From a17f9f5250dcd42e7c5dbfe46fe771722a6a5b06 Mon Sep 17 00:00:00 2001 From: Ben Grande Date: Fri, 5 Jan 2024 17:24:14 +0100 Subject: [PATCH] feat: unattended qubes-builder build Split-gpg2 allows to isolate GPG home directories. In the future, enforcing this setting via drop-in configuration would be safer, depends on https://github.com/QubesOS/qubes-issues/issues/8792. --- salt/qubes-builder/README.md | 6 ++---- salt/qubes-builder/files/admin/policy/default.policy | 4 ++-- 2 files changed, 4 insertions(+), 6 deletions(-) diff --git a/salt/qubes-builder/README.md b/salt/qubes-builder/README.md index 586fb3a..bc9f1cc 100644 --- a/salt/qubes-builder/README.md +++ b/salt/qubes-builder/README.md @@ -49,10 +49,8 @@ qubesctl --skip-dom0 --targets=qubes-builder state.apply qubes-builder.configure The policy is based on `qubes-builderv2/rpc/50-qubesbuilder.policy`. Extra services added are `qubes.Gpg2`, `qusal.GitInit`, `qusal.GitFetch`, -`qusal.GitPush`, `qusal.SshAgent`. - -Out of these services, if an argument `+qubes-builder` can be specified to -limit the scope, the action is `allowed`, else the action is to `ask`. +`qusal.GitPush`, `qusal.SshAgent`. Necessary services are allowed to have an +unattended build. ## Usage diff --git a/salt/qubes-builder/files/admin/policy/default.policy b/salt/qubes-builder/files/admin/policy/default.policy index 5953898..a5ff04f 100644 --- a/salt/qubes-builder/files/admin/policy/default.policy +++ b/salt/qubes-builder/files/admin/policy/default.policy 
@@ -5,11 +5,11 @@ ## Do not modify this file, create a new policy with with a lower number in the ## file name instead. For example `30-user.policy`. -qubes.Gpg2 * {{ sls_path }} @default ask target=sys-pgp default_target=sys-pgp +qubes.Gpg2 * {{ sls_path }} @default allow target=sys-pgp qusal.GitInit +qubes-builder {{ sls_path }} @default allow target=sys-git qusal.GitFetch +qubes-builder {{ sls_path }} @default allow target=sys-git -qusal.GitPush +qubes-builder {{ sls_path }} @default ask target=sys-git default_target=sys-pgp +qusal.GitPush +qubes-builder {{ sls_path }} @default ask target=sys-git default_target=sys-git qusal.SshAgent +qubes-builder {{ sls_path }} @default allow target=sys-ssh-agent qusal.SshAgent +qubes-builder {{ sls_path }} @anyvm deny
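Review bot: in the README hunk, the replacement sentence `Necessary services are allowed to have an unattended build.` drops two things the removed paragraph explained and that the policy still relies on: that the `+qubes-builder` argument is what limits the scope of the `allow` rules, and that not every service is allowed (the policy hunk keeps `qusal.GitPush` at `ask`). Suggest wording along the lines of "Services required for an unattended build are allowed when scoped with the `+qubes-builder` argument; `qusal.GitPush` still asks." This also fixes the awkward phrasing `allowed to have an unattended build`.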
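Review bot: in the policy hunk, the `qubes.Gpg2` rule changes from `ask` to `allow` while keeping the `*` argument, so every GPG request from the builder qube now reaches `sys-pgp` without a prompt; the isolation the commit message relies on (a separate GPG home directory in split-gpg2) is not configured anywhere in this patch and is explicitly deferred to qubes-issues 8792. Until that lands, the README should state that `sys-pgp` must be set up with a dedicated home directory for the builder, and, if the service argument is what selects that home, the rule should match a specific argument rather than `*`, consistent with how the `qusal.*` lines are scoped with `+qubes-builder`. The `default_target=sys-pgp` to `default_target=sys-git` correction on `qusal.GitPush` is right, since the target is `sys-git`. Minor: the untouched header comment `create a new policy with with a lower number` has a doubled `with` that could be fixed in a follow-up.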