Fri Jun 21 2024 Ben Grande <ben.grande.b@gmail.com> - c84dfea
 - fix: generate RPM Specs for Qubes Builder V2
--- a/rpm_spec/qusal-sys-ssh.spec
+++ b/rpm_spec/qusal-sys-ssh.spec
@ -30,7 +30,6 @@ BuildArch:      noarch
 Requires:       qubes-mgmt-salt
 Requires:       qubes-mgmt-salt-dom0
 Requires:       qusal-dev
 Requires:       qusal-sys-ssh-agent
 Requires:       qusal-utils
@ -83,7 +82,6 @@ if test "$1" = "1"; then
  ## Install
  qubesctl state.apply sys-ssh.create
  qubesctl --skip-dom0 --targets=tpl-sys-ssh state.apply sys-ssh.install
  qubesctl --skip-dom0 --targets=sys-ssh state.apply sys-ssh.configure
 elif test "$1" = "2"; then
  ## Upgrade
  true
@ -116,6 +114,9 @@ fi
 %dnl TODO: missing '%ghost', files generated during %post, such as Qrexec policies.
 %changelog
 * Tue Jun 25 2024 Ben Grande <ben.grande.b@gmail.com> - 4facf45
 - feat: use native TCP socket with Qrexec
 * Mon Jun 24 2024 Ben Grande <ben.grande.b@gmail.com> - 22e2a2e
 - chore: add copyright to systemd services
--- a/rpm_spec/qusal-sys-syncthing.spec
+++ b/rpm_spec/qusal-sys-syncthing.spec
@ -96,7 +96,6 @@ if test "$1" = "0"; then
  ## Uninstall
  qvm-port-forward -a del -q sys-syncthing -n tcp -p 22000
  qvm-port-forward -a del -q sys-syncthing -n udp -p 22000
  qubesctl --skip-dom0 --targets=sys-syncthing state.apply sys-syncthing.cancel
  qubesctl state.apply sys-syncthing.clean
 elif test "$1" = "1"; then
  ## Upgrade
@ -121,6 +120,9 @@ fi
 %dnl TODO: missing '%ghost', files generated during %post, such as Qrexec policies.
 %changelog
 * Tue Jun 25 2024 Ben Grande <ben.grande.b@gmail.com> - 4facf45
 - feat: use native TCP socket with Qrexec
 * Mon Jun 24 2024 Ben Grande <ben.grande.b@gmail.com> - 22e2a2e
 - chore: add copyright to systemd services
--- a/salt/ansible/README.md
+++ b/salt/ansible/README.md
@ -26,28 +26,13 @@ sudo qubesctl top.disable ansible
 ```sh
 sudo qubesctl state.apply ansible.create
 sudo qubesctl --skip-dom0 --targets=tpl-ansible state.apply ansible.install
 sudo qubesctl --skip-dom0 --targets=ansible state.apply ansible.configure
 sudo qubesctl --skip-dom0 --targets=ansible-minion state.apply ansible.configure-minion
 ```
 <!-- pkg:end:post-install -->
 ## Usage
-Configure the control node `ansible`:
+From the control node `ansible`, test connection to the managed node
 ```sh
 ssh-keygen -t ed25519 -N "" -f ~/.ssh/id_ansible
 qvm-copy ~/.ssh/id_ansible.pub
 ```
 Select `ansible-minion` as the target qube for the copy operation.
 Configure the minion `ansible-minion`:
 ```sh
 mkdir -m 0700 ~/.ssh
 cat ~/QubesIncoming/ansible/id_ansible.pub >> ~/.ssh/authorized_keys
 ```
 From the control node `ansible`, test connection to the minion
 `ansible-minion`:
 ```sh
-ssh minion
+ssh -p 1840 user@127.0.0.1
 ```
--- a/salt/ansible/configure-minion.sls
+++ b/salt/ansible/configure-minion.sls
@ -1,30 +0,0 @@
 {#
 SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
 SPDX-License-Identifier: AGPL-3.0-or-later
 #}
 {% if grains['nodename'] != 'dom0' -%}
 include:
  - utils.tools.zsh.touch-zshrc
 "{{ slsdotpath }}-minion-start-sshd":
  file.managed:
    - name: /rw/config/rc.local.d/50-ansible.rc
    - source: salt://{{ slsdotpath }}/files/client/rc.local.d/50-ansible.rc
    - mode: '0755'
    - user: root
    - group: root
    - makedirs: True
 "{{ slsdotpath }}-minion-ssh-authorized_keys":
  file.touch:
    - name: /home/user/.ssh/authorized_keys
    - dir_mode: '0700'
    - file_mode: '0600'
    - user: user
    - group: user
    - makedirs: True
 {% endif -%}
--- a/salt/ansible/configure-minion.top
+++ b/salt/ansible/configure-minion.top
@ -1,9 +0,0 @@
 {#
 SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
 SPDX-License-Identifier: AGPL-3.0-or-later
 #}
 base:
  'ansible':
    - ansible.configure-minion
--- a/salt/ansible/configure.sls
+++ b/salt/ansible/configure.sls
@ -1,31 +0,0 @@
 {#
 SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
 SPDX-License-Identifier: AGPL-3.0-or-later
 #}
 {% if grains['nodename'] != 'dom0' -%}
 include:
  - utils.tools.zsh.touch-zshrc
 "{{ slsdotpath }}-autostart-ssh-over-qrexec":
  file.managed:
    - name: /rw/config/rc.local.d/50-ansible.rc
    - source: salt://{{ slsdotpath }}/files/server/rc.local.d/50-ansible.rc
    - mode: '0755'
    - user: root
    - group: root
    - makedirs: True
 "{{ slsdotpath }}-ssh-config":
  file.managed:
    - name: /home/user/.ssh/config
    - source: salt://{{ slsdotpath }}/files/server/ssh-config
    - file_mode: '0600'
    - dir_mode: '0700'
    - user: root
    - group: root
    - makedirs: True
 {% endif -%}
--- a/salt/ansible/configure.top
+++ b/salt/ansible/configure.top
@ -1,9 +0,0 @@
 {#
 SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
 SPDX-License-Identifier: AGPL-3.0-or-later
 #}
 base:
  'ansible':
    - ansible.configure
--- a/salt/ansible/create.sls
+++ b/salt/ansible/create.sls
@ -46,6 +46,8 @@ prefs:
 features:
 - set:
  - menu-items: "qubes-run-terminal.desktop qubes-start.desktop"
 - enable:
  - service.ssh-client
 - disable:
  - service.cups
  - service.cups-browsed
@ -73,6 +75,9 @@ prefs:
 features:
 - set:
  - menu-items: "qubes-run-terminal.desktop qubes-start.desktop"
 - enable:
  - servicevm
  - service.ssh-server
 - disable:
  - service.cups
  - service.cups-browsed
--- a/salt/ansible/files/admin/policy/default.policy
+++ b/salt/ansible/files/admin/policy/default.policy
@ -2,5 +2,5 @@
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
-qubes.ConnectTCP  +22  {{ sls_path }}  @default  allow target={{ sls_path }}-minion
+qusal.Ssh  *  {{ sls_path }}  @default  allow target={{ sls_path }}-minion
 ## vim:ft=qrexecpolicy
--- a/salt/ansible/files/client/99-sshd-ansible.conf
+++ b/salt/ansible/files/client/99-sshd-ansible.conf
@ -1,7 +0,0 @@
 # SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
 PubkeyAuthentication yes
 # vim: ft=sshdconfig
--- a/salt/ansible/files/client/rc.local.d/50-ansible.rc
+++ b/salt/ansible/files/client/rc.local.d/50-ansible.rc
@ -1,8 +0,0 @@
 #!/bin/sh
 # vim: ft=sh
 # SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
 systemctl unmask ssh
 systemctl --no-block start ssh
--- a/salt/ansible/files/server/99-ssh-ansible.conf
+++ b/salt/ansible/files/server/99-ssh-ansible.conf
@ -1,12 +0,0 @@
 # SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
 Host minion ansible-minion
        Hostname 127.0.0.1
        Port 22000
        User user
        IdentityFile ~/.ssh/id_ansible.pub
        PreferredAuthentications publickey
 # vim: ft=sshconfig
--- a/salt/ansible/files/server/rc.local.d/50-ansible.rc
+++ b/salt/ansible/files/server/rc.local.d/50-ansible.rc
@ -1,7 +0,0 @@
 #!/bin/sh
 # vim: ft=sh
 # SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
 qvm-connect-tcp 22000:@default:22
--- a/salt/ansible/init.top
+++ b/salt/ansible/init.top
@ -10,7 +10,3 @@ base:
    - ansible.create
  'tpl-ansible':
    - ansible.install
  'ansible':
    - ansible.configure
  'ansible-minion':
    - ansible.configure-minion
--- a/salt/ansible/install.sls
+++ b/salt/ansible/install.sls
@ -9,7 +9,10 @@ SPDX-License-Identifier: AGPL-3.0-or-later
 include:
  - .install-repo
  - utils.tools.common.update
-  - utils.tools.zsh
+  - dotfiles.copy-sh
  - dotfiles.copy-x11
  - sys-ssh.install
  - sys-ssh.install-client
  - ssh.install
 "{{ slsdotpath }}-installed":
@ -26,7 +29,6 @@ include:
      - ansible-lint
      - python3-argcomplete
      - python3-jmespath
      - openssh-server
      - qubes-core-agent-passwordless-root
      - bash-completion
      - man-db
@ -48,20 +50,4 @@ include:
    - skip_suggestions: True
    - pkgs: {{ pkg.pkg|sequence|yaml }}
 "{{ slsdotpath }}-ssh-config":
  file.managed:
    - name: /etc/ssh/ssh_config.d/99-ssh-ansible.conf
    - source: salt://{{ slsdotpath }}/files/server/99-ssh-ansible.conf
    - mode: '0644'
    - user: root
    - group: root
 "{{ slsdotpath }}-sshd-config":
  file.managed:
    - name: /etc/ssh/sshd_config.d/99-sshd-ansible.conf
    - source: salt://{{ slsdotpath }}/files/client/99-sshd-ansible.conf
    - mode: '0644'
    - user: root
    - group: root
 {% endif -%}
--- a/salt/docker/README.md
+++ b/salt/docker/README.md
@ -14,10 +14,12 @@ Setup docker in Qubes OS with the Docker repository.
