refactor: move appended states to drop-in rc.local

salt/ansible/configure-minion.sls

@@ -8,11 +8,12 @@ SPDX-License-Identifier: AGPL-3.0-or-later
 
 "{{ slsdotpath }}-minion-start-sshd":
   file.managed:
-    - name: /rw/config/rc.local
+    - name: /rw/config/rc.local.d/50-ansible.rc
-    - source: salt://{{ slsdotpath }}/files/client/rc.local
+    - source: salt://{{ slsdotpath }}/files/client/rc.local.d/50-ansible.rc
     - mode: '0755'
     - user: root
     - group: root
+    - makedirs: True
 
 "{{ slsdotpath }}-minion-ssh-authorized_keys":
   file.touch:

salt/ansible/configure.sls

@@ -8,11 +8,12 @@ SPDX-License-Identifier: AGPL-3.0-or-later
 
 "{{ slsdotpath }}-autostart-ssh-over-qrexec":
   file.managed:
-    - name: /rw/config/rc.local
+    - name: /rw/config/rc.local.d/50-ansible.rc
-    - source: salt://{{ slsdotpath }}/files/server/rc.local
+    - source: salt://{{ slsdotpath }}/files/server/rc.local.d/50-ansible.rc
     - mode: '0755'
     - user: root
     - group: root
+    - makedirs: True
 
 "{{ slsdotpath }}-ssh-config":
   file.managed:

salt/ansible/files/client/rc.local

@@ -1,2 +0,0 @@
-systemctl unmask ssh
-systemctl --no-block start ssh

salt/ansible/files/client/rc.local.d/50-ansible.rc

@@ -0,0 +1,8 @@
+#!/bin/sh
+# vim: ft=sh
+# SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+systemctl unmask ssh
+systemctl --no-block start ssh

salt/ansible/files/server/rc.local

@@ -1 +0,0 @@
-qvm-connect-tcp 22000:@default:22

salt/ansible/files/server/rc.local.d/50-ansible.rc

@@ -0,0 +1,7 @@
+#!/bin/sh
+# vim: ft=sh
+# SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+qvm-connect-tcp 22000:@default:22

salt/docker/configure.sls

@@ -7,11 +7,12 @@ SPDX-License-Identifier: AGPL-3.0-or-later
 {% if grains['nodename'] != 'dom0' -%}
 
 "{{ slsdotpath }}-rc.local":
-  file.append:
+  file.managed:
-    - name: /rw/config/rc.local
+    - name: /rw/config/rc.local.d/50-docker.rc
-    - text: |
+    - source: salt://{{ slsdotpath }}/files/client/rc.local.d/50-docker.rc
-        usermod -aG docker user
+    - mode: '0755'
-        systemctl unmask docker
+    - user: root
-        systemctl --no-block restart docker
+    - group: root
+    - makedirs: True
 
 {% endif -%}

salt/docker/files/client/rc.local.d/50-docker.rc

@@ -0,0 +1,9 @@
+#!/bin/sh
+# vim: ft=sh
+# SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+usermod -aG docker user
+systemctl unmask docker
+systemctl --no-block restart docker

salt/qubes-builder/configure-qubes-executor.sls

@@ -31,16 +31,20 @@ include:
 
 "{{ slsdotpath }}-executor-bind-dirs":
   file.managed:
-    - name: /rw/config/qubes-bind-dirs.d/builder.conf
+    - name: /rw/config/qubes-bind-dirs.d/50-qubes-builder.conf
-    - source: salt://{{ slsdotpath }}/files/server/builder.conf
+    - source: salt://{{ slsdotpath }}/files/server/qubes-bind-dirs.d/50-qubes-builder.conf
     - user: root
     - group: root
     - mode: '0644'
     - makedirs: True
 
 "{{ slsdotpath }}-executor-rc.local":
-  file.append:
+  file.managed:
-    - name: /rw/config/rc.local
+    - name: /rw/config/rc.local.d/50-qubes-builder.rc
-    - text: "mount /builder -o dev,suid,remount"
+    - source: salt://{{ slsdotpath }}/files/server/rc.local.d/50-qubes-builder.rc
+    - user: root
+    - group: root
+    - mode: '0755'
+    - makedirs: True
 
 {% endif -%}

salt/qubes-builder/files/server/rc.local

@@ -1 +0,0 @@
-mount /builder -o dev,suid,remount

salt/qubes-builder/files/server/rc.local.d/50-qubes-builder.rc

@@ -0,0 +1,7 @@
+#!/bin/sh
+# vim: ft=sh
+# SPDX-FileCopyrightText: 2023 The Qubes OS Project <https://www.qubes-os.org>
+#
+# SPDX-License-Identifier: GPL-2.0-only
+
+mount /builder -o dev,suid,remount

salt/sys-cacher/configure-browser.sls

@@ -7,9 +7,13 @@ SPDX-License-Identifier: AGPL-3.0-or-later
 {% if grains['nodename'] != 'dom0' %}
 
