From b4d142b640027a4398c12cc124c361bb1e0bef12 Mon Sep 17 00:00:00 2001 
From: Ben Grande Date: Tue, 19 Dec 2023 22:50:59 +0100 Subject: [PATCH] refactor: move appended states to drop-in rc.local --- salt/ansible/configure-minion.sls | 5 ++- salt/ansible/configure.sls | 5 ++- salt/ansible/files/client/rc.local | 2 - .../files/client/rc.local.d/50-ansible.rc | 8 ++++ salt/ansible/files/server/rc.local | 1 - .../files/server/rc.local.d/50-ansible.rc | 7 ++++ salt/docker/configure.sls | 13 +++--- .../files/client/rc.local.d/50-docker.rc | 9 ++++ .../configure-qubes-executor.sls | 14 ++++--- .../50-qubes-builder.conf} | 0 salt/qubes-builder/files/server/rc.local | 1 - .../server/rc.local.d/50-qubes-builder.rc | 7 ++++ salt/sys-cacher/configure-browser.sls | 10 +++-- salt/sys-cacher/configure.sls | 32 ++++++++------- .../files/browser/rc.local.d/50-sys-cacher.rc | 7 ++++ .../lib-qubes-bind-dirs.d/50-sys-cacher.conf | 9 ++++ .../50-sys-cacher.conf} | 0 .../server/qubes-firewall.d/50-sys-cacher | 7 ++++ .../files/server/rc.local.d/50-sys-cacher.rc | 11 +++++ salt/sys-cacher/install.sls | 11 +++-- salt/sys-pihole/configure-browser.sls | 12 ++++-- .../files/browser/rc.local.d/50-sys-pihole.rc | 7 ++++ salt/sys-rsync/configure.sls | 10 +++-- salt/sys-rsync/files/server/rc.local | 2 - .../files/server/rc.local.d/50-sys-rsync.rc | 8 ++++ salt/sys-ssh/configure.sls | 10 +++-- salt/sys-ssh/files/server/rc.local | 2 - .../files/server/rc.local.d/50-sys-ssh.rc | 8 ++++ salt/sys-syncthing/cancel.sls | 7 +--- salt/sys-syncthing/configure-browser.sls | 11 +++-- salt/sys-syncthing/configure.sls | 14 ++++--- .../browser/rc.local.d/50-sys-syncthing.rc | 7 ++++ .../server/rc.local.d/50-sys-syncthing.rc | 8 ++++ salt/sys-wireguard/configure.sls | 41 +++++++++++-------- .../{00-vpn.sh => 50-sys-wireguard-pre} | 0 .../qubes-firewall.d/60-sys-wireguard-filter | 10 +++++ .../server/rc.local.d/50-sys-wireguard.rc | 7 ++++ .../server/{set-wg-conf.sh => wg-conf.sh} | 0 38 files changed, 237 insertions(+), 86 deletions(-) delete mode 100755 
salt/ansible/files/client/rc.local create mode 100755 salt/ansible/files/client/rc.local.d/50-ansible.rc delete mode 100755 salt/ansible/files/server/rc.local create mode 100755 salt/ansible/files/server/rc.local.d/50-ansible.rc create mode 100755 salt/docker/files/client/rc.local.d/50-docker.rc rename salt/qubes-builder/files/server/{builder.conf => qubes-bind-dirs.d/50-qubes-builder.conf} (100%) delete mode 100644 salt/qubes-builder/files/server/rc.local create mode 100755 salt/qubes-builder/files/server/rc.local.d/50-qubes-builder.rc create mode 100755 salt/sys-cacher/files/browser/rc.local.d/50-sys-cacher.rc create mode 100755 salt/sys-cacher/files/server/lib-qubes-bind-dirs.d/50-sys-cacher.conf rename salt/sys-cacher/files/server/{bind-dirs/50_cacher.conf => qubes-bind-dirs.d/50-sys-cacher.conf} (100%) create mode 100755 salt/sys-cacher/files/server/qubes-firewall.d/50-sys-cacher create mode 100755 salt/sys-cacher/files/server/rc.local.d/50-sys-cacher.rc create mode 100755 salt/sys-pihole/files/browser/rc.local.d/50-sys-pihole.rc delete mode 100644 salt/sys-rsync/files/server/rc.local create mode 100755 salt/sys-rsync/files/server/rc.local.d/50-sys-rsync.rc delete mode 100644 salt/sys-ssh/files/server/rc.local create mode 100755 salt/sys-ssh/files/server/rc.local.d/50-sys-ssh.rc create mode 100755 salt/sys-syncthing/files/browser/rc.local.d/50-sys-syncthing.rc create mode 100755 salt/sys-syncthing/files/server/rc.local.d/50-sys-syncthing.rc rename salt/sys-wireguard/files/server/qubes-firewall.d/{00-vpn.sh => 50-sys-wireguard-pre} (100%) create mode 100755 salt/sys-wireguard/files/server/qubes-firewall.d/60-sys-wireguard-filter create mode 100755 salt/sys-wireguard/files/server/rc.local.d/50-sys-wireguard.rc rename salt/sys-wireguard/files/server/{set-wg-conf.sh => wg-conf.sh} (100%) diff --git a/salt/ansible/configure-minion.sls b/salt/ansible/configure-minion.sls index 2c09af9..76b9e7e 100644 --- a/salt/ansible/configure-minion.sls 
+++ b/salt/ansible/configure-minion.sls @@ -8,11 +8,12 @@ SPDX-License-Identifier: AGPL-3.0-or-later "{{ slsdotpath }}-minion-start-sshd": file.managed: - - name: /rw/config/rc.local - - source: salt://{{ slsdotpath }}/files/client/rc.local + - name: /rw/config/rc.local.d/50-ansible.rc + - source: salt://{{ slsdotpath }}/files/client/rc.local.d/50-ansible.rc - mode: '0755' - user: root - group: root + - makedirs: True "{{ slsdotpath }}-minion-ssh-authorized_keys": file.touch: diff --git a/salt/ansible/configure.sls b/salt/ansible/configure.sls index 3e83280..f9f876b 100644 --- a/salt/ansible/configure.sls +++ b/salt/ansible/configure.sls @@ -8,11 +8,12 @@ SPDX-License-Identifier: AGPL-3.0-or-later "{{ slsdotpath }}-autostart-ssh-over-qrexec": file.managed: - - name: /rw/config/rc.local - - source: salt://{{ slsdotpath }}/files/server/rc.local + - name: /rw/config/rc.local.d/50-ansible.rc + - source: salt://{{ slsdotpath }}/files/server/rc.local.d/50-ansible.rc - mode: '0755' - user: root - group: root + - makedirs: True "{{ slsdotpath }}-ssh-config": file.managed: diff --git a/salt/ansible/files/client/rc.local b/salt/ansible/files/client/rc.local deleted file mode 100755 index 37ff103..0000000 --- a/salt/ansible/files/client/rc.local +++ /dev/null @@ -1,2 +0,0 @@ -systemctl unmask ssh -systemctl --no-block start ssh diff --git a/salt/ansible/files/client/rc.local.d/50-ansible.rc b/salt/ansible/files/client/rc.local.d/50-ansible.rc new file mode 100755 index 0000000..4447a22 --- /dev/null +++ b/salt/ansible/files/client/rc.local.d/50-ansible.rc @@ -0,0 +1,8 @@ +#!/bin/sh +# vim: ft=sh +# SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. +# +# SPDX-License-Identifier: AGPL-3.0-or-later + +systemctl unmask ssh +systemctl --no-block start ssh diff --git a/salt/ansible/files/server/rc.local b/salt/ansible/files/server/rc.local deleted file mode 100755 index b60d619..0000000 --- a/salt/ansible/files/server/rc.local +++ /dev/null 
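Review bot: The new client drop-in `50-ansible.rc` re-enables a service the Qubes template masks on purpose, with no comment saying why or what is expected to reach it. Add `# sshd is masked in Qubes templates; the Ansible controller presumably reaches it via qvm-connect-tcp (qrexec), not the network` above the unmask line so the next reader doesn't treat this as an accidental exposure. The listener is reachable by anything that can route to the qube, so it is worth confirming that sshd_config in this template is key-only; the patch does not show it. Also, the whole-file `/rw/config/rc.local` that the previous `file.managed` state installed is no longer managed and keeps running the same two commands on already-provisioned qubes — harmless here, but it deserves a cleanup state or a release note.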
@@ -1 +0,0 @@ -qvm-connect-tcp 22000:@default:22 diff --git a/salt/ansible/files/server/rc.local.d/50-ansible.rc b/salt/ansible/files/server/rc.local.d/50-ansible.rc new file mode 100755 index 0000000..625bf84 --- /dev/null +++ b/salt/ansible/files/server/rc.local.d/50-ansible.rc @@ -0,0 +1,7 @@ +#!/bin/sh +# vim: ft=sh +# SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. +# +# SPDX-License-Identifier: AGPL-3.0-or-later + +qvm-connect-tcp 22000:@default:22 diff --git a/salt/docker/configure.sls b/salt/docker/configure.sls index 66fc3c9..cd53c21 100644 --- a/salt/docker/configure.sls +++ b/salt/docker/configure.sls @@ -7,11 +7,12 @@ SPDX-License-Identifier: AGPL-3.0-or-later {% if grains['nodename'] != 'dom0' -%} "{{ slsdotpath }}-rc.local": - file.append: - - name: /rw/config/rc.local - - text: | - usermod -aG docker user - systemctl unmask docker - systemctl --no-block restart docker + file.managed: + - name: /rw/config/rc.local.d/50-docker.rc + - source: salt://{{ slsdotpath }}/files/client/rc.local.d/50-docker.rc + - mode: '0755' + - user: root + - group: root + - makedirs: True {% endif -%} diff --git a/salt/docker/files/client/rc.local.d/50-docker.rc b/salt/docker/files/client/rc.local.d/50-docker.rc new file mode 100755 index 0000000..a255d35 --- /dev/null +++ b/salt/docker/files/client/rc.local.d/50-docker.rc @@ -0,0 +1,9 @@ +#!/bin/sh +# vim: ft=sh +# SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. +# +# SPDX-License-Identifier: AGPL-3.0-or-later + +usermod -aG docker user +systemctl unmask docker +systemctl --no-block restart docker diff --git a/salt/qubes-builder/configure-qubes-executor.sls b/salt/qubes-builder/configure-qubes-executor.sls index a1855dd..f5568ed 100644 --- a/salt/qubes-builder/configure-qubes-executor.sls +++ b/salt/qubes-builder/configure-qubes-executor.sls 
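Review bot: `usermod -aG docker user` in `50-docker.rc` grants `user` access to the Docker socket, which is root-equivalent inside the qube, and the script says nothing about that trade-off. In a stock Qubes template `user` already has passwordless root, so this presumably adds no privilege, but it should be stated: `# docker group == root inside this qube; acceptable only because Qubes' default user already has passwordless sudo`. If the template ever hardens sudo, this line silently reopens root for `user`. The run-at-every-boot form also relies on /etc/group living in the non-persistent root volume of an AppVM; a one-line comment saying so explains why this is in rc.local rather than the template.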
@@ -31,16 +31,20 @@ include: "{{ slsdotpath }}-executor-bind-dirs": file.managed: - - name: /rw/config/qubes-bind-dirs.d/builder.conf - - source: salt://{{ slsdotpath }}/files/server/builder.conf + - name: /rw/config/qubes-bind-dirs.d/50-qubes-builder.conf + - source: salt://{{ slsdotpath }}/files/server/qubes-bind-dirs.d/50-qubes-builder.conf - user: root - group: root - mode: '0644' - makedirs: True "{{ slsdotpath }}-executor-rc.local": - file.append: - - name: /rw/config/rc.local - - text: "mount /builder -o dev,suid,remount" + file.managed: + - name: /rw/config/rc.local.d/50-qubes-builder.rc + - source: salt://{{ slsdotpath }}/files/server/rc.local.d/50-qubes-builder.rc + - user: root + - group: root + - mode: '0755' + - makedirs: True {% endif -%} diff --git a/salt/qubes-builder/files/server/builder.conf b/salt/qubes-builder/files/server/qubes-bind-dirs.d/50-qubes-builder.conf similarity index 100% rename from salt/qubes-builder/files/server/builder.conf rename to salt/qubes-builder/files/server/qubes-bind-dirs.d/50-qubes-builder.conf diff --git a/salt/qubes-builder/files/server/rc.local b/salt/qubes-builder/files/server/rc.local deleted file mode 100644 index b585b34..0000000 --- a/salt/qubes-builder/files/server/rc.local +++ /dev/null @@ -1 +0,0 @@ -mount /builder -o dev,suid,remount diff --git a/salt/qubes-builder/files/server/rc.local.d/50-qubes-builder.rc b/salt/qubes-builder/files/server/rc.local.d/50-qubes-builder.rc new file mode 100755 index 0000000..59b354d --- /dev/null +++ b/salt/qubes-builder/files/server/rc.local.d/50-qubes-builder.rc @@ -0,0 +1,7 @@ +#!/bin/sh +# vim: ft=sh +# SPDX-FileCopyrightText: 2023 The Qubes OS Project +# +# SPDX-License-Identifier: GPL-2.0-only + +mount /builder -o dev,suid,remount diff --git a/salt/sys-cacher/configure-browser.sls b/salt/sys-cacher/configure-browser.sls index eee3196..35701a2 100644 --- a/salt/sys-cacher/configure-browser.sls +++ b/salt/sys-cacher/configure-browser.sls 
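Review bot: `mount /builder -o dev,suid,remount` lifts nodev/nosuid on the executor's build volume with no explanation in the file, and the `-executor-rc.local` state that installs it doesn't say why either. The remount presumably exists because qubes-builder's executor populates chroots with device nodes and setuid binaries under /builder — record that, e.g. `# qubes-builder chroots under /builder need device nodes and setuid binaries; deliberately relax nodev,nosuid on this mount only`, so the line isn't removed later as a hardening fix. The script also does not check that /builder is a mountpoint; if the bind-dirs mount from `50-qubes-builder.conf` hasn't happened, `mount -o remount` fails quietly inside rc.local. Consider `mountpoint -q /builder || exit 1` so the failure is at least visible.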
@@ -7,9 +7,13 @@ SPDX-License-Identifier: AGPL-3.0-or-later {% if grains['nodename'] != 'dom0' %} "{{ slsdotpath }}-browser-rc.local": - file.append: - - name: /rw/config/rc.local - - text: "qvm-connect-tcp 8082:@default:8082" + file.managed: + - name: /rw/config/rc.local.d/50-sys-cacher.rc + - source: salt://{{ slsdotpath }}/files/browser/rc.local.d/50-sys-cacher.rc + - mode: '0755' + - user: root + - group: root + - makedirs: True "{{ slsdotpath }}-browser-desktop-application": file.managed: diff --git a/salt/sys-cacher/configure.sls b/salt/sys-cacher/configure.sls index f7c88c3..841efdf 100644 --- a/salt/sys-cacher/configure.sls +++ b/salt/sys-cacher/configure.sls 
@@ -10,24 +10,28 @@ include: - dotfiles.copy-x11 "{{ slsdotpath }}-install-rc.local": - file.append: - - name: /rw/config/rc.local - - text: | - chown -R apt-cacher-ng:apt-cacher-ng /var/log/apt-cacher-ng - chown -R apt-cacher-ng:apt-cacher-ng /var/cache/apt-cacher-ng - systemctl unmask qubes-apt-cacher-ng - systemctl --no-block restart qubes-apt-cacher-ng - nft 'insert rule ip filter INPUT tcp dport 8082 counter accept' + file.managed: + - name: /rw/config/rc.local.d/50-sys-cacher.rc + - source: salt://{{ slsdotpath }}/files/server/rc.local.d/50-sys-cacher.rc + - mode: '0755' + - user: root + - group: root + - makedirs: True -"{{ slsdotpath }}-install-qubes-firewall-user-script": - file.append: - - name: /rw/config/qubes-firewall-user-script - - text: nft 'insert rule ip filter INPUT tcp dport 8082 counter accept' +"{{ slsdotpath }}-install-qubes-firewall": + file.managed: + - name: /rw/config/qubes-firewall.d/50-sys-cacher + - source: salt://{{ slsdotpath }}/files/server/qubes-firewall.d/50-sys-cacher + - mode: '0755' + - user: root + - group: root + - makedirs: True "{{ slsdotpath }}-bind-dirs": file.managed: - - name: /rw/config/qubes-bind-dirs.d/50_cacher.conf - - source: salt://{{ slsdotpath }}/files/server/bind-dirs/50_cacher.conf + - name: /rw/config/qubes-bind-dirs.d/50-sys-cacher.conf + - source: salt://{{ slsdotpath }}/files/server/qubes-bind-dirs.d/50-sys-cacher.conf + - mode: '0644' - user: root - group: root - makedirs: True diff --git a/salt/sys-cacher/files/browser/rc.local.d/50-sys-cacher.rc b/salt/sys-cacher/files/browser/rc.local.d/50-sys-cacher.rc new file mode 100755 index 0000000..6693603 --- /dev/null +++ b/salt/sys-cacher/files/browser/rc.local.d/50-sys-cacher.rc @@ -0,0 +1,7 @@ +#!/bin/sh +# vim: ft=sh +# SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. +# +# SPDX-License-Identifier: AGPL-3.0-or-later + +qvm-connect-tcp 8082:@default:8082 
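Review bot: Dropping the `file.append` on `/rw/config/qubes-firewall-user-script` does not remove the `nft 'insert rule ...'` line it previously appended, so a sys-cacher qube provisioned before this change will run both that line and the new `qubes-firewall.d/50-sys-cacher` script, inserting the same INPUT rule twice on every firewall reload (and likewise for the old rc.local lines). Salt keeps no record of what `file.append` added, so either ship a one-off cleanup state — `file.replace` with `pattern: '^nft .*dport 8082.*\n?'`, `repl: ''`, `ignore_if_missing: True` on the user script — or state in the commit message that existing qubes need manual cleanup. The same caveat applies to every module in this commit that replaced a `file.append`.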
diff --git a/salt/sys-cacher/files/server/lib-qubes-bind-dirs.d/50-sys-cacher.conf b/salt/sys-cacher/files/server/lib-qubes-bind-dirs.d/50-sys-cacher.conf
new file mode 100755
index 0000000..a03b188
--- /dev/null
+++ b/salt/sys-cacher/files/server/lib-qubes-bind-dirs.d/50-sys-cacher.conf
@@ -0,0 +1,9 @@
+#!/bin/bash
+
+# SPDX-FileCopyrightText: 2023 unman
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+binds+=( '/etc/anacrontab' )
+
+# vim: ft=bash
diff --git a/salt/sys-cacher/files/server/bind-dirs/50_cacher.conf b/salt/sys-cacher/files/server/qubes-bind-dirs.d/50-sys-cacher.conf
similarity index 100%
rename from salt/sys-cacher/files/server/bind-dirs/50_cacher.conf
rename to salt/sys-cacher/files/server/qubes-bind-dirs.d/50-sys-cacher.conf
diff --git a/salt/sys-cacher/files/server/qubes-firewall.d/50-sys-cacher b/salt/sys-cacher/files/server/qubes-firewall.d/50-sys-cacher
new file mode 100755
index 0000000..ef0e870
--- /dev/null
+++ b/salt/sys-cacher/files/server/qubes-firewall.d/50-sys-cacher
@@ -0,0 +1,7 @@
+#!/bin/sh
+# vim: ft=sh
+# SPDX-FileCopyrightText: 2023 Benjamin Grande M. S.
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+nft 'insert rule ip filter INPUT tcp dport 8082 counter accept'
diff --git a/salt/sys-cacher/files/server/rc.local.d/50-sys-cacher.rc b/salt/sys-cacher/files/server/rc.local.d/50-sys-cacher.rc
new file mode 100755
index 0000000..076df07
--- /dev/null
+++ b/salt/sys-cacher/files/server/rc.local.d/50-sys-cacher.rc
@@ -0,0 +1,11 @@
+#!/bin/sh
+# vim: ft=sh
+# SPDX-FileCopyrightText: 2023 Benjamin Grande M. S.
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+chown -R apt-cacher-ng:apt-cacher-ng /var/log/apt-cacher-ng
+chown -R apt-cacher-ng:apt-cacher-ng /var/cache/apt-cacher-ng
+systemctl unmask qubes-apt-cacher-ng
+systemctl --no-block restart qubes-apt-cacher-ng
+nft 'insert rule ip filter INPUT tcp dport 8082 counter accept'
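Review bot: The INPUT accept for port 8082 now lives both on the last line of `rc.local.d/50-sys-cacher.rc` and in `qubes-firewall.d/50-sys-cacher`, so after boot the rule is present twice, and the rc.local copy is a one-shot at boot that is never re-applied when the firewall is reloaded, which the firewall drop-in presumably is. Keep it only in the firewall drop-in and delete the `nft` line from the `.rc`. The rule also accepts from every interface, uplink included; if downstream qubes reach the cache over the network, restrict it with `iifname "vif*"`, and if clients only arrive over `qvm-connect-tcp` (qrexec) as the browser drop-in suggests, the rule may not be needed at all. Finally, `ip filter INPUT` assumes an iptables-style `filter` table exists in the target template; Qubes 4.2 agents provide a `custom-input` chain in their own `qubes` table for exactly this, worth checking before relying on `filter`.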
diff --git a/salt/sys-cacher/install.sls b/salt/sys-cacher/install.sls index 516c8eb..01c854d 100644 --- a/salt/sys-cacher/install.sls +++ b/salt/sys-cacher/install.sls @@ -87,10 +87,13 @@ SPDX-License-Identifier: AGPL-3.0-or-later - user: root - group: root -"{{ slsdotpath }}-qubes-bind-dirs": - file.append: - - name: /usr/lib/qubes-bind-dirs.d/30_cron.conf - - text: "binds+=( ' /etc/anacrontab' )" +"{{ slsdotpath }}-lib-qubes-bind-dirs": + file.managed: + - name: /usr/lib/qubes-bind-dirs.d/50-sys-cacher.conf + - source: salt://{{ slsdotpath }}/files/server/lib-qubes-bind-dirs.d/50-sys-cacher.conf + - mode: '0644' + - user: root + - group: root "{{ slsdotpath }}-acng.conf": file.managed: diff --git a/salt/sys-pihole/configure-browser.sls b/salt/sys-pihole/configure-browser.sls index 8def661..25803bc 100644 --- a/salt/sys-pihole/configure-browser.sls +++ b/salt/sys-pihole/configure-browser.sls @@ -7,10 +7,14 @@ SPDX-License-Identifier: AGPL-3.0-or-later {% if grains['nodename'] != 'dom0' %} -"{{ slsdotpath }}-browser-rc.local": - file.append: - - name: /rw/config/rc.local - - text: "qvm-connect-tcp 80:@default:80" +"{{ slsdotpath }}-browser-auto-tcp-connect": + file.managed: + - name: /rw/config/rc.local.d/50-sys-pihole.rc + - source: salt://{{ slsdotpath }}/files/browser/rc.local.d/50-sys-pihole.rc + - mode: '0755' + - user: root + - group: root + - makedirs: True "{{ slsdotpath }}-browser-desktop-application": file.managed: diff --git a/salt/sys-pihole/files/browser/rc.local.d/50-sys-pihole.rc b/salt/sys-pihole/files/browser/rc.local.d/50-sys-pihole.rc new file mode 100755 index 0000000..02f54c8 --- /dev/null +++ b/salt/sys-pihole/files/browser/rc.local.d/50-sys-pihole.rc @@ -0,0 +1,7 @@ +#!/bin/sh +# vim: ft=sh +# SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. +# +# SPDX-License-Identifier: AGPL-3.0-or-later + +qvm-connect-tcp 80:@default:80 diff --git a/salt/sys-rsync/configure.sls b/salt/sys-rsync/configure.sls index 5f4c5ed..b4aaf9f 100644 
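Review bot: The new `lib-qubes-bind-dirs.d/50-sys-cacher.conf` is committed with git mode 100755 (`new file mode 100755` in this patch) and carries a `#!/bin/bash` shebang, while the `-lib-qubes-bind-dirs` state installs it with `mode: '0644'`, which is the right mode for a fragment that bind-dirs sources rather than executes. Drop the executable bit in git and the shebang (keeping `# vim: ft=bash`) so the repository copy and the deployed copy agree on what the file is. Note that the move also silently fixes the old `' /etc/anacrontab'` entry, which had a leading space inside the quotes; that is a behaviour change on the server side and deserves a line in the commit message.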
--- a/salt/sys-rsync/configure.sls +++ b/salt/sys-rsync/configure.sls @@ -9,9 +9,13 @@ include: - dev.home-cleanup "{{ slsdotpath }}-start-rsync-on-boot": - file.append: - - name: /rw/config/rc.local - - source: salt://{{ slsdotpath }}/files/server/rc.local + file.managed: + - name: /rw/config/rc.local.d/50-sys-rsync.rc + - source: salt://{{ slsdotpath }}/files/server/rc.local.d/50-sys-rsync.rc + - mode: '0755' + - user: root + - group: root + - makedirs: True "{{ slsdotpath }}-creates-local-rsync-configuration-dir": file.directory: diff --git a/salt/sys-rsync/files/server/rc.local b/salt/sys-rsync/files/server/rc.local deleted file mode 100644 index 7f33c9a..0000000 --- a/salt/sys-rsync/files/server/rc.local +++ /dev/null @@ -1,2 +0,0 @@ -systemctl unmask rsync -systemctl --no-block restart rsync diff --git a/salt/sys-rsync/files/server/rc.local.d/50-sys-rsync.rc b/salt/sys-rsync/files/server/rc.local.d/50-sys-rsync.rc new file mode 100755 index 0000000..5bc7a99 --- /dev/null +++ b/salt/sys-rsync/files/server/rc.local.d/50-sys-rsync.rc @@ -0,0 +1,8 @@ +#!/bin/sh +# vim: ft=sh +# SPDX-FileCopyrightText: 2022 unman +# +# SPDX-License-Identifier: AGPL-3.0-or-later + +systemctl unmask rsync +systemctl --no-block restart rsync diff --git a/salt/sys-ssh/configure.sls b/salt/sys-ssh/configure.sls index 9cd32fb..f356cd9 100644 --- a/salt/sys-ssh/configure.sls +++ b/salt/sys-ssh/configure.sls @@ -11,9 +11,13 @@ include: - dev.home-cleanup "{{ slsdotpath }}-start-ssh-on-boot": - file.append: - - name: /rw/config/rc.local - - source: salt://{{ slsdotpath }}/files/server/rc.local + file.managed: + - name: /rw/config/rc.local.d/50-sys-ssh.rc + - source: salt://{{ slsdotpath }}/files/server/rc.local.d/50-sys-ssh.rc + - mode: '0755' + - user: root + - group: root + - makedirs: True "{{ slsdotpath }}-creates-home-ssh-dir": file.directory: diff --git a/salt/sys-ssh/files/server/rc.local b/salt/sys-ssh/files/server/rc.local deleted file mode 100644 index 6c2bafa..0000000 
--- a/salt/sys-ssh/files/server/rc.local +++ /dev/null @@ -1,2 +0,0 @@ -systemctl unmask ssh -systemctl --no-block restart ssh diff --git a/salt/sys-ssh/files/server/rc.local.d/50-sys-ssh.rc b/salt/sys-ssh/files/server/rc.local.d/50-sys-ssh.rc new file mode 100755 index 0000000..76e253a --- /dev/null +++ b/salt/sys-ssh/files/server/rc.local.d/50-sys-ssh.rc @@ -0,0 +1,8 @@ +#!/bin/sh +# vim: ft=sh +# SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. +# +# SPDX-License-Identifier: AGPL-3.0-or-later + +systemctl unmask ssh +systemctl --no-block restart ssh diff --git a/salt/sys-syncthing/cancel.sls b/salt/sys-syncthing/cancel.sls index a1c946e..d8e93a2 100644 --- a/salt/sys-syncthing/cancel.sls +++ b/salt/sys-syncthing/cancel.sls @@ -5,8 +5,5 @@ SPDX-License-Identifier: AGPL-3.0-or-later #} "{{ slsdotpath }}-remove-service-from-rc.local": - file.replace: - - name: /rw/config/rc.local - - pattern: 'systemctl.*unmask.*syncthing@user.service' - - repl: '' - - backup: False + file.absent: + - name: /rw/config/rc.local.d/50-sys-syncthing.rc diff --git a/salt/sys-syncthing/configure-browser.sls b/salt/sys-syncthing/configure-browser.sls index 9ff3cb9..42eac5d 100644 --- a/salt/sys-syncthing/configure-browser.sls +++ b/salt/sys-syncthing/configure-browser.sls @@ -7,9 +7,14 @@ SPDX-License-Identifier: AGPL-3.0-or-later {% if grains['nodename'] != 'dom0' %} "{{ slsdotpath }}-browser-rc.local": - file.append: - - name: /rw/config/rc.local - - text: "qvm-connect-tcp 8384:@default:8384" + file.managed: + - name: /rw/config/rc.local.d/50-sys-syncthing.rc + - source: salt://{{ slsdotpath }}/files/browser/rc.local.d/50-sys-syncthing.rc + - mode: '0755' + - user: root + - group: root + - makedirs: True + "{{ slsdotpath }}-browser-desktop-application": file.managed: diff --git a/salt/sys-syncthing/configure.sls b/salt/sys-syncthing/configure.sls index e2104fe..cc7679c 100644 --- a/salt/sys-syncthing/configure.sls +++ b/salt/sys-syncthing/configure.sls 
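Review bot: `file.absent` on `/rw/config/rc.local.d/50-sys-syncthing.rc` only undoes the new layout; a qube configured by the previous `file.append` state still has the `systemctl unmask syncthing@user.service` and `restart` lines in `/rw/config/rc.local`, and the `file.replace` that used to blank the unmask line is gone, so `cancel` no longer cancels on those qubes. Keep a transitional cleanup of the legacy file next to the new state, tolerant of the file being absent, until existing deployments have been re-provisioned. The old pattern only removed the unmask line and left the restart one; the cleanup can cover both.
```yaml
"{{ slsdotpath }}-remove-service-from-rc.local":
  file.absent:
    - name: /rw/config/rc.local.d/50-sys-syncthing.rc

"{{ slsdotpath }}-remove-legacy-service-from-rc.local":
  file.replace:
    - name: /rw/config/rc.local
    - pattern: '^systemctl .*syncthing@user\.service\n?'
    - repl: ''
    - ignore_if_missing: True
    - backup: False
```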
@@ -5,9 +5,11 @@ SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. SPDX-License-Identifier: AGPL-3.0-or-later #} -"{{ slsdotpath }}-append-to-rc.local": - file.append: - - name: /rw/config/rc.local - - text: | - systemctl unmask syncthing@user.service - systemctl --no-block restart syncthing@user.service +"{{ slsdotpath }}-rc.local": + file.managed: + - name: /rw/config/rc.local.d/50-sys-syncthing.rc + - source: salt://{{ slsdotpath }}/files/XXXXXXXXXXX/rc.local.d/50-sys-syncthing.rc + - mode: '0755' + - user: root + - group: root + - makedirs: True diff --git a/salt/sys-syncthing/files/browser/rc.local.d/50-sys-syncthing.rc b/salt/sys-syncthing/files/browser/rc.local.d/50-sys-syncthing.rc new file mode 100755 index 0000000..86e2956 --- /dev/null +++ b/salt/sys-syncthing/files/browser/rc.local.d/50-sys-syncthing.rc @@ -0,0 +1,7 @@ +#!/bin/sh +# vim: ft=sh +# SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. +# +# SPDX-License-Identifier: AGPL-3.0-or-later + +qvm-connect-tcp 8384:@default:8384 diff --git a/salt/sys-syncthing/files/server/rc.local.d/50-sys-syncthing.rc b/salt/sys-syncthing/files/server/rc.local.d/50-sys-syncthing.rc new file mode 100755 index 0000000..7076b4b --- /dev/null +++ b/salt/sys-syncthing/files/server/rc.local.d/50-sys-syncthing.rc @@ -0,0 +1,8 @@ +#!/bin/sh +# vim: ft=sh +# SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. +# +# SPDX-License-Identifier: AGPL-3.0-or-later + +systemctl unmask syncthing@user.service +systemctl --no-block restart syncthing@user.service diff --git a/salt/sys-wireguard/configure.sls b/salt/sys-wireguard/configure.sls index 5ae8b08..678a5db 100644 --- a/salt/sys-wireguard/configure.sls +++ b/salt/sys-wireguard/configure.sls 
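Review bot: The `source` of the new `-rc.local` state points at `salt://{{ slsdotpath }}/files/XXXXXXXXXXX/rc.local.d/50-sys-syncthing.rc`, a placeholder path that exists nowhere in this patch; the file is added under `files/server/rc.local.d/`, so `file.managed` will fail with a missing-source error the first time the state is applied. Change it to `- source: salt://{{ slsdotpath }}/files/server/rc.local.d/50-sys-syncthing.rc`, matching the browser state in `configure-browser.sls`. Unless the placeholder is an artifact of how this patch was captured, this is the one hunk in the commit that should block merge.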
@@ -14,37 +14,42 @@ SPDX-License-Identifier: AGPL-3.0-or-later - makedirs: True "{{ slsdotpath }}-rc.local": - file.append: - - name: /rw/config/rc.local - - text: wg-quick up /rw/config/vpn/wireguard.conf - -"{{ slsdotpath }}-add-config.sh": file.managed: - - name: /home/user/add-config.sh - - source: salt://{{ slsdotpath }}/files/server/add-config.sh + - name: /rw/config/rc.local.d/50-sys-wireguard.rc + - source: salt://{{ slsdotpath }}/files/server/rc.local.d/50-sys-wireguard.rc + - user: root + - group: root + - mode: '0755' + - makedirs: True + +"{{ slsdotpath }}-wg-conf.sh": + file.managed: + - name: /home/user/wg-conf.sh + - source: salt://{{ slsdotpath }}/files/server/wg-conf.sh + - mode: '0755' - user: user - group: user - - mode: '0755' - - replace: True + - makedirs: True -"{{ slsdotpath }}-qubes-firewall-user-script": - file.append: - - name: /rw/config/qubes-firewall-user-script - - text: - - nft insert rule filter FORWARD tcp flags syn tcp option maxseg size set rt mtu - - nft insert rule filter FORWARD oifname eth0 drop - - nft insert rule filter FORWARD iifname eth0 drop +"{{ slsdotpath }}-firewall-filter": + file.managed: + - name: /rw/config/qubes-firewall.d/60-sys-wireguard-filter + - source: salt://{{ slsdotpath }}/files/server/qubes-firewall.d/60-sys-wireguard-filter + - mode: '0755' + - user: root + - group: root + - makedirs: True "{{ slsdotpath }}-firewall-flush": file.managed: - name: /rw/config/network-hooks.d/flush.sh - source: salt://{{ slsdotpath }}/files/server/flush.sh + - mode: '0755' - user: root - group: root - makedirs: True - - mode: '0755' -"{{ slsdotpath }}-set-firewall-flush-rules": +"{{ slsdotpath }}-firewall-flush-rules": file.managed: - name: /rw/config/network-hooks.d/flush - source: salt://{{ slsdotpath }}/files/server/flush 
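Review bot: `wg-conf.sh` is installed into `/home/user` as `user:user` 0755, and nothing in this hunk shows what it writes, but the rc drop-in reads `/rw/config/vpn/wireguard.conf`, which carries the WireGuard private key. If the helper is what produces that file, make sure the result ends up root-owned and 0600 under `/rw/config/vpn` — the state whose tail (`- makedirs: True`) opens this hunk looks like the directory state and is the place to pin `dir_mode` — since `wg-quick` runs as root from rc.local and nothing else needs to read it. Dropping `- replace: True` is a no-op (it is Salt's default), so that part is fine. The `-firewall-flush-rules` state continues past the end of the hunk.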
diff --git a/salt/sys-wireguard/files/server/qubes-firewall.d/00-vpn.sh b/salt/sys-wireguard/files/server/qubes-firewall.d/50-sys-wireguard-pre
similarity index 100%
rename from salt/sys-wireguard/files/server/qubes-firewall.d/00-vpn.sh
rename to salt/sys-wireguard/files/server/qubes-firewall.d/50-sys-wireguard-pre
diff --git a/salt/sys-wireguard/files/server/qubes-firewall.d/60-sys-wireguard-filter b/salt/sys-wireguard/files/server/qubes-firewall.d/60-sys-wireguard-filter
new file mode 100755
index 0000000..ed11cc3
--- /dev/null
+++ b/salt/sys-wireguard/files/server/qubes-firewall.d/60-sys-wireguard-filter
@@ -0,0 +1,10 @@
+#!/usr/bin/nft -f
+
+# SPDX-FileCopyrightText: 2022 unman
+# SPDX-FileCopyrightText: 2023 Benjamin Grande M. S.
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+insert rule filter FORWARD tcp flags syn tcp option maxseg size set rt mtu
+insert rule filter FORWARD oifname eth0 drop
+insert rule filter FORWARD iifname eth0 drop
diff --git a/salt/sys-wireguard/files/server/rc.local.d/50-sys-wireguard.rc b/salt/sys-wireguard/files/server/rc.local.d/50-sys-wireguard.rc
new file mode 100755
index 0000000..1274df1
--- /dev/null
+++ b/salt/sys-wireguard/files/server/rc.local.d/50-sys-wireguard.rc
@@ -0,0 +1,7 @@
+#!/bin/sh
+# vim: ft=sh
+# SPDX-FileCopyrightText: 2023 Benjamin Grande M. S.
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+wg-quick up /rw/config/vpn/wireguard.conf
diff --git a/salt/sys-wireguard/files/server/set-wg-conf.sh b/salt/sys-wireguard/files/server/wg-conf.sh
similarity index 100%
rename from salt/sys-wireguard/files/server/set-wg-conf.sh
rename to salt/sys-wireguard/files/server/wg-conf.sh
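Review bot: The kill-switch in `60-sys-wireguard-filter` drops forwarded `eth0` traffic only in the `ip` family (`filter` with no family qualifier means `ip filter`), so if the uplink provides IPv6, downstream qubes' v6 traffic is neither tunnelled by these rules nor dropped — a classic VPN leak. Either add the same three rules for `ip6 filter FORWARD` or document that IPv6 is disabled in this qube. The sibling sys-cacher script spells its table as `ip filter` while this one writes bare `filter`; pick one spelling so the table the rules land in is obvious to the reader. `insert` also means the chain ends up in the reverse of file order (the `iifname eth0 drop` first), which is what you want here but is worth a comment, e.g. `# insert prepends: final order is iifname drop, oifname drop, MSS clamp`.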