 ## Installation
 TODO: remove installation steps or provide a docker qube.
 - Top
 ```sh
 sudo qubesctl top.enable docker
-sudo qubesctl --targets=tpl-qubes-builder,qubes-builder state.apply
+sudo qubesctl --targets=tpl-qubes-builder state.apply
 sudo qubesctl top.disable docker
 ```
@ -25,10 +27,15 @@ sudo qubesctl top.disable docker
 <!-- pkg:begin:post-install -->
 ```sh
 sudo qubesctl --skip-dom0 --targets=tpl-qubes-builder state.apply docker.install
 sudo qubesctl --skip-dom0 --targets=qubes-builder state.apply docker.configure
 ```
 <!-- pkg:end:post-install -->
 Enable the Docker and/or Podman service for qubes that will use it:
 ```sh
 qvm-features QUBE service.docker 1
 qvm-features QUBE service.podman 1
 ```
 ## Usage
 The only qubes specific configuration to docker is changing its [root
--- a/salt/docker/configure.sls
+++ b/salt/docker/configure.sls
@ -1,18 +0,0 @@
 {#
 SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
 SPDX-License-Identifier: AGPL-3.0-or-later
 #}
 {% if grains['nodename'] != 'dom0' -%}
 "{{ slsdotpath }}-rc.local":
  file.managed:
    - name: /rw/config/rc.local.d/50-docker.rc
    - source: salt://{{ slsdotpath }}/files/client/rc.local.d/50-docker.rc
    - mode: '0755'
    - user: root
    - group: root
    - makedirs: True
 {% endif -%}
--- a/salt/docker/configure.top
+++ b/salt/docker/configure.top
@ -1,9 +0,0 @@
 {#
 SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
 SPDX-License-Identifier: AGPL-3.0-or-later
 #}
 base:
  'qubes-builder':
    - docker.configure
--- a/salt/docker/files/client/rc.local.d/50-docker.rc
+++ b/salt/docker/files/client/rc.local.d/50-docker.rc
@ -1,9 +0,0 @@
 #!/bin/sh
 # vim: ft=sh
 # SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
 usermod -aG docker user
 systemctl unmask docker
 systemctl --no-block restart docker
--- a/salt/docker/files/client/systemd/docker.service.d/50_qusal.conf
+++ b/salt/docker/files/client/systemd/docker.service.d/50_qusal.conf
@ -0,0 +1,8 @@
 # SPDX-FileCopyrightText: 2023 - 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com>
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
 # vim: ft=systemd
 [Unit]
 ConditionPathExists=/var/run/qubes-service/docker
 After=qubes-sysinit.service
 Before=qubes-qrexec-agent.service
--- a/salt/docker/files/client/systemd/podman.service.d/50_qusal.conf
+++ b/salt/docker/files/client/systemd/podman.service.d/50_qusal.conf
@ -0,0 +1,8 @@
 # SPDX-FileCopyrightText: 2023 - 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com>
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
 # vim: ft=systemd
 [Unit]
 ConditionPathExists=/var/run/qubes-service/podman
 After=qubes-sysinit.service
 Before=qubes-qrexec-agent.service
--- a/salt/docker/init.top
+++ b/salt/docker/init.top
@ -7,5 +7,3 @@ SPDX-License-Identifier: AGPL-3.0-or-later
 base:
  'tpl-qubes-builder':
    - docker.install
  'qubes-builder':
    - docker.configure
--- a/salt/docker/install.sls
+++ b/salt/docker/install.sls
@ -52,4 +52,22 @@ include:
    - addusers:
      - user
 "{{ slsdotpath }}-systemd":
  file.recurse:
    - name: /usr/lib/systemd/system/
    - source: salt://{{ slsdotpath }}/files/client/systemd/
    - dir_mode: '0755'
    - file_mode: '0644'
    - user: root
    - group: root
    - makedirs: True
 "{{ slsdotpath }}-unmask-docker":
  service.unmasked:
    - name: docker
 "{{ slsdotpath }}-enable-docker":
  service.enabled:
    - name: docker
 {% endif -%}
--- a/salt/electrum/README.md
+++ b/salt/electrum/README.md
@ -88,7 +88,7 @@ socat TCP4-LISTEN:50002,reuseaddr,fork,bind=127.0.0.1 TCP:192.168.2.10:50002 &
 In the qube `electrum`, add the `qvm-connect-tcp` command to the file
 `/rw/config/rc.local`:
 ```sh
-qvm-connnect-tcp ::50002
+qvm-connect-tcp ::50002
 ```
 In the qube `electrum`, run as the user `user` the electrum configuration
--- a/salt/mirage-builder/configure.sls
+++ b/salt/mirage-builder/configure.sls
@ -13,7 +13,6 @@ include:
  - dotfiles.copy-sh
  - dotfiles.copy-ssh
  - dotfiles.copy-git
  - docker.configure
 "{{ slsdotpath }}-opam-completion-and-hooks":
  file.managed:
--- a/salt/mirage-builder/create.sls
+++ b/salt/mirage-builder/create.sls
@ -37,6 +37,9 @@ prefs:
 - autostart: False
 - include_in_backups: True
 features:
 - enable:
  - service.docker
  - service.podman
 - disable:
  - service.cups
  - service.cups-browsed
--- a/salt/mirage-builder/files/client/keys/5DE3E0509C47EA3CF04A42D34AEE18F83AFDEB23.asc
+++ b/salt/mirage-builder/files/client/keys/5DE3E0509C47EA3CF04A42D34AEE18F83AFDEB23.asc
@ -6,28 +6,36 @@ SQzvYjsE4I34To4UdE9KA97wrQjGoz2Bx72WDLyWwctD3DKQtYeHXswXXtXwKfjQ
 7Fy4+Bf5IPh76dA8NJ6UtjjLIDlKqdxLW4atHe6xWFaJ+XdLUtsAroZcXBeWDCPa
 buXCDscJcLJRKZVc62gOZXXtPfoHqvUPp3nuLA4YjH9bphbrMWMf810Wxz9JTd3v
 yWgGqNY0zbBqeZoGv+TuExlRHT8ASGFS9SVDABEBAAHNNUdpdEh1YiAod2ViLWZs
-b3cgY29tbWl0IHNpZ25pbmcpIDxub3JlcGx5QGdpdGh1Yi5jb20+wsBiBBMBCAAW
+b3cgY29tbWl0IHNpZ25pbmcpIDxub3JlcGx5QGdpdGh1Yi5jb20+wsBoBBMBCAAc
-BQJZlGhBCRBK7hj4Ov3rIwIbAwIZAQAAmQEIACATWFmi2oxlBh3wAsySNCNV4IPf
+BQJZlGhBCRBK7hj4Ov3rIwIbAwUJDBJ3/wIZAQAA0O4IAJd0k8M+urETyMvTqNTj
-DDMeh6j80WT7cgoX7V7xqJOxrfrqPEthQ3hgHIm7b5MPQlUr2q+UPL22t/I+ESF6
+/U6nbqyOdKE4V93uUj5G7sNTfno7wod/Qjj6Zv5KodvA93HmEdQqsmVq5YJ5KGiw
-9b0QWLFSMJbMSk+BXkvSjH9q8jAO0986/pShPV5DU2sMxnx4LfLfHNhTzjXKokws
+cmGCpd/GqJRPaYSY0hSUSBqYHiHLusCJkPBpQTBhcEMtfVCB2J6fVeoX2DV0K1xf
-+8ptJ8uhMNIDXfXuzkZHIxoXk3rNcjDN5c5X+sK8UBRH092BIJWCOfaQt7v7wig5
+CGblrSVB0viAxUMnmL5C55RuvbYZsTu8szXhkvIR96CtWbJ8QGaEf1/KSpWz8ept
-4Ra28pM9GbHKXVNxmdLpCFyzvyMuCmINYYADsC848QQFFwnd4EQnupo6QvhEVx1O
+Y/omf3UPfvdOjnsxc8jVEqPNaR9xC6Q6t53rBa/XgMY6IYyesnyYnc5O6JuexUFa
-j7wDwvuH5dCrLuLwtwXaQh0onG4583p0LGms2Mf5F+Ick6o/4peOlBoZz48=
+VjykRFtAiYfDaMARpXOmgMm0lhoBRKb/uMUaN3CSYTmE4pZweJcUi7eWgmoQljX2
-=HXDP
+ut6ZAg0EZabFdgEQALI37i+IVAzpBCgqvQDZbSsZ0yhtMnA5myjZA+l7BvIGy4ve
-----END PGP PUBLIC KEY BLOCK----------BEGIN PGP PUBLIC KEY BLOCK-----
+s1bk6YetbBcCE8o2pQjI7N2rwyhLGhNO6ouSyhqGLEQv9fafKE4HFH0aRjP+gj1H
-
+edhwtFoVChImhV863rWimQtTNtYB6GluBPwQqWfwmwQ2rT7ScOVZCLSHZD2gaaqW
-xsBNBFmUaEEBCACzXTDt6ZnyaVtueZASBzgnAmK13q9Urgch+sKYeIhdymjuMQta