 "{{ slsdotpath }}-browser-rc.local":
-  file.append:
+  file.managed:
-    - name: /rw/config/rc.local
+    - name: /rw/config/rc.local.d/50-sys-cacher.rc
-    - text: "qvm-connect-tcp 8082:@default:8082"
+    - source: salt://{{ slsdotpath }}/files/browser/rc.local.d/50-sys-cacher.rc
+    - mode: '0755'
+    - user: root
+    - group: root
+    - makedirs: True
 
 "{{ slsdotpath }}-browser-desktop-application":
   file.managed:

salt/sys-cacher/configure.sls

@@ -10,24 +10,28 @@ include:
   - dotfiles.copy-x11
 
 "{{ slsdotpath }}-install-rc.local":
-  file.append:
+  file.managed:
-    - name: /rw/config/rc.local
+    - name: /rw/config/rc.local.d/50-sys-cacher.rc
-    - text: |
+    - source: salt://{{ slsdotpath }}/files/server/rc.local.d/50-sys-cacher.rc
-        chown -R apt-cacher-ng:apt-cacher-ng /var/log/apt-cacher-ng
+    - mode: '0755'
-        chown -R apt-cacher-ng:apt-cacher-ng /var/cache/apt-cacher-ng
+    - user: root
-        systemctl unmask qubes-apt-cacher-ng
+    - group: root
-        systemctl --no-block restart qubes-apt-cacher-ng
+    - makedirs: True
-        nft 'insert rule ip filter INPUT tcp dport 8082 counter accept'
 
-"{{ slsdotpath }}-install-qubes-firewall-user-script":
+"{{ slsdotpath }}-install-qubes-firewall":
-  file.append:
+  file.managed:
-    - name: /rw/config/qubes-firewall-user-script
+    - name: /rw/config/qubes-firewall.d/50-sys-cacher
-    - text: nft 'insert rule ip filter INPUT tcp dport 8082 counter accept'
+    - source: salt://{{ slsdotpath }}/files/server/qubes-firewall.d/50-sys-cacher
+    - mode: '0755'
+    - user: root
+    - group: root
+    - makedirs: True
 
 "{{ slsdotpath }}-bind-dirs":
   file.managed:
-    - name: /rw/config/qubes-bind-dirs.d/50_cacher.conf
+    - name: /rw/config/qubes-bind-dirs.d/50-sys-cacher.conf
-    - source: salt://{{ slsdotpath }}/files/server/bind-dirs/50_cacher.conf
+    - source: salt://{{ slsdotpath }}/files/server/qubes-bind-dirs.d/50-sys-cacher.conf
+    - mode: '0644'
     - user: root
     - group: root
     - makedirs: True

salt/sys-cacher/files/browser/rc.local.d/50-sys-cacher.rc

@@ -0,0 +1,7 @@
+#!/bin/sh
+# vim: ft=sh
+# SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+qvm-connect-tcp 8082:@default:8082

salt/sys-cacher/files/server/lib-qubes-bind-dirs.d/50-sys-cacher.conf

@@ -0,0 +1,9 @@
+#!/bin/bash
+
+# SPDX-FileCopyrightText: 2023 unman <unman@thirdeyesecurity.org>
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+binds+=( '/etc/anacrontab' )
+
+# vim: ft=bash

salt/sys-cacher/files/server/qubes-firewall.d/50-sys-cacher

@@ -0,0 +1,7 @@
+#!/bin/sh
+# vim: ft=sh
+# SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+nft 'insert rule ip filter INPUT tcp dport 8082 counter accept'

salt/sys-cacher/files/server/rc.local.d/50-sys-cacher.rc

@@ -0,0 +1,11 @@
+#!/bin/sh
+# vim: ft=sh
+# SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+chown -R apt-cacher-ng:apt-cacher-ng /var/log/apt-cacher-ng
+chown -R apt-cacher-ng:apt-cacher-ng /var/cache/apt-cacher-ng
+systemctl unmask qubes-apt-cacher-ng
+systemctl --no-block restart qubes-apt-cacher-ng
+nft 'insert rule ip filter INPUT tcp dport 8082 counter accept'

salt/sys-cacher/install.sls

@@ -87,10 +87,13 @@ SPDX-License-Identifier: AGPL-3.0-or-later
     - user: root
     - group: root
 
-"{{ slsdotpath }}-qubes-bind-dirs":
+"{{ slsdotpath }}-lib-qubes-bind-dirs":
-  file.append:
+  file.managed:
-    - name: /usr/lib/qubes-bind-dirs.d/30_cron.conf
+    - name: /usr/lib/qubes-bind-dirs.d/50-sys-cacher.conf
-    - text: "binds+=( ' /etc/anacrontab' )"
+    - source: salt://{{ slsdotpath }}/files/server/lib-qubes-bind-dirs.d/50-sys-cacher.conf
+    - mode: '0644'
+    - user: root
+    - group: root
 
