refactor: move appended states to drop-in rc.local

Ben Grande 2023-12-19 22:50:59 +01:00
parent 0751aff4b5
commit b4d142b640
38 changed files with 237 additions and 86 deletions


@ -8,11 +8,12 @@ SPDX-License-Identifier: AGPL-3.0-or-later
"{{ slsdotpath }}-minion-start-sshd":
file.managed:
- name: /rw/config/rc.local
- source: salt://{{ slsdotpath }}/files/client/rc.local
- name: /rw/config/rc.local.d/50-ansible.rc
- source: salt://{{ slsdotpath }}/files/client/rc.local.d/50-ansible.rc
- mode: '0755'
- user: root
- group: root
- makedirs: True
"{{ slsdotpath }}-minion-ssh-authorized_keys":
file.touch:
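Review bot: The state keeps its id but now only manages `/rw/config/rc.local.d/50-ansible.rc` and no longer touches `/rw/config/rc.local`, so a qube provisioned by the earlier version keeps the old rc.local content and runs the ssh unmask/start twice at boot (once from rc.local, once from the drop-in); nothing in the commit migrates that. The same leftover applies to every rc.local `file.append`/`file.managed` swapped for a drop-in here (the ssh-over-qrexec, docker, qubes-builder, sys-cacher, sys-pihole, sys-rsync, sys-ssh and sys-syncthing hunks) and to the renamed bind-dirs files (`builder.conf`, `50_cacher.conf`), which stay behind next to their replacements. A one-off transitional state — a `file.replace` scrubbing the previously appended lines from `/rw/config/rc.local`, or at least a comment naming the leftover — would let already-deployed qubes converge. Whether a drop-in is executed at all depends on the qube's rc.local iterating `rc.local.d/*.rc`, which I believe only newer Qubes agent releases do; a comment stating the minimum supported release would save the next reader a surprise.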


@ -8,11 +8,12 @@ SPDX-License-Identifier: AGPL-3.0-or-later
"{{ slsdotpath }}-autostart-ssh-over-qrexec":
file.managed:
- name: /rw/config/rc.local
- source: salt://{{ slsdotpath }}/files/server/rc.local
- name: /rw/config/rc.local.d/50-ansible.rc
- source: salt://{{ slsdotpath }}/files/server/rc.local.d/50-ansible.rc
- mode: '0755'
- user: root
- group: root
- makedirs: True
"{{ slsdotpath }}-ssh-config":
file.managed:


@ -1,2 +0,0 @@
systemctl unmask ssh
systemctl --no-block start ssh


@ -0,0 +1,8 @@
#!/bin/sh
# vim: ft=sh
# SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
#
# SPDX-License-Identifier: AGPL-3.0-or-later
systemctl unmask ssh
systemctl --no-block start ssh


@ -1 +0,0 @@
qvm-connect-tcp 22000:@default:22


@ -0,0 +1,7 @@
#!/bin/sh
# vim: ft=sh
# SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
#
# SPDX-License-Identifier: AGPL-3.0-or-later
qvm-connect-tcp 22000:@default:22


@ -7,11 +7,12 @@ SPDX-License-Identifier: AGPL-3.0-or-later
{% if grains['nodename'] != 'dom0' -%}
"{{ slsdotpath }}-rc.local":
file.append:
- name: /rw/config/rc.local
- text: |
usermod -aG docker user
systemctl unmask docker
systemctl --no-block restart docker
file.managed:
- name: /rw/config/rc.local.d/50-docker.rc
- source: salt://{{ slsdotpath }}/files/client/rc.local.d/50-docker.rc
- mode: '0755'
- user: root
- group: root
- makedirs: True
{% endif -%}


@ -0,0 +1,9 @@
#!/bin/sh
# vim: ft=sh
# SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
#
# SPDX-License-Identifier: AGPL-3.0-or-later
usermod -aG docker user
systemctl unmask docker
systemctl --no-block restart docker
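Review bot: `usermod -aG docker user` on the first command line grants `user` membership in the docker group, which is effectively root-equivalent inside the qube, and the script re-applies it on every boot without saying why; a why-comment would keep the next maintainer from "cleaning it up": `# docker group is root-equivalent in the qube; re-added each boot because /etc/group lives in the template root — confirm`. The `systemctl unmask docker` line likewise assumes the template ships the unit masked; `# unit is masked in the template by default — confirm` would document that assumption.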


@ -31,16 +31,20 @@ include:
"{{ slsdotpath }}-executor-bind-dirs":
file.managed:
- name: /rw/config/qubes-bind-dirs.d/builder.conf
- source: salt://{{ slsdotpath }}/files/server/builder.conf
- name: /rw/config/qubes-bind-dirs.d/50-qubes-builder.conf
- source: salt://{{ slsdotpath }}/files/server/qubes-bind-dirs.d/50-qubes-builder.conf
- user: root
- group: root
- mode: '0644'
- makedirs: True
"{{ slsdotpath }}-executor-rc.local":
file.append:
- name: /rw/config/rc.local
- text: "mount /builder -o dev,suid,remount"
file.managed:
- name: /rw/config/rc.local.d/50-qubes-builder.rc
- source: salt://{{ slsdotpath }}/files/server/rc.local.d/50-qubes-builder.rc
- user: root
- group: root
- mode: '0755'
- makedirs: True
{% endif -%}


@ -1 +0,0 @@
mount /builder -o dev,suid,remount


@ -0,0 +1,7 @@
#!/bin/sh
# vim: ft=sh
# SPDX-FileCopyrightText: 2023 The Qubes OS Project <https://www.qubes-os.org>
#
# SPDX-License-Identifier: GPL-2.0-only
mount /builder -o dev,suid,remount
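Review bot: `mount /builder -o dev,suid,remount` re-enables device nodes and setuid execution on the persistent `/builder` bind mount, which widens the attack surface of a directory the builder writes to, and the file gives no reason for it. Suggest a comment above the line, e.g. `# qubes-builder needs dev/suid inside /builder (chroot-based package builds) — TODO confirm the exact requirement`, so the relaxation is not copied elsewhere by habit. This file also carries a different license and copyright holder from the sibling drop-ins; presumably intentional because the line originates from the Qubes project, but worth a check.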


@ -7,9 +7,13 @@ SPDX-License-Identifier: AGPL-3.0-or-later
{% if grains['nodename'] != 'dom0' %}
"{{ slsdotpath }}-browser-rc.local":
file.append:
- name: /rw/config/rc.local
- text: "qvm-connect-tcp 8082:@default:8082"
file.managed:
- name: /rw/config/rc.local.d/50-sys-cacher.rc
- source: salt://{{ slsdotpath }}/files/browser/rc.local.d/50-sys-cacher.rc
- mode: '0755'
- user: root
- group: root
- makedirs: True
"{{ slsdotpath }}-browser-desktop-application":
file.managed:


@ -10,24 +10,28 @@ include:
- dotfiles.copy-x11
"{{ slsdotpath }}-install-rc.local":
file.append:
- name: /rw/config/rc.local
- text: |
chown -R apt-cacher-ng:apt-cacher-ng /var/log/apt-cacher-ng
chown -R apt-cacher-ng:apt-cacher-ng /var/cache/apt-cacher-ng
systemctl unmask qubes-apt-cacher-ng
systemctl --no-block restart qubes-apt-cacher-ng
nft 'insert rule ip filter INPUT tcp dport 8082 counter accept'
file.managed:
- name: /rw/config/rc.local.d/50-sys-cacher.rc
- source: salt://{{ slsdotpath }}/files/server/rc.local.d/50-sys-cacher.rc
- mode: '0755'
- user: root
- group: root
- makedirs: True
"{{ slsdotpath }}-install-qubes-firewall-user-script":
file.append:
- name: /rw/config/qubes-firewall-user-script
- text: nft 'insert rule ip filter INPUT tcp dport 8082 counter accept'
"{{ slsdotpath }}-install-qubes-firewall":
file.managed:
- name: /rw/config/qubes-firewall.d/50-sys-cacher
- source: salt://{{ slsdotpath }}/files/server/qubes-firewall.d/50-sys-cacher
- mode: '0755'
- user: root
- group: root
- makedirs: True
"{{ slsdotpath }}-bind-dirs":
file.managed:
- name: /rw/config/qubes-bind-dirs.d/50_cacher.conf
- source: salt://{{ slsdotpath }}/files/server/bind-dirs/50_cacher.conf
- name: /rw/config/qubes-bind-dirs.d/50-sys-cacher.conf
- source: salt://{{ slsdotpath }}/files/server/qubes-bind-dirs.d/50-sys-cacher.conf
- mode: '0644'
- user: root
- group: root
- makedirs: True


@ -0,0 +1,7 @@
#!/bin/sh
# vim: ft=sh
# SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
#
# SPDX-License-Identifier: AGPL-3.0-or-later
qvm-connect-tcp 8082:@default:8082


@ -0,0 +1,9 @@
#!/bin/bash
# SPDX-FileCopyrightText: 2023 unman <unman@thirdeyesecurity.org>
#
# SPDX-License-Identifier: AGPL-3.0-or-later
binds+=( '/etc/anacrontab' )
# vim: ft=bash
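Review bot: The modeline sits on the last line, while every other file added in this commit places it directly under the shebang; move `# vim: ft=bash` up for consistency. The sls installs this file with mode `0644`, so the `#!/bin/bash` line is informative only and the file is presumably sourced by the bind-dirs machinery rather than executed — a one-line comment such as `# sourced by qubes-bind-dirs; extends the binds array — confirm` would make that explicit.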


@ -0,0 +1,7 @@
#!/bin/sh
# vim: ft=sh
# SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
#
# SPDX-License-Identifier: AGPL-3.0-or-later
nft 'insert rule ip filter INPUT tcp dport 8082 counter accept'


@ -0,0 +1,11 @@
#!/bin/sh
# vim: ft=sh
# SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
#
# SPDX-License-Identifier: AGPL-3.0-or-later
chown -R apt-cacher-ng:apt-cacher-ng /var/log/apt-cacher-ng
chown -R apt-cacher-ng:apt-cacher-ng /var/cache/apt-cacher-ng
systemctl unmask qubes-apt-cacher-ng
systemctl --no-block restart qubes-apt-cacher-ng
nft 'insert rule ip filter INPUT tcp dport 8082 counter accept'
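Review bot: The last line of this drop-in inserts the same `dport 8082` accept rule that the new `qubes-firewall.d/50-sys-cacher` script in this commit inserts, so the rule is added at least twice per boot; `insert rule` is not idempotent, and if the firewall hook is re-run on every firewall reload (as I believe qubes-firewall.d scripts are) each reload stacks another copy. Drop the `nft` line here and let the firewall hook be the single owner, leaving a pointer such as `# firewall rule lives in /rw/config/qubes-firewall.d/50-sys-cacher`. The match is on `INPUT` with no interface qualifier, so it also accepts on the upstream interface; if only downstream qubes should reach the cacher, an `iifname "vif*"` match would narrow it — confirm the intended exposure.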


@ -87,10 +87,13 @@ SPDX-License-Identifier: AGPL-3.0-or-later
- user: root
- group: root
"{{ slsdotpath }}-qubes-bind-dirs":
file.append:
- name: /usr/lib/qubes-bind-dirs.d/30_cron.conf
- text: "binds+=( ' /etc/anacrontab' )"
"{{ slsdotpath }}-lib-qubes-bind-dirs":
file.managed:
- name: /usr/lib/qubes-bind-dirs.d/50-sys-cacher.conf
- source: salt://{{ slsdotpath }}/files/server/lib-qubes-bind-dirs.d/50-sys-cacher.conf
- mode: '0644'
- user: root
- group: root
"{{ slsdotpath }}-acng.conf":
file.managed:
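Review bot: Replacing the `file.append` with a managed `50-sys-cacher.conf` leaves the line previously appended to `/usr/lib/qubes-bind-dirs.d/30_cron.conf` in place on templates that already received it, and that line carried a stray leading space in the path (`' /etc/anacrontab'`), so those templates keep a bind entry that can never match. A transitional state would clean it up, e.g. `file.replace:` with `- name: /usr/lib/qubes-bind-dirs.d/30_cron.conf`, `- pattern: "^binds\\+=\\( ' /etc/anacrontab' \\)\\n"` and `- repl: ''`; alternatively note the leftover in a comment so it is cleaned up when 30_cron.conf is next touched.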


@ -7,10 +7,14 @@ SPDX-License-Identifier: AGPL-3.0-or-later
{% if grains['nodename'] != 'dom0' %}
"{{ slsdotpath }}-browser-rc.local":
file.append:
- name: /rw/config/rc.local
- text: "qvm-connect-tcp 80:@default:80"
"{{ slsdotpath }}-browser-auto-tcp-connect":
file.managed:
- name: /rw/config/rc.local.d/50-sys-pihole.rc
- source: salt://{{ slsdotpath }}/files/browser/rc.local.d/50-sys-pihole.rc
- mode: '0755'
- user: root
- group: root
- makedirs: True
"{{ slsdotpath }}-browser-desktop-application":
file.managed:


@ -0,0 +1,7 @@
#!/bin/sh
# vim: ft=sh
# SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
#
# SPDX-License-Identifier: AGPL-3.0-or-later
qvm-connect-tcp 80:@default:80


@ -9,9 +9,13 @@ include:
- dev.home-cleanup
"{{ slsdotpath }}-start-rsync-on-boot":
file.append:
- name: /rw/config/rc.local
- source: salt://{{ slsdotpath }}/files/server/rc.local
file.managed:
- name: /rw/config/rc.local.d/50-sys-rsync.rc
- source: salt://{{ slsdotpath }}/files/server/rc.local.d/50-sys-rsync.rc
- mode: '0755'
- user: root
- group: root
- makedirs: True
"{{ slsdotpath }}-creates-local-rsync-configuration-dir":
file.directory:


@ -1,2 +0,0 @@
systemctl unmask rsync
systemctl --no-block restart rsync


@ -0,0 +1,8 @@
#!/bin/sh
# vim: ft=sh
# SPDX-FileCopyrightText: 2022 unman <unman@thirdeyesecurity.org>
#
# SPDX-License-Identifier: AGPL-3.0-or-later
systemctl unmask rsync
systemctl --no-block restart rsync


@ -11,9 +11,13 @@ include:
- dev.home-cleanup
"{{ slsdotpath }}-start-ssh-on-boot":
file.append:
- name: /rw/config/rc.local
- source: salt://{{ slsdotpath }}/files/server/rc.local
file.managed:
- name: /rw/config/rc.local.d/50-sys-ssh.rc
- source: salt://{{ slsdotpath }}/files/server/rc.local.d/50-sys-ssh.rc
- mode: '0755'
- user: root
- group: root
- makedirs: True
"{{ slsdotpath }}-creates-home-ssh-dir":
file.directory:


@ -1,2 +0,0 @@
systemctl unmask ssh
systemctl --no-block restart ssh


@ -0,0 +1,8 @@
#!/bin/sh
# vim: ft=sh
# SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
#
# SPDX-License-Identifier: AGPL-3.0-or-later
systemctl unmask ssh
systemctl --no-block restart ssh


@ -5,8 +5,5 @@ SPDX-License-Identifier: AGPL-3.0-or-later
#}
"{{ slsdotpath }}-remove-service-from-rc.local":
file.replace:
- name: /rw/config/rc.local
- pattern: 'systemctl.