+BXOyTCZVnwt7K/gyDuE3qzDJnuahl+SSkPn5TtnZdW6sLORJJ+DjNvaUxEsmizZ4
-x15OklctmrZtqre5kwPUosG3/B2/ikuPYElcHgGPL4uL5Em6S5C/oozfkYzhwRrT
+IBzvj0QKxfS3s4F+0X5iqCMheLFeybZGtSq9Tjs6Q61l4CG8Bh6dsLemv0WFrk3G
-SQzvYjsE4I34To4UdE9KA97wrQjGoz2Bx72WDLyWwctD3DKQtYeHXswXXtXwKfjQ
+gFQRr7XUwr1bo5xGHC/FUJSsxRHoVNJnIL/9WldNO2tGU6qlTnAYxs/fOmf2B6o5
-7Fy4+Bf5IPh76dA8NJ6UtjjLIDlKqdxLW4atHe6xWFaJ+XdLUtsAroZcXBeWDCPa
+cKXysXv7WAA8b+j5AVBMGxUSu7CLglaiCJC5DI7AAiUV7/t29rFZkam//Jbb4veC
-buXCDscJcLJRKZVc62gOZXXtPfoHqvUPp3nuLA4YjH9bphbrMWMf810Wxz9JTd3v
+4vvFocoVUaxrKGWK1BDldr4/WJKApJcPJF4Jtai1+oB6ak/JIjbkseHdJxcjo2B0
-yWgGqNY0zbBqeZoGv+TuExlRHT8ASGFS9SVDABEBAAHNNUdpdEh1YiAod2ViLWZs
+dKtIFoWiPAB+DFs9MRDpp0iwocJCh+ucus1rdQ54YMaI44rRphXeOIQMYCi5q2Q1
-b3cgY29tbWl0IHNpZ25pbmcpIDxub3JlcGx5QGdpdGh1Yi5jb20+wsBiBBMBCAAW
+/arzkSiyPV/2VoKoAfdgskPt1xKd7WIKErmpFMHIy8jJ5IPQ1s2dUwU4alfJLJa0
-BQJZlGhBCRBK7hj4Ov3rIwIbAwIZAQAAmQEIACATWFmi2oxlBh3wAsySNCNV4IPf
+pvaV2m7wBYFAmwmz0WZgFxYAYEDamn4jFoKfqsEgcixRUVE3w5VkqwSwGRbLABEB
-DDMeh6j80WT7cgoX7V7xqJOxrfrqPEthQ3hgHIm7b5MPQlUr2q+UPL22t/I+ESF6
+AAG0G0dpdEh1YiA8bm9yZXBseUBnaXRodWIuY29tPokCTgQTAQoAOBYhBJaEeaGv
-9b0QWLFSMJbMSk+BXkvSjH9q8jAO0986/pShPV5DU2sMxnx4LfLfHNhTzjXKokws
+SfjfRpWa7VpDu67lSGUBQJlpsV2AhsDBQsJCAcCBhUKCQgLAgQWAgMBAh4BAheA
-+8ptJ8uhMNIDXfXuzkZHIxoXk3rNcjDN5c5X+sK8UBRH092BIJWCOfaQt7v7wig5
+AAoJELVpDu67lSGUgy4QAKW9XAL416iKrQB2LElmxqAoenHVCswlau0xGLh5dVNN
-4Ra28pM9GbHKXVNxmdLpCFyzvyMuCmINYYADsC848QQFFwnd4EQnupo6QvhEVx1O
+p5f4/W6eEL8CZI7hfF3e5Gh6Me99aHgXSCK1QnxcqCJ6Oea4ZyrsNu3k6g7Um5ca
-j7wDwvuH5dCrLuLwtwXaQh0onG4583p0LGms2Mf5F+Ick6o/4peOlBoZz48=
+VbYFD4yIahhXDYHSw6FYM2sgFY479YvgvKRwacC2tFfChLRbHgwLJ3O1dBjmVycJ
-=HXDP
+Zpbyu+7taZ26g6KQfgcj3uuo3nz3p1ziIEpLHwtl/7joNEIIP/lJ8AKmUHPiGznN
 6fxMvzN37PGMWtdvOi1rSNIMQYr1YY7jPnlLbFJwLrO/q/cGPU5HwGzlqh0a2ZqY
 dnuwT3DREmgJ83H71xH+sTzZKs5oGlVTu6st7iWDvNpo2GoN01XzKa5caYglqsOC
 uZ6IHlsdL50sXMtSROCi3hEWU9r1sWIm4k3pNz20y7lElD2X/MqbEMcgpawCV7lH
 rm7MSrTgu6BNAF0SisbF9AKwXaBr2dwpMMyIBOFZO9mk4/c0n9q2FlGY4GkbgH2J
 HqulFTwX/4yiQbh8gzCe+06FZAWITN1OQntTkkCQ+1MCZPf+bOfC08RTsOsVZIYB
 2qAgw6XE0IF4a+PAtHSoYftwH2ocMY2gMuSNpQWm7m0+/j+K+RBoeUcnGNPQgszq
 N60IDMqkqHjyubrm2aslfopWmPSvaQoyxwV/uztdo+UI0IV2z9gD7Sm49vMkpYp8
 =uMz0
 -----END PGP PUBLIC KEY BLOCK-----
--- a/salt/qubes-builder/configure.sls
+++ b/salt/qubes-builder/configure.sls
@ -13,7 +13,6 @@ include:
  - dotfiles.copy-sh
  - dotfiles.copy-ssh
  - dotfiles.copy-x11
  - docker.configure
 "{{ slsdotpath }}-makedir-src":
  file.directory:
--- a/salt/qubes-builder/create.sls
+++ b/salt/qubes-builder/create.sls
@ -61,11 +61,13 @@ prefs:
 - label: gray
 - audiovm: ""
 - memory: 400
- maxmem: 800
+- maxmem: 1000
 - vcpus: 1
 - default_dispvm: dvm-{{ slsdotpath }}
 features:
 - enable:
  - service.docker
  - service.podman
  - service.split-gpg2-client
 - disable:
  - service.cups
@ -113,7 +115,7 @@ features:
 "{{ slsdotpath }}-shutdown-template":
  qvm.shutdown:
    - require:
-      - cmd: "{{ slsdotpath }}-install-salt-deps":
+      - cmd: "{{ slsdotpath }}-install-salt-deps"
    - name: tpl-{{ slsdotpath }}
    - flags:
      - force
--- a/salt/qubes-builder/install-qubes-executor.sls
+++ b/salt/qubes-builder/install-qubes-executor.sls
@ -18,25 +18,26 @@ include:
    - pkgs:
      - qubes-core-agent-networking
      - qubes-core-agent-passwordless-root
      - dnf-plugins-core
      - createrepo_c
      - debootstrap
      - devscripts
      - dnf-plugins-core
      - dpkg-dev
      - git
      - mock
      - pbuilder
      - which
      - perl-Digest-MD5
      - perl-Digest-SHA
      - pykickstart
      - python3-debian
      - python3-pyyaml
      - python3-sh
      - reprepro
      - rpm-build
      - rpmdevtools
      - wget2
      - python3-debian
      - reprepro
      - systemd-udev
      - wget2
      - which
 "{{ slsdotpath }}-qubes-executor-add-user-to-mock-group":
  group.present:
--- a/salt/qubes-builder/install.sls
+++ b/salt/qubes-builder/install.sls
@ -30,26 +30,24 @@ include:
      ## Minimal template dependencies
      - qubes-core-agent-networking
      - qubes-core-agent-passwordless-root
      ## Undocumented Infraestructure Mirrors dependencies
      - python3-lxml
      ## Undocumented Builder dependencies
      - python3-click
      ## Dependencies: https://github.com/QubesOS/qubes-builderv2#dependencies
      - asciidoc
      - createrepo_c
      - devscripts
      - m4
      - mktorrent
      - mock
      - openssl
      - pacman
      - podman
      - python3-click
      - python3-docker
      - python3-jinja2-cli
      - python3-lxml
      - python3-packaging
      - python3-pathspec
      - python3-podman
      - python3-pyyaml
      - rb_libtorrent-examples
      - reprepro
      - rpm
      - rpm-sign
--- a/salt/sys-bitcoin/README.md
+++ b/salt/sys-bitcoin/README.md
@ -81,7 +81,7 @@ sudo qubesctl --skip-dom0 --targets=sys-bitcoin state.apply sys-bitcoin.configur
 Add the tag `bitcoin-client` to the client and install in the client template:
 ```sh
-sudo qubesctl --skip-dom0 --targets=tpl-QUBE state.apply sys-bitcoin.install-client
+sudo qubesctl --skip-dom0 --targets=TEMPLATE state.apply sys-bitcoin.install-client
 ```
@ -212,11 +212,11 @@ In the Electrum Server qubes or any Bitcoin Client, `sys-electrumx`,
 `/rw/config/rc.local`:
 ```sh
 ## RPC
-qvm-connnect-tcp ::8332
+qvm-connect-tcp ::8332
 ## P2P (ElectRS)
-qvm-connnect-tcp ::8333
+qvm-connect-tcp ::8333
 ## ZMQPubHashBlock (Fulcrum)
-qvm-connnect-tcp ::8433
+qvm-connect-tcp ::8433
 ```
 Still in the Electrum Server qube, you will have to add the RPC authentication
--- a/salt/sys-cacher/README.md
+++ b/salt/sys-cacher/README.md
@ -89,7 +89,7 @@ The report page is available from `sys-cacher` and `sys-cacher-browser` at
 security wise, every client has administrative access to the cacher qube.  You
 should add the following to the end of `sys-cacher` rc.local:
 ```sh
-echo "AdminAuth: username:password" | tee /etc/qubes-apt-cacher-ng/zzz_security.conf
+echo "AdminAuth: username:password" | tee /etc/qusal-apt-cacher-ng/zzz_security.conf
 ```
 Where username and password are HTTP Auth strings.