 "{{ slsdotpath }}-acng.conf":
   file.managed:

salt/sys-pihole/configure-browser.sls

@@ -7,10 +7,14 @@ SPDX-License-Identifier: AGPL-3.0-or-later
 
 {% if grains['nodename'] != 'dom0' %}
 
-"{{ slsdotpath }}-browser-rc.local":
+"{{ slsdotpath }}-browser-auto-tcp-connect":
-  file.append:
+  file.managed:
-    - name: /rw/config/rc.local
+    - name: /rw/config/rc.local.d/50-sys-pihole.rc
-    - text: "qvm-connect-tcp 80:@default:80"
+    - source: salt://{{ slsdotpath }}/files/browser/rc.local.d/50-sys-pihole.rc
+    - mode: '0755'
+    - user: root
+    - group: root
+    - makedirs: True
 
 "{{ slsdotpath }}-browser-desktop-application":
   file.managed:

salt/sys-pihole/files/browser/rc.local.d/50-sys-pihole.rc

@@ -0,0 +1,7 @@
+#!/bin/sh
+# vim: ft=sh
+# SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+qvm-connect-tcp 80:@default:80

salt/sys-rsync/configure.sls

@@ -9,9 +9,13 @@ include:
   - dev.home-cleanup
 
 "{{ slsdotpath }}-start-rsync-on-boot":
-  file.append:
+  file.managed:
-    - name: /rw/config/rc.local
+    - name: /rw/config/rc.local.d/50-sys-rsync.rc
-    - source: salt://{{ slsdotpath }}/files/server/rc.local
+    - source: salt://{{ slsdotpath }}/files/server/rc.local.d/50-sys-rsync.rc
+    - mode: '0755'
+    - user: root
+    - group: root
+    - makedirs: True
 
 "{{ slsdotpath }}-creates-local-rsync-configuration-dir":
   file.directory:

salt/sys-rsync/files/server/rc.local

@@ -1,2 +0,0 @@
-systemctl unmask rsync
-systemctl --no-block restart rsync

salt/sys-rsync/files/server/rc.local.d/50-sys-rsync.rc

@@ -0,0 +1,8 @@
+#!/bin/sh
+# vim: ft=sh
+# SPDX-FileCopyrightText: 2022 unman <unman@thirdeyesecurity.org>
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+systemctl unmask rsync
+systemctl --no-block restart rsync

salt/sys-ssh/configure.sls

@@ -11,9 +11,13 @@ include:
   - dev.home-cleanup
 
 "{{ slsdotpath }}-start-ssh-on-boot":
-  file.append:
+  file.managed:
-    - name: /rw/config/rc.local
+    - name: /rw/config/rc.local.d/50-sys-ssh.rc
-    - source: salt://{{ slsdotpath }}/files/server/rc.local
+    - source: salt://{{ slsdotpath }}/files/server/rc.local.d/50-sys-ssh.rc
+    - mode: '0755'
+    - user: root
+    - group: root
+    - makedirs: True
 
 "{{ slsdotpath }}-creates-home-ssh-dir":
   file.directory:

salt/sys-ssh/files/server/rc.local

@@ -1,2 +0,0 @@
-systemctl unmask ssh
-systemctl --no-block restart ssh

salt/sys-ssh/files/server/rc.local.d/50-sys-ssh.rc

@@ -0,0 +1,8 @@
+#!/bin/sh
+# vim: ft=sh
+# SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+systemctl unmask ssh
+systemctl --no-block restart ssh

salt/sys-syncthing/cancel.sls

@@ -5,8 +5,5 @@ SPDX-License-Identifier: AGPL-3.0-or-later
 #}
 
 "{{ slsdotpath }}-remove-service-from-rc.local":
-  file.replace:
+  file.absent:
-    - name: /rw/config/rc.local
+    - name: /rw/config/rc.local.d/50-sys-syncthing.rc
-    - pattern: 'systemctl.*unmask.*syncthing@user.service'
-    - repl: ''
-    - backup: False

salt/sys-syncthing/configure-browser.sls

@@ -7,9 +7,14 @@ SPDX-License-Identifier: AGPL-3.0-or-later
 {% if grains['nodename'] != 'dom0' %}
 
 "{{ slsdotpath }}-browser-rc.local":
-  file.append:
+  file.managed:
-    - name: /rw/config/rc.local
+    - name: /rw/config/rc.local.d/50-sys-syncthing.rc
-    - text: "qvm-connect-tcp 8384:@default:8384"
+    - source: salt://{{ slsdotpath }}/files/browser/rc.local.d/50-sys-syncthing.rc
+    - mode: '0755'
+    - user: root
+    - group: root
+    - makedirs: True
+
 
