feat: unattended qubes-builder build

Split-gpg2 allows to isolate GPG home directories. In the future, enforcing this setting via drop-in configuration would be safer, depends on https://github.com/QubesOS/qubes-issues/issues/8792.
2024-10-01 02:35:49 -04:00 · 2024-01-05 17:24:14 +01:00 · 2024-01-05 17:24:14 +01:00 · a17f9f5250
commit a17f9f5250
parent 692659e22d
2 changed files with 4 additions and 6 deletions
--- a/salt/qubes-builder/README.md
+++ b/salt/qubes-builder/README.md
@ -49,10 +49,8 @@ qubesctl --skip-dom0 --targets=qubes-builder state.apply qubes-builder.configure

 The policy is based on `qubes-builderv2/rpc/50-qubesbuilder.policy`.
 Extra services added are `qubes.Gpg2`, `qusal.GitInit`, `qusal.GitFetch`,
-`qusal.GitPush`, `qusal.SshAgent`.
-
-Out of these services, if an argument `+qubes-builder` can be specified to
-limit the scope, the action is `allowed`, else the action is to `ask`.
+`qusal.GitPush`, `qusal.SshAgent`. Necessary services are allowed to have an
+unattended build.

 ## Usage

--- a/salt/qubes-builder/files/admin/policy/default.policy
+++ b/salt/qubes-builder/files/admin/policy/default.policy
@ -5,11 +5,11 @@

 ## Do not modify this file, create a new policy with with a lower number in the
 ## file name instead. For example `30-user.policy`.
-qubes.Gpg2 * {{ sls_path }} @default ask target=sys-pgp default_target=sys-pgp
+qubes.Gpg2 * {{ sls_path }} @default allow target=sys-pgp

 qusal.GitInit  +qubes-builder {{ sls_path }} @default allow target=sys-git
 qusal.GitFetch +qubes-builder {{ sls_path }} @default allow target=sys-git
-qusal.GitPush  +qubes-builder {{ sls_path }} @default ask   target=sys-git default_target=sys-pgp
+qusal.GitPush  +qubes-builder {{ sls_path }} @default ask   target=sys-git default_target=sys-git

 qusal.SshAgent +qubes-builder {{ sls_path }} @default allow target=sys-ssh-agent
 qusal.SshAgent +qubes-builder {{ sls_path }} @anyvm deny