--- a/salt/sys-cacher/configure-browser.sls
+++ b/salt/sys-cacher/configure-browser.sls
@ -18,6 +18,16 @@ include:
    - group: root
    - makedirs: True
 "{{ slsdotpath }}-browser-systemd-services":
  file.recurse:
    - name: /rw/config/systemd/
    - source: salt://{{ slsdotpath }}/files/browser/systemd/
    - dir_mode: '0755'
    - file_mode: '0644'
    - user: root
    - group: root
    - makedirs: True
 "{{ slsdotpath }}-browser-desktop-application":
  file.managed:
    - name: /home/user/.local/share/applications/cacher-browser.desktop
--- a/salt/sys-cacher/create.sls
+++ b/salt/sys-cacher/create.sls
@ -57,7 +57,7 @@ features:
 - enable:
  - servicevm
  - service.crond
-  - service.apt-cacher-ng
+  - service.acng-server
 - disable:
  - service.cups
  - service.cups-browsed
@ -87,6 +87,8 @@ prefs:
 - autostart: False
 - include_in_backups: False
 features:
 - enable:
  - service.acng-browser
 - disable:
  - service.cups
  - service.cups-browsed
--- a/salt/sys-cacher/files/browser/rc.local.d/50-sys-cacher.rc
+++ b/salt/sys-cacher/files/browser/rc.local.d/50-sys-cacher.rc
@ -1,7 +1,9 @@
 #!/bin/sh
 # vim: ft=sh
-# SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
+# SPDX-FileCopyrightText: 2023 - 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com>
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
-qvm-connect-tcp 8082:@default:8082
+cp -r /rw/config/systemd/qusal-acng-browser-forwarder* /usr/lib/systemd/system/
 systemctl daemon-reload
 systemctl --no-block restart qusal-acng-browser-forwarder.socket
--- a/salt/sys-cacher/files/browser/systemd/qusal-acng-browser-forwarder.socket
+++ b/salt/sys-cacher/files/browser/systemd/qusal-acng-browser-forwarder.socket
@ -0,0 +1,17 @@
 # SPDX-FileCopyrightText: 2023 - 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
 [Unit]
 Description=Forward ACNG Admin Web Panel connection over Qrexec
 After=qubes-sysinit.service
 Before=qubes-qrexec-agent.service
 ConditionPathExists=/var/run/qubes-service/acng-browser
 [Socket]
 ListenStream=127.0.0.1:8082
 BindToDevice=lo
 Accept=true
 [Install]
 WantedBy=multi-user.target
--- a/salt/sys-cacher/files/browser/systemd/qusal-acng-browser-forwarder@.service
+++ b/salt/sys-cacher/files/browser/systemd/qusal-acng-browser-forwarder@.service
@ -0,0 +1,11 @@
 # SPDX-FileCopyrightText: 2023 - 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
 [Unit]
 Description=Forward ACNG Admin Web Panel connection over Qrexec
 [Service]
 ExecStart=/usr/bin/qrexec-client-vm @default qubes.ConnectTCP+8082
 StandardInput=socket
 StandardOutput=inherit
--- a/salt/sys-cacher/files/client/systemd/qusal-apt-cacher-ng-repo.service
+++ b/salt/sys-cacher/files/client/systemd/qusal-apt-cacher-ng-repo.service
--- a/salt/sys-cacher/files/server/systemd/apt-cacher-ng.service.d/50_qusal.conf
+++ b/salt/sys-cacher/files/server/systemd/apt-cacher-ng.service.d/50_qusal.conf
@ -3,11 +3,11 @@
 # SPDX-License-Identifier: AGPL-3.0-or-later
 # vim: ft=systemd
 [Unit]
-ConditionPathExists=/var/run/qubes-service/apt-cacher-ng
+ConditionPathExists=/var/run/qubes-service/acng-server
 After=qubes-sysinit.service
 Before=qubes-qrexec-agent.service
 [Service]
 ExecStartPre=chown -R apt-cacher-ng:apt-cacher-ng /var/log/apt-cacher-ng /var/cache/apt-cacher-ng
 ExecStart=
-ExecStart=/usr/sbin/apt-cacher-ng -c "/etc/qubes-apt-cacher-ng" ForeGround=1
+ExecStart=/usr/sbin/apt-cacher-ng -c "/etc/qusal-apt-cacher-ng" ForeGround=1
--- a/salt/sys-cacher/install-client.sls
+++ b/salt/sys-cacher/install-client.sls
@ -23,13 +23,13 @@ SPDX-License-Identifier: AGPL-3.0-or-later
 "{{ slsdotpath }}-install-client-systemd":
  file.managed:
-    - name: /usr/lib/systemd/system/qubes-apt-cacher-ng-repo.service
+    - name: /usr/lib/systemd/system/qusal-apt-cacher-ng-repo.service
-    - source: salt://{{ slsdotpath }}/files/client/systemd/qubes-apt-cacher-ng-repo.service
+    - source: salt://{{ slsdotpath }}/files/client/systemd/qusal-apt-cacher-ng-repo.service
    - mode: "0644"
    - group: root
    - user: root
    - makedirs: True
-"{{ slsdotpath }}-install-client-systemd-start-qubes-apt-cacher-ng-repo.service":
+"{{ slsdotpath }}-install-client-systemd-start-qusal-apt-cacher-ng-repo.service":
  service.enabled:
-    - name: qubes-apt-cacher-ng-repo.service
+    - name: qusal-apt-cacher-ng-repo.service
--- a/salt/sys-cacher/install.sls
+++ b/salt/sys-cacher/install.sls
@ -37,25 +37,14 @@ include:
  service.enabled:
    - name: apt-cacher-ng
 ## TODO: legacy: remove after some weeks for user to have time to upgrade
 "{{ slsdotpath }}-mask-qubes-apt-cacher-ng":
  service.masked:
    - name: qubes-apt-cacher-ng
    - runtime: False
 ## TODO: legacy: remove after some weeks for user to have time to upgrade
 "{{ slsdotpath }}-disable-qubes-apt-cacher-ng":
  service.disabled:
    - name: qubes-apt-cacher-ng
 "{{ slsdotpath }}-create-qubes-cacher-config-dir":
  file.directory:
-    - name: /etc/qubes-apt-cacher-ng
+    - name: /etc/qusal-apt-cacher-ng
    - mode: '0755'
 "{{ slsdotpath }}-copy-package-config-to-qubes-cacher-config":
  cmd.run:
-    - name: cp -rp /etc/apt-cacher-ng/* /etc/qubes-apt-cacher-ng
+    - name: cp -rp /etc/apt-cacher-ng/* /etc/qusal-apt-cacher-ng
 "{{ slsdotpath }}-systemd-service":
  file.managed:
@ -68,12 +57,12 @@ include:
 "{{ slsdotpath }}-update-deb_mirrors.gz":
  cmd.run:
-    - name: cp /usr/lib/apt-cacher-ng/deb_mirrors.gz /etc/qubes-apt-cacher-ng/deb_mirrors.gz
+    - name: cp /usr/lib/apt-cacher-ng/deb_mirrors.gz /etc/qusal-apt-cacher-ng/deb_mirrors.gz
    - runas: root
 "{{ slsdotpath }}-update-conf":
  file.recurse:
-    - name: /etc/qubes-apt-cacher-ng/
+    - name: /etc/qusal-apt-cacher-ng/
    - source: salt://{{ slsdotpath }}/files/server/conf/
    - file_mode: "0644"
    - group: root
--- a/salt/sys-cacher/uninstall-client.sls
+++ b/salt/sys-cacher/uninstall-client.sls
@ -27,4 +27,4 @@ SPDX-License-Identifier: AGPL-3.0-or-later
 "{{ slsdotpath }}-uninstall-client-systemd-service":
  file.absent:
-    - name: /usr/lib/systemd/system/qubes-apt-cacher-ng-repo.service
+    - name: /usr/lib/systemd/system/qusal-apt-cacher-ng-repo.service
--- a/salt/sys-git/files/server/rpc/qusal.GitInit
+++ b/salt/sys-git/files/server/rpc/qusal.GitInit
@ -15,6 +15,7 @@ if ! command -v git >/dev/null; then
  die "Command not found: git"
 fi
 ## TODO: subdirectory? dir+repo
 untrusted_repo="${QREXEC_SERVICE_ARGUMENT}"
 if test -z "${untrusted_repo}"; then
--- a/salt/sys-pihole/configure-browser.sls
+++ b/salt/sys-pihole/configure-browser.sls
@ -7,7 +7,7 @@ SPDX-License-Identifier: AGPL-3.0-or-later
 {% if grains['nodename'] != 'dom0' %}
-"{{ slsdotpath }}-browser-auto-tcp-connect":
+"{{ slsdotpath }}-browser-rc.local":
  file.managed:
    - name: /rw/config/rc.local.d/50-sys-pihole.rc
    - source: salt://{{ slsdotpath }}/files/browser/rc.local.d/50-sys-pihole.rc
@ -16,6 +16,16 @@ SPDX-License-Identifier: AGPL-3.0-or-later
    - group: root
    - makedirs: True
 "{{ slsdotpath }}-browser-systemd-services":
  file.recurse:
    - name: /rw/config/systemd/
    - source: salt://{{ slsdotpath }}/files/browser/systemd/
    - dir_mode: '0755'
    - file_mode: '0644'
    - user: root
    - group: root
    - makedirs: True
 "{{ slsdotpath }}-browser-desktop-application":
  file.managed:
    - name: /home/user/.local/share/applications/pihole-browser.desktop