 "{{ slsdotpath }}-browser-desktop-application":
   file.managed:

salt/sys-syncthing/configure.sls

@@ -5,9 +5,11 @@ SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
 SPDX-License-Identifier: AGPL-3.0-or-later
 #}
 
-"{{ slsdotpath }}-append-to-rc.local":
+"{{ slsdotpath }}-rc.local":
-  file.append:
+  file.managed:
-    - name: /rw/config/rc.local
+    - name: /rw/config/rc.local.d/50-sys-syncthing.rc
-    - text: |
+    - source: salt://{{ slsdotpath }}/files/XXXXXXXXXXX/rc.local.d/50-sys-syncthing.rc
-        systemctl unmask syncthing@user.service
+    - mode: '0755'
-        systemctl --no-block restart  syncthing@user.service
+    - user: root
+    - group: root
+    - makedirs: True

salt/sys-syncthing/files/browser/rc.local.d/50-sys-syncthing.rc

@@ -0,0 +1,7 @@
+#!/bin/sh
+# vim: ft=sh
+# SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+qvm-connect-tcp 8384:@default:8384

salt/sys-syncthing/files/server/rc.local.d/50-sys-syncthing.rc

@@ -0,0 +1,8 @@
+#!/bin/sh
+# vim: ft=sh
+# SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+systemctl unmask syncthing@user.service
+systemctl --no-block restart syncthing@user.service

salt/sys-wireguard/configure.sls

@@ -14,37 +14,42 @@ SPDX-License-Identifier: AGPL-3.0-or-later
     - makedirs: True
 
 "{{ slsdotpath }}-rc.local":
-  file.append:
-    - name: /rw/config/rc.local
-    - text: wg-quick up /rw/config/vpn/wireguard.conf
-
-"{{ slsdotpath }}-add-config.sh":
   file.managed:
-    - name: /home/user/add-config.sh
+    - name: /rw/config/rc.local.d/50-sys-wireguard.rc
-    - source: salt://{{ slsdotpath }}/files/server/add-config.sh
+    - source: salt://{{ slsdotpath }}/files/server/rc.local.d/50-sys-wireguard.rc
+    - user: root
+    - group: root
+    - mode: '0755'
+    - makedirs: True
+
+"{{ slsdotpath }}-wg-conf.sh":
+  file.managed:
+    - name: /home/user/wg-conf.sh
+    - source: salt://{{ slsdotpath }}/files/server/wg-conf.sh
+    - mode: '0755'
     - user: user
     - group: user
-    - mode: '0755'
+    - makedirs: True
-    - replace: True
 
-"{{ slsdotpath }}-qubes-firewall-user-script":
+"{{ slsdotpath }}-firewall-filter":
-  file.append:
+  file.managed:
-    - name: /rw/config/qubes-firewall-user-script
+    - name: /rw/config/qubes-firewall.d/60-sys-wireguard-filter
-    - text:
+    - source: salt://{{ slsdotpath }}/files/server/qubes-firewall.d/60-sys-wireguard-filter
-      - nft insert rule filter FORWARD tcp flags syn tcp option maxseg size set rt mtu
+    - mode: '0755'
-      - nft insert rule filter FORWARD oifname eth0 drop
+    - user: root
-      - nft insert rule filter FORWARD iifname eth0 drop
+    - group: root
+    - makedirs: True
 
 "{{ slsdotpath }}-firewall-flush":
   file.managed:
     - name: /rw/config/network-hooks.d/flush.sh
     - source: salt://{{ slsdotpath }}/files/server/flush.sh
+    - mode: '0755'
     - user: root
     - group: root
     - makedirs: True
-    - mode: '0755'
 
-"{{ slsdotpath }}-set-firewall-flush-rules":
+"{{ slsdotpath }}-firewall-flush-rules":
   file.managed:
     - name: /rw/config/network-hooks.d/flush
     - source: salt://{{ slsdotpath }}/files/server/flush

salt/sys-wireguard/files/server/qubes-firewall.d/60-sys-wireguard-filter

@@ -0,0 +1,10 @@
+#!/usr/bin/nft -f
+
+# SPDX-FileCopyrightText: 2022 unman <unman@thirdeyesecurity.org>
+# SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+insert rule filter FORWARD tcp flags syn tcp option maxseg size set rt mtu
+insert rule filter FORWARD oifname eth0 drop
+insert rule filter FORWARD iifname eth0 drop

salt/sys-wireguard/files/server/rc.local.d/50-sys-wireguard.rc

@@ -0,0 +1,7 @@
+#!/bin/sh
+# vim: ft=sh
+# SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+wg-quick up /rw/config/vpn/wireguard.conf