--- a/salt/sys-pihole/create.sls
+++ b/salt/sys-pihole/create.sls
@ -78,6 +78,8 @@ prefs:
 - maxmem: 600
 - include_in_backups: False
 features:
 - enable:
  - service.http-client
 - disable:
  - service.cups
  - service.cups-browsed
--- a/salt/sys-pihole/files/browser/rc.local.d/50-sys-pihole.rc
+++ b/salt/sys-pihole/files/browser/rc.local.d/50-sys-pihole.rc
@ -1,7 +1,9 @@
 #!/bin/sh
 # vim: ft=sh
-# SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
+# SPDX-FileCopyrightText: 2023 - 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com>
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
-qvm-connect-tcp 80:@default:80
+cp -r /rw/config/systemd/qubes-http-forwarder* /usr/lib/systemd/system/
 systemctl daemon-reload
 systemctl --no-block restart qubes-http-forwarder.socket
--- a/salt/sys-pihole/files/browser/systemd/qubes-http-forwarder.socket
+++ b/salt/sys-pihole/files/browser/systemd/qubes-http-forwarder.socket
@ -3,12 +3,13 @@
 # SPDX-License-Identifier: AGPL-3.0-or-later
 [Unit]
-Description=Forward connection to SSH over Qrexec
+Description=Forward HTTP connection over Qrexec
 After=qubes-sysinit.service
-ConditionPathExists=/var/run/qubes-service/ssh-setup
+Before=qubes-qrexec-agent.service
 ConditionPathExists=/var/run/qubes-service/http-client
 [Socket]
-ListenStream=127.0.0.1:840
+ListenStream=127.0.0.1:80
 BindToDevice=lo
 Accept=true
--- a/salt/sys-pihole/files/browser/systemd/qubes-http-forwarder@.service
+++ b/salt/sys-pihole/files/browser/systemd/qubes-http-forwarder@.service
@ -0,0 +1,11 @@
 # SPDX-FileCopyrightText: 2023 - 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
 [Unit]
 Description=Forward HTTP connection over Qrexec
 [Service]
 ExecStart=/usr/bin/qrexec-client-vm @default qubes.ConnectTCP+80
 StandardInput=socket
 StandardOutput=inherit
--- a/salt/sys-pihole/files/server/keys/5DE3E0509C47EA3CF04A42D34AEE18F83AFDEB23.asc
+++ b/salt/sys-pihole/files/server/keys/5DE3E0509C47EA3CF04A42D34AEE18F83AFDEB23.asc
@ -6,28 +6,36 @@ SQzvYjsE4I34To4UdE9KA97wrQjGoz2Bx72WDLyWwctD3DKQtYeHXswXXtXwKfjQ
 7Fy4+Bf5IPh76dA8NJ6UtjjLIDlKqdxLW4atHe6xWFaJ+XdLUtsAroZcXBeWDCPa
 buXCDscJcLJRKZVc62gOZXXtPfoHqvUPp3nuLA4YjH9bphbrMWMf810Wxz9JTd3v
 yWgGqNY0zbBqeZoGv+TuExlRHT8ASGFS9SVDABEBAAHNNUdpdEh1YiAod2ViLWZs
-b3cgY29tbWl0IHNpZ25pbmcpIDxub3JlcGx5QGdpdGh1Yi5jb20+wsBiBBMBCAAW
+b3cgY29tbWl0IHNpZ25pbmcpIDxub3JlcGx5QGdpdGh1Yi5jb20+wsBoBBMBCAAc
-BQJZlGhBCRBK7hj4Ov3rIwIbAwIZAQAAmQEIACATWFmi2oxlBh3wAsySNCNV4IPf
+BQJZlGhBCRBK7hj4Ov3rIwIbAwUJDBJ3/wIZAQAA0O4IAJd0k8M+urETyMvTqNTj
-DDMeh6j80WT7cgoX7V7xqJOxrfrqPEthQ3hgHIm7b5MPQlUr2q+UPL22t/I+ESF6
+/U6nbqyOdKE4V93uUj5G7sNTfno7wod/Qjj6Zv5KodvA93HmEdQqsmVq5YJ5KGiw
-9b0QWLFSMJbMSk+BXkvSjH9q8jAO0986/pShPV5DU2sMxnx4LfLfHNhTzjXKokws
+cmGCpd/GqJRPaYSY0hSUSBqYHiHLusCJkPBpQTBhcEMtfVCB2J6fVeoX2DV0K1xf
-+8ptJ8uhMNIDXfXuzkZHIxoXk3rNcjDN5c5X+sK8UBRH092BIJWCOfaQt7v7wig5
+CGblrSVB0viAxUMnmL5C55RuvbYZsTu8szXhkvIR96CtWbJ8QGaEf1/KSpWz8ept
-4Ra28pM9GbHKXVNxmdLpCFyzvyMuCmINYYADsC848QQFFwnd4EQnupo6QvhEVx1O
+Y/omf3UPfvdOjnsxc8jVEqPNaR9xC6Q6t53rBa/XgMY6IYyesnyYnc5O6JuexUFa
-j7wDwvuH5dCrLuLwtwXaQh0onG4583p0LGms2Mf5F+Ick6o/4peOlBoZz48=
+VjykRFtAiYfDaMARpXOmgMm0lhoBRKb/uMUaN3CSYTmE4pZweJcUi7eWgmoQljX2
-=HXDP
+ut6ZAg0EZabFdgEQALI37i+IVAzpBCgqvQDZbSsZ0yhtMnA5myjZA+l7BvIGy4ve
-----END PGP PUBLIC KEY BLOCK----------BEGIN PGP PUBLIC KEY BLOCK-----
+s1bk6YetbBcCE8o2pQjI7N2rwyhLGhNO6ouSyhqGLEQv9fafKE4HFH0aRjP+gj1H
-
+edhwtFoVChImhV863rWimQtTNtYB6GluBPwQqWfwmwQ2rT7ScOVZCLSHZD2gaaqW
-xsBNBFmUaEEBCACzXTDt6ZnyaVtueZASBzgnAmK13q9Urgch+sKYeIhdymjuMQta
+BXOyTCZVnwt7K/gyDuE3qzDJnuahl+SSkPn5TtnZdW6sLORJJ+DjNvaUxEsmizZ4
-x15OklctmrZtqre5kwPUosG3/B2/ikuPYElcHgGPL4uL5Em6S5C/oozfkYzhwRrT
+IBzvj0QKxfS3s4F+0X5iqCMheLFeybZGtSq9Tjs6Q61l4CG8Bh6dsLemv0WFrk3G
-SQzvYjsE4I34To4UdE9KA97wrQjGoz2Bx72WDLyWwctD3DKQtYeHXswXXtXwKfjQ
+gFQRr7XUwr1bo5xGHC/FUJSsxRHoVNJnIL/9WldNO2tGU6qlTnAYxs/fOmf2B6o5
-7Fy4+Bf5IPh76dA8NJ6UtjjLIDlKqdxLW4atHe6xWFaJ+XdLUtsAroZcXBeWDCPa
+cKXysXv7WAA8b+j5AVBMGxUSu7CLglaiCJC5DI7AAiUV7/t29rFZkam//Jbb4veC
-buXCDscJcLJRKZVc62gOZXXtPfoHqvUPp3nuLA4YjH9bphbrMWMf810Wxz9JTd3v
+4vvFocoVUaxrKGWK1BDldr4/WJKApJcPJF4Jtai1+oB6ak/JIjbkseHdJxcjo2B0
-yWgGqNY0zbBqeZoGv+TuExlRHT8ASGFS9SVDABEBAAHNNUdpdEh1YiAod2ViLWZs
+dKtIFoWiPAB+DFs9MRDpp0iwocJCh+ucus1rdQ54YMaI44rRphXeOIQMYCi5q2Q1
-b3cgY29tbWl0IHNpZ25pbmcpIDxub3JlcGx5QGdpdGh1Yi5jb20+wsBiBBMBCAAW
+/arzkSiyPV/2VoKoAfdgskPt1xKd7WIKErmpFMHIy8jJ5IPQ1s2dUwU4alfJLJa0
-BQJZlGhBCRBK7hj4Ov3rIwIbAwIZAQAAmQEIACATWFmi2oxlBh3wAsySNCNV4IPf
+pvaV2m7wBYFAmwmz0WZgFxYAYEDamn4jFoKfqsEgcixRUVE3w5VkqwSwGRbLABEB
-DDMeh6j80WT7cgoX7V7xqJOxrfrqPEthQ3hgHIm7b5MPQlUr2q+UPL22t/I+ESF6
+AAG0G0dpdEh1YiA8bm9yZXBseUBnaXRodWIuY29tPokCTgQTAQoAOBYhBJaEeaGv
-9b0QWLFSMJbMSk+BXkvSjH9q8jAO0986/pShPV5DU2sMxnx4LfLfHNhTzjXKokws
+SfjfRpWa7VpDu67lSGUBQJlpsV2AhsDBQsJCAcCBhUKCQgLAgQWAgMBAh4BAheA
-+8ptJ8uhMNIDXfXuzkZHIxoXk3rNcjDN5c5X+sK8UBRH092BIJWCOfaQt7v7wig5
+AAoJELVpDu67lSGUgy4QAKW9XAL416iKrQB2LElmxqAoenHVCswlau0xGLh5dVNN
-4Ra28pM9GbHKXVNxmdLpCFyzvyMuCmINYYADsC848QQFFwnd4EQnupo6QvhEVx1O
+p5f4/W6eEL8CZI7hfF3e5Gh6Me99aHgXSCK1QnxcqCJ6Oea4ZyrsNu3k6g7Um5ca
-j7wDwvuH5dCrLuLwtwXaQh0onG4583p0LGms2Mf5F+Ick6o/4peOlBoZz48=
+VbYFD4yIahhXDYHSw6FYM2sgFY479YvgvKRwacC2tFfChLRbHgwLJ3O1dBjmVycJ
-=HXDP
+Zpbyu+7taZ26g6KQfgcj3uuo3nz3p1ziIEpLHwtl/7joNEIIP/lJ8AKmUHPiGznN
 6fxMvzN37PGMWtdvOi1rSNIMQYr1YY7jPnlLbFJwLrO/q/cGPU5HwGzlqh0a2ZqY
 dnuwT3DREmgJ83H71xH+sTzZKs5oGlVTu6st7iWDvNpo2GoN01XzKa5caYglqsOC
 uZ6IHlsdL50sXMtSROCi3hEWU9r1sWIm4k3pNz20y7lElD2X/MqbEMcgpawCV7lH
 rm7MSrTgu6BNAF0SisbF9AKwXaBr2dwpMMyIBOFZO9mk4/c0n9q2FlGY4GkbgH2J
 HqulFTwX/4yiQbh8gzCe+06FZAWITN1OQntTkkCQ+1MCZPf+bOfC08RTsOsVZIYB
 2qAgw6XE0IF4a+PAtHSoYftwH2ocMY2gMuSNpQWm7m0+/j+K+RBoeUcnGNPQgszq
 N60IDMqkqHjyubrm2aslfopWmPSvaQoyxwV/uztdo+UI0IV2z9gD7Sm49vMkpYp8
 =uMz0
 -----END PGP PUBLIC KEY BLOCK-----
--- a/salt/sys-print/README.md
+++ b/salt/sys-print/README.md
@ -64,12 +64,12 @@ sudo qubesctl --skip-dom0 --targets=tpl-sys-print state.apply sys-print.install-
 On the client template:
 ```sh
-sudo qubesctl --skip-dom0 --targets=tpl-QUBE state.apply sys-print.install-client
+sudo qubesctl --skip-dom0 --targets=TEMPLATE state.apply sys-print.install-client
 ```
 The client qube requires the split Print service to be enabled:
 ```sh
-qvm-features QUBE service.print-setup 1
+qvm-features QUBE service.print-client 1
 ```
 ## Access Control
--- a/salt/sys-print/files/client/systemd/qusal-print-forwarder.service
+++ b/salt/sys-print/files/client/systemd/qusal-print-forwarder.service
@ -1,25 +0,0 @@
 # SPDX-FileCopyrightText: 2023 unman <unman@thirdeyesecurity.org>
 # SPDX-FileCopyrightText: 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com>
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
 [Unit]
 Description=Print over Qrexec
 After=qubes-sysinit.service
 After=qubes-qrexec-agent.service
 ConditionPathExists=/var/run/qubes-service/print-setup
 [Service]
 ExecStart=/usr/bin/socat TCP4-LISTEN:631,reuseaddr,fork,end-close EXEC:"qrexec-client-vm @default qusal.Print"
 Restart=on-failure
 RestartSec=3
 # Hardening
 ProtectSystem=full
 SystemCallArchitectures=native
 MemoryDenyWriteExecute=true
 NoNewPrivileges=true
 [Install]
 WantedBy=multi-user.target
--- a/salt/sys-print/files/client/systemd/qusal-print-forwarder.socket
+++ b/salt/sys-print/files/client/systemd/qusal-print-forwarder.socket
@ -0,0 +1,17 @@
 # SPDX-FileCopyrightText: 2023 - 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
 [Unit]
 Description=Forward Print connection over Qrexec
 After=qubes-sysinit.service
 Before=qubes-qrexec-agent.service
 ConditionPathExists=/var/run/qubes-service/print-client
 [Socket]
 ListenStream=127.0.0.1:631
 BindToDevice=lo
 Accept=true
 [Install]
 WantedBy=multi-user.target
--- a/salt/sys-print/files/client/systemd/qusal-print-forwarder@.service
+++ b/salt/sys-print/files/client/systemd/qusal-print-forwarder@.service
@ -0,0 +1,11 @@
 # SPDX-FileCopyrightText: 2023 - 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
 [Unit]
 Description=Forward Print connection over Qrexec
 [Service]
 ExecStart=/usr/bin/qrexec-client-vm @default qusal.Print
 StandardInput=socket
 StandardOutput=inherit
--- a/salt/sys-print/install-client.sls
+++ b/salt/sys-print/install-client.sls
@ -5,24 +5,16 @@ SPDX-FileCopyrightText: 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com>
 SPDX-License-Identifier: AGPL-3.0-or-later
 #}
-"{{ slsdotpath }}-installed-client":
+"{{ slsdotpath }}-client-systemd":
-  pkg.installed:
+  file.recurse:
-    - require:
+    - name: /usr/lib/systemd/system/
-      - sls: utils.tools.common.update
+    - source: salt://{{ slsdotpath }}/files/client/systemd/
-    - install_recommends: False
+    - file_mode: '0644'
-    - skip_suggestions: True
+    - dir_mode: '0755'
    - pkgs:
      - socat
 "{{ slsdotpath }}-client-systemd-print-forwarder":
  file.managed:
    - name: /usr/lib/systemd/system/qusal-print-forwarder.service
    - source: salt://{{ slsdotpath }}/files/client/systemd/qusal-print-forwarder.service
    - mode: '0644'
    - user: root
    - group: root
    - makedirs: True
-"{{ slsdotpath }}-enable-systemd-service-print-forwarder":
+"{{ slsdotpath }}-enable-systemd-service-print-forwarder.socket":
  service.enabled:
-    - name: qusal-print-forwarder.service
+    - name: qusal-print-forwarder.socket
--- a/salt/sys-rsync/README.md
+++ b/salt/sys-rsync/README.md
@ -49,7 +49,7 @@ sudo qubesctl --skip-dom0 --targets=TEMPLATE state.apply sys-rsync.install-clien
 The client qube requires the Rsync forwarder service to be enabled:
 ```
-qvm-features QUBE service.rsync-setup 1
+qvm-features QUBE service.rsync-client 1
 ```
 ## Access Control
--- a/salt/sys-rsync/configure.sls
+++ b/salt/sys-rsync/configure.sls
@ -1,6 +1,6 @@
 {#
 SPDX-FileCopyrightText: 2022 unman <unman@thirdeyesecurity.org>
-SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
+SPDX-FileCopyrightText: 2023 - 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com>
 SPDX-License-Identifier: AGPL-3.0-or-later
 #}
@ -8,15 +8,6 @@ SPDX-License-Identifier: AGPL-3.0-or-later
 include:
  - dev.home-cleanup
 "{{ slsdotpath }}-start-rsync-on-boot":
  file.managed:
    - name: /rw/config/rc.local.d/50-sys-rsync.rc
    - source: salt://{{ slsdotpath }}/files/server/rc.local.d/50-sys-rsync.rc
    - mode: '0755'
    - user: root
    - group: root
    - makedirs: True
 "{{ slsdotpath }}-creates-local-rsync-configuration-dir":
  file.directory:
    - name: /usr/local/etc/rsync.d
--- a/salt/sys-rsync/create.sls
+++ b/salt/sys-rsync/create.sls
@ -41,6 +41,7 @@ prefs:
 features:
 - enable:
  - servicevm
  - service.rsync-server
 - disable:
  - service.cups
  - service.cups-browsed
--- a/salt/sys-rsync/files/client/systemd/qusal-rsync-forwarder.socket
+++ b/salt/sys-rsync/files/client/systemd/qusal-rsync-forwarder.socket
@ -3,9 +3,9 @@
 # SPDX-License-Identifier: AGPL-3.0-or-later
 [Unit]
-Description=Forward connection to Rsync over Qrexec
+Description=Forward Rsync connection over Qrexec
 After=qubes-sysinit.service
-ConditionPathExists=/var/run/qubes-service/rsync-setup
+ConditionPathExists=/var/run/qubes-service/rsync-client
 [Socket]
 ListenStream=127.0.0.1:1839
--- a/salt/sys-rsync/files/client/systemd/qusal-rsync-forwarder@.service
+++ b/salt/sys-rsync/files/client/systemd/qusal-rsync-forwarder@.service
@ -3,7 +3,7 @@
 # SPDX-License-Identifier: AGPL-3.0-or-later
 [Unit]
-Description=Forward connection to Rsync over Qrexec
+Description=Forward Rsync connection over Qrexec
 [Service]
 ExecStart=/usr/bin/qrexec-client-vm @default qusal.Rsync
--- a/salt/sys-rsync/files/server/rc.local.d/50-sys-rsync.rc
+++ b/salt/sys-rsync/files/server/rc.local.d/50-sys-rsync.rc
@ -1,8 +0,0 @@
 #!/bin/sh
 # vim: ft=sh
 # SPDX-FileCopyrightText: 2022 unman <unman@thirdeyesecurity.org>
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
 systemctl unmask rsync
 systemctl --no-block restart rsync
--- a/salt/sys-rsync/files/server/systemd/rsync.service.d/50_qusal.conf
+++ b/salt/sys-rsync/files/server/systemd/rsync.service.d/50_qusal.conf
@ -0,0 +1,8 @@
 # SPDX-FileCopyrightText: 2023 - 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com>
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
 # vim: ft=systemd
 [Unit]
 ConditionPathExists=/var/run/qubes-service/rsync-server
 After=qubes-sysinit.service
 Before=qubes-qrexec-agent.service
--- a/salt/sys-rsync/install-client.sls
+++ b/salt/sys-rsync/install-client.sls
@ -30,8 +30,8 @@ include:
    - group: root
    - makedirs: True
-"{{ slsdotpath }}-client-systemd-start-qubes-rsync-forwarder.socket":
+"{{ slsdotpath }}-client-systemd-enable-qusal-rsync-forwarder.socket":
  service.enabled:
-    - name: qubes-rsync-forwarder.socket
+    - name: qusal-rsync-forwarder.socket
 {% endif -%}
--- a/salt/sys-rsync/install.sls
+++ b/salt/sys-rsync/install.sls
@ -20,16 +20,22 @@ include:
      - rsync
      - man-db
-"{{ slsdotpath }}-stop-rsync":
+"{{ slsdotpath }}-systemd":
-  service.dead:
+  file.recurse:
    - name: /usr/lib/systemd/system/
    - source: salt://{{ slsdotpath }}/files/server/systemd/
    - dir_mode: '0755'
    - file_mode: '0644'
    - user: root
    - group: root
    - makedirs: True
 "{{ slsdotpath }}-unmask-rsync":
  service.unmasked:
    - name: rsync
-"{{ slsdotpath }}-disable-rsync":
+"{{ slsdotpath }}-enable-rsync":
-  service.disabled:
+  service.enabled:
    - name: rsync
 "{{ slsdotpath }}-mask-rsync":
  service.masked:
    - name: rsync
 "{{ slsdotpath }}-set-rsyncd.conf":
--- a/salt/sys-ssh-agent/README.md
+++ b/salt/sys-ssh-agent/README.md
@ -150,7 +150,7 @@ Or you can manually add the key to the agent which are not located under the
 `~/.ssh/identities.d` directory so they aren't automatically added (substitute
 AGENT, SECS, and LIFE for their appropriate values):
 ```sh
-SSH_AUTH_SOCK="/run/user/1000/qubes-ssh-agent/<AGENT>.sock" ssh-add -t <SECS> -f <FILE>
+SSH_AUTH_SOCK="/run/user/1000/qusal-ssh-agent/<AGENT>.sock" ssh-add -t <SECS> -f <FILE>
 ```
 #### Reload agent
@ -177,17 +177,17 @@ qvm-ssh-agent ls <AGENT>
 Enable and start the connection to the SSH Agent via Qrexec for specified
 `<AGENT>`:
 ```sh
-sudo systemctl --no-block restart qubes-ssh-agent-forwarder@<AGENT>.service
+sudo systemctl --no-block restart qusal-ssh-agent-forwarder@<AGENT>.service
-sudo systemctl --no-block restart qubes-ssh-agent-forwarder@personal.service
+sudo systemctl --no-block restart qusal-ssh-agent-forwarder@personal.service
 ```
 You can start the service on boot if you place the above line
 `/rw/config/rc.local` of the client.
-The ssh-agent socket will be at `/tmp/qubes-ssh-agent-forwarder/<AGENT>.sock`.
+The ssh-agent socket will be at `/tmp/qusal-ssh-agent-forwarder/<AGENT>.sock`.
 You can test the connection is working with:
 ```sh
-SSH_AUTH_SOCK="/tmp/qubes-ssh-agent-forwarder/personal.sock" ssh-add -l
+SSH_AUTH_SOCK="/tmp/qusal-ssh-agent-forwarder/personal.sock" ssh-add -l
 ```
 #### Single agent per client
@ -196,8 +196,8 @@ You might want to set the `SSH_AUTH_SOCK` and `SSH_AGENT_PID` environment
 variables to point to the `work` agent so every connection will use the same
 agent:
 ```sh
-echo 'export SSH_AUTH_SOCK=/tmp/qubes-ssh-agent-forwarder/work.sock;
+echo 'export SSH_AUTH_SOCK=/tmp/qusal-ssh-agent-forwarder/work.sock;
-SSH_AGENT_PID="$(pgrep -f "/tmp/qubes-ssh-agent-forwarder/work.sock")";
+SSH_AGENT_PID="$(pgrep -f "/tmp/qusal-ssh-agent-forwarder/work.sock")";
 ' | tee -a ~/.profile
 ```
@ -210,19 +210,19 @@ the `IdentityAgent` option.
 You can control the SSH agent via SSH command-line option:
 ```sh
-ssh -o IdentityAgent=/tmp/qubes-ssh-agent-forwarder/personal.sock personal-site.com
+ssh -o IdentityAgent=/tmp/qusal-ssh-agent-forwarder/personal.sock personal-site.com
-ssh -o IdentityAgent=/tmp/qubes-ssh-agent-forwarder/work.sock work-site.com
+ssh -o IdentityAgent=/tmp/qusal-ssh-agent-forwarder/work.sock work-site.com
 ```
 You can control the SSH agent via SSH configuration:
 ```sshconfig
 Host personal
-        IdentityAgent /tmp/qubes-ssh-agent-forwarder/personal.sock
+        IdentityAgent /tmp/qusal-ssh-agent-forwarder/personal.sock
        ...
 Host work
-        IdentityAgent /tmp/qubes-ssh-agent-forwarder/work.sock
+        IdentityAgent /tmp/qusal-ssh-agent-forwarder/work.sock
        ...
 ```
 ## Credits
- [Unman](https://github.com/unman/qubes-ssh-agent)
+- [Unman](https://github.com/unman/qusal-ssh-agent)
--- a/salt/sys-ssh-agent/files/client/systemd/qusal-ssh-agent-forwarder@.service
+++ b/salt/sys-ssh-agent/files/client/systemd/qusal-ssh-agent-forwarder@.service
@ -1,9 +1,9 @@
-# SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
+# SPDX-FileCopyrightText: 2023 - 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com>
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
 [Unit]
-Description=SSH Agent Forwarder to Qrexec SSH Agent %i
+Description=Forward SSH Agent %i over Qrexec
 [Service]
 User=user
--- a/salt/sys-ssh-agent/files/server/bin/qvm-ssh-agent
+++ b/salt/sys-ssh-agent/files/server/bin/qvm-ssh-agent
@ -1,12 +1,12 @@
 #!/bin/sh
-# SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
+# SPDX-FileCopyrightText: 2023 - 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com>
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
 set -eu
-service="qubes-ssh-agent"
+service="qusal-ssh-agent"
 usage(){
  echo "Usage: ${0##*/} [ls|add] <AGENT>
--- a/salt/sys-ssh-agent/files/server/rpc/qusal.SshAgent
+++ b/salt/sys-ssh-agent/files/server/rpc/qusal.SshAgent
@ -24,7 +24,7 @@ if test "${#untrusted_agent}" -gt 128; then
 fi
 agent="${untrusted_agent}"
-socket="/tmp/qubes-ssh-agent/${agent}.sock"
+socket="/tmp/qusal-ssh-agent/${agent}.sock"
 qvm-ssh-agent add "${agent}" >/dev/null
 exec socat STDIO UNIX-CLIENT:"${socket}"
--- a/salt/sys-ssh/README.md
+++ b/salt/sys-ssh/README.md
@ -39,7 +39,6 @@ sudo qubesctl top.disable sys-ssh
 ```sh
 sudo qubesctl state.apply sys-ssh.create
 sudo qubesctl --skip-dom0 --targets=tpl-sys-ssh state.apply sys-ssh.install
 sudo qubesctl --skip-dom0 --targets=sys-ssh state.apply sys-ssh.configure
 ```
 <!-- pkg:end:post-install -->
@ -50,7 +49,7 @@ sudo qubesctl --skip-dom0 --targets=TEMPLATE state.apply sys-ssh.install-client
 The client qube requires the SSH forwarder service to be enabled:
 ```
-qvm-features QUBE service.ssh-setup 1
+qvm-features QUBE service.ssh-client 1
 ```
 ## Access Control
--- a/salt/sys-ssh/configure.sls
+++ b/salt/sys-ssh/configure.sls
@ -1,30 +0,0 @@
 {#
 SPDX-FileCopyrightText: 2022 unman <unman@thirdeyesecurity.org>
 SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
 SPDX-License-Identifier: AGPL-3.0-or-later
 #}
 {% if grains['nodename'] != 'dom0' -%}
 include:
  - dev.home-cleanup
 "{{ slsdotpath }}-start-ssh-on-boot":
  file.managed:
    - name: /rw/config/rc.local.d/50-sys-ssh.rc
    - source: salt://{{ slsdotpath }}/files/server/rc.local.d/50-sys-ssh.rc
    - mode: '0755'
    - user: root
    - group: root
    - makedirs: True
 "{{ slsdotpath }}-creates-home-ssh-dir":
  file.directory:
    - name: /home/user/.ssh
    - mode: '0700'
    - user: user
    - group: user
    - makedirs: True
 {% endif -%}
--- a/salt/sys-ssh/configure.top
+++ b/salt/sys-ssh/configure.top
@ -1,9 +0,0 @@
 {#
 SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
 SPDX-License-Identifier: AGPL-3.0-or-later
 #}
 base:
  'sys-ssh':
    - sys-ssh.configure
--- a/salt/sys-ssh/create.sls
+++ b/salt/sys-ssh/create.sls
@ -41,6 +41,7 @@ prefs:
 features:
 - enable:
  - servicevm
  - service.ssh-server
 - disable:
  - service.cups
  - service.cups-browsed
--- a/salt/sys-ssh/files/client/ssh_config.d/50-qusal-sys-ssh.conf
+++ b/salt/sys-ssh/files/client/ssh_config.d/50-qusal-sys-ssh.conf
@ -0,0 +1,11 @@
 # vim: ft=sshconfig
 # SPDX-FileCopyrightText: 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com>
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
 Host default-qubes-server
        Hostname 127.0.0.1
        User user
        Port 1840
        StrictHostKeyChecking no
--- a/salt/sys-ssh/files/client/systemd/qusal-ssh-forwarder.socket
+++ b/salt/sys-ssh/files/client/systemd/qusal-ssh-forwarder.socket
@ -0,0 +1,17 @@
 # SPDX-FileCopyrightText: 2023 - 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
 [Unit]
 Description=Forward SSH connection over Qrexec
 After=qubes-sysinit.service
 Before=qubes-qrexec-agent.service
 ConditionPathExists=/var/run/qubes-service/ssh-client
 [Socket]
 ListenStream=127.0.0.1:1840
 BindToDevice=lo
 Accept=true
 [Install]
 WantedBy=multi-user.target
--- a/salt/sys-ssh/files/client/systemd/qusal-ssh-forwarder@.service
+++ b/salt/sys-ssh/files/client/systemd/qusal-ssh-forwarder@.service
@ -1,9 +1,9 @@
-# SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com
+# SPDX-FileCopyrightText: 2023 - 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
 [Unit]
-Description=Forward connection to SSH over Qrexec
+Description=Forward SSH connection over Qrexec
 [Service]
 ExecStart=/usr/bin/qrexec-client-vm @default qusal.Ssh
--- a/salt/sys-ssh/files/server/rc.local.d/50-sys-ssh.rc
+++ b/salt/sys-ssh/files/server/rc.local.d/50-sys-ssh.rc
@ -1,8 +0,0 @@
 #!/bin/sh
 # vim: ft=sh
 # SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
 systemctl unmask ssh
 systemctl --no-block restart ssh
--- a/salt/sys-ssh/files/server/sshd_config.d/50-qusal-sys-ssh.conf
+++ b/salt/sys-ssh/files/server/sshd_config.d/50-qusal-sys-ssh.conf
--- a/salt/sys-ssh/files/server/systemd/ssh.service.d/50_qusal.conf
+++ b/salt/sys-ssh/files/server/systemd/ssh.service.d/50_qusal.conf
@ -0,0 +1,8 @@
 # SPDX-FileCopyrightText: 2023 - 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com>
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
 # vim: ft=systemd
 [Unit]
 ConditionPathExists=/var/run/qubes-service/ssh-server
 After=qubes-sysinit.service
 Before=qubes-qrexec-agent.service
--- a/salt/sys-ssh/init.top
+++ b/salt/sys-ssh/init.top
@ -10,5 +10,3 @@ base:
    - sys-ssh.create
  'tpl-sys-ssh':
    - sys-ssh.install
  'sys-ssh':
    - sys-ssh.configure
--- a/salt/sys-ssh/install-client.sls
+++ b/salt/sys-ssh/install-client.sls
@ -28,6 +28,15 @@ include:
    - skip_suggestions: True
    - pkgs: {{ pkg.pkg|sequence|yaml }}
 "{{ slsdotpath }}-ssh-config":
  file.managed:
    - name: /etc/ssh/ssh_config.d/50-qusal-{{ slsdotpath }}.conf
    - source: salt://{{ slsdotpath }}/files/client/ssh_config.d/50-qusal-{{ slsdotpath }}.conf
    - mode: '0644'
    - user: root
    - group: root
    - makedirs: True
 "{{ slsdotpath }}-client-systemd":
  file.recurse:
    - name: /usr/lib/systemd/system/
@ -38,8 +47,8 @@ include:
    - group: root
    - makedirs: True
-"{{ slsdotpath }}-client-systemd-start-qubes-ssh-forwarder.socket":
+"{{ slsdotpath }}-client-systemd-start-qusal-ssh-forwarder.socket":
  service.enabled:
-    - name: qubes-ssh-forwarder.socket
+    - name: qusal-ssh-forwarder.socket
 {% endif -%}
--- a/salt/sys-ssh/install.sls
+++ b/salt/sys-ssh/install.sls
@ -20,16 +20,21 @@ include:
      - openssh-server
      - man-db
-"{{ slsdotpath }}-stop-ssh":
+"{{ slsdotpath }}-ssh-systemd-service":
-  service.dead:
+  file.managed:
    - name: /usr/lib/systemd/system/ssh.service.d/50_qusal.conf
    - source: salt://{{ slsdotpath }}/files/server/systemd/ssh.service.d/50_qusal.conf
    - mode: '0644'
    - user: root
    - group: root
    - makedirs: True
 "{{ slsdotpath }}-unmask-ssh":
  service.unmasked:
    - name: ssh
-"{{ slsdotpath }}-disable-ssh":
+"{{ slsdotpath }}-enable-ssh":
-  service.disabled:
+  service.enabled:
    - name: ssh
 "{{ slsdotpath }}-mask-ssh":
  service.masked:
    - name: ssh
 "{{ slsdotpath }}-rpc":
@ -52,9 +57,9 @@ include:
 "{{ slsdotpath }}-sshd-config":
  file.managed:
-    - name: /etc/ssh/sshd_config.d/{{ slsdotpath }}.conf
+    - name: /etc/ssh/sshd_config.d/50-qusal-{{ slsdotpath }}.conf
-    - source: salt://{{ slsdotpath }}/files/server/sshd_config.d/{{ slsdotpath }}.conf
+    - source: salt://{{ slsdotpath }}/files/server/sshd_config.d/50-qusal-{{ slsdotpath }}.conf
-    - mode: '0755'
+    - mode: '0644'
    - user: root
    - group: root
    - makedirs: True
--- a/salt/sys-syncthing/README.md
+++ b/salt/sys-syncthing/README.md
@ -52,9 +52,11 @@ Install Syncthing on the client template:
 sudo qubesctl --skip-dom0 --targets=TEMPLATE state.apply sys-syncthing.install-client
 ```
-The client qube requires the split Syncthing service to be enabled:
+The client qube requires the split Syncthing and the Syncthing Daemon service
 to be enabled:
 ```sh
-qvm-features QUBE service.syncthing-setup 1
+qvm-features QUBE service.syncthing-client 1
 qvm-features QUBE service.syncthing-server 1
 ```
 ## Access Control
@ -87,8 +89,8 @@ interface. In other words, it has control over the server functions, if the
 browser is compromised, it can compromise the server.
 To use the service, from the client, add a Remote Device, and copy the
-`DeviceID` from the server qube. On the Advanced tab, under Addresses, change
+`DeviceID` from the server qube. On the `Advanced` tab, under `Addresses`,
-`dynamic` to `tcp://127.0.0.1:22001`
+change `dynamic` to `tcp://127.0.0.1:22001`
 If the sender qube has no netvm set, under `Settings`, disable `Enable NAT
 traversal`, `Local Discovery`, `Global Discovery`, and `Enable Relaying`
@ -119,7 +121,6 @@ Uninstallation procedure:
 ```sh
 qvm-port-forward -a del -q sys-syncthing -n tcp -p 22000
 qvm-port-forward -a del -q sys-syncthing -n udp -p 22000
 sudo qubesctl --skip-dom0 --targets=sys-syncthing state.apply sys-syncthing.cancel
 sudo qubesctl state.apply sys-syncthing.clean
 ```
 <!-- pkg:end:preun-uninstall -->
--- a/salt/sys-syncthing/cancel.sls
+++ b/salt/sys-syncthing/cancel.sls
@ -1,9 +0,0 @@
 {#
 SPDX-FileCopyrightText: 2022 unman <unman@thirdeyesecurity.org>
 SPDX-License-Identifier: AGPL-3.0-or-later
 #}
 "{{ slsdotpath }}-remove-service-from-rc.local":
  file.absent:
    - name: /rw/config/rc.local.d/50-sys-syncthing.rc
--- a/salt/sys-syncthing/cancel.top
+++ b/salt/sys-syncthing/cancel.top
@ -1,9 +0,0 @@
 {#
 SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
 SPDX-License-Identifier: AGPL-3.0-or-later
 #}
 base:
  'sys-syncthing':
    - sys-syncthing.configure
--- a/salt/sys-syncthing/clean.sls
+++ b/salt/sys-syncthing/clean.sls
@ -11,5 +11,11 @@ SPDX-License-Identifier: AGPL-3.0-or-later
    - flags:
      - force
 "{{ slsdotpath }}-stop-syncthing-from-starting":
  qvm.features:
    - name: {{ slsdotpath }}
    - disable:
      - service.syncthing-server
 {% from 'utils/macros/policy.sls' import policy_unset with context -%}
 {{ policy_unset(sls_path, '80') }}
--- a/salt/sys-syncthing/configure-browser.sls
+++ b/salt/sys-syncthing/configure-browser.sls
@ -18,6 +18,15 @@ include:
    - group: root
    - makedirs: True
 "{{ slsdotpath }}-browser-systemd-services":
  file.recurse:
    - name: /rw/config/systemd/
    - source: salt://{{ slsdotpath }}/files/browser/systemd/
    - dir_mode: '0755'
    - file_mode: '0644'
    - user: root
    - group: root
    - makedirs: True
 "{{ slsdotpath }}-browser-desktop-application":
  file.managed:
--- a/salt/sys-syncthing/configure.sls
+++ b/salt/sys-syncthing/configure.sls
@ -1,5 +1,4 @@
 {#
 SPDX-FileCopyrightText: 2022 unman <unman@thirdeyesecurity.org>
 SPDX-FileCopyrightText: 2023 - 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com>
 SPDX-License-Identifier: AGPL-3.0-or-later
@ -7,12 +6,4 @@ SPDX-License-Identifier: AGPL-3.0-or-later
 include:
  - dotfiles.copy-xfce
-
+  - dotfiles.copy-x11
 "{{ slsdotpath }}-rc.local":
  file.managed:
    - name: /rw/config/rc.local.d/50-sys-syncthing.rc
    - source: salt://{{ slsdotpath }}/files/server/rc.local.d/50-sys-syncthing.rc
    - mode: '0755'
    - user: root
    - group: root
    - makedirs: True
--- a/salt/sys-syncthing/create.sls
+++ b/salt/sys-syncthing/create.sls
@ -56,6 +56,7 @@ prefs:
 features:
 - enable:
  - servicevm
  - service.syncthing-server
 - disable:
  - service.cups
  - service.cups-browsed
@ -83,6 +84,8 @@ prefs:
 - autostart: False
 - include_in_backups: False
 features:
 - enable:
  - service.syncthing-browser
 - disable:
  - service.cups
  - service.cups-browsed
--- a/salt/sys-syncthing/files/browser/rc.local.d/50-sys-syncthing.rc
+++ b/salt/sys-syncthing/files/browser/rc.local.d/50-sys-syncthing.rc
@ -1,7 +1,9 @@
 #!/bin/sh
 # vim: ft=sh
-# SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
+# SPDX-FileCopyrightText: 2023 - 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com>
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
-qvm-connect-tcp 8384:@default:8384
+cp -r /rw/config/systemd/qusal-syncthing-browser-forwarder* /usr/lib/systemd/system/
 systemctl daemon-reload
 systemctl --no-block restart qusal-syncthing-browser-forwarder.socket
--- a/salt/sys-syncthing/files/browser/systemd/qusal-syncthing-browser-forwarder.socket
+++ b/salt/sys-syncthing/files/browser/systemd/qusal-syncthing-browser-forwarder.socket
@ -0,0 +1,17 @@
 # SPDX-FileCopyrightText: 2023 - 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
 [Unit]
 Description=Forward Syncthing Admin Panel connection over Qrexec
 After=qubes-sysinit.service
 Before=qubes-qrexec-agent.service
 ConditionPathExists=/var/run/qubes-service/syncthing-browser
 [Socket]
 ListenStream=127.0.0.1:8384
 BindToDevice=lo
 Accept=true
 [Install]
 WantedBy=multi-user.target
--- a/salt/sys-syncthing/files/browser/systemd/qusal-syncthing-browser-forwarder@.service
+++ b/salt/sys-syncthing/files/browser/systemd/qusal-syncthing-browser-forwarder@.service
@ -0,0 +1,11 @@
 # SPDX-FileCopyrightText: 2023 - 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
 [Unit]
 Description=Forward Syncthing Admin Panel connection over Qrexec
 [Service]
 ExecStart=/usr/bin/qrexec-client-vm @default qubes.ConnectTCP+8384
 StandardInput=socket
 StandardOutput=inherit
--- a/salt/sys-syncthing/files/client/systemd/qubes-syncthing-forwarder.service
+++ b/salt/sys-syncthing/files/client/systemd/qubes-syncthing-forwarder.service
@ -1,25 +0,0 @@
 ## SPDX-FileCopyrightText: 2022 unman <unman@thirdeyesecurity.org>
 ## SPDX-FileCopyrightText: 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com>
 ##
 ## SPDX-License-Identifier: AGPL-3.0-or-later
 [Unit]
 Description=Syncthing over Qrexec
 After=qubes-sysinit.service
 After=qubes-qrexec-agent.service
 ConditionPathExists=/var/run/qubes-service/syncthing-setup
 [Service]
 ExecStart=/usr/bin/socat TCP4-LISTEN:22001,reuseaddr,fork,end-close EXEC:"qrexec-client-vm @default qusal.Syncthing"
 Restart=on-failure
 RestartSec=3
 # Hardening
 ProtectSystem=full
 PrivateTmp=true
 SystemCallArchitectures=native
 MemoryDenyWriteExecute=true
 NoNewPrivileges=true
 [Install]
 WantedBy=multi-user.target
--- a/salt/sys-syncthing/files/client/systemd/qusal-syncthing-forwarder.socket
+++ b/salt/sys-syncthing/files/client/systemd/qusal-syncthing-forwarder.socket
@ -0,0 +1,17 @@
 # SPDX-FileCopyrightText: 2023 - 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
 [Unit]
 Description=Forward Syncthing connection over Qrexec
 After=qubes-sysinit.service
 Before=qubes-qrexec-agent.service
 ConditionPathExists=/var/run/qubes-service/syncthing-client
 [Socket]
 ListenStream=127.0.0.1:22001
 BindToDevice=lo
 Accept=true
 [Install]
 WantedBy=multi-user.target
--- a/Show more
+++ b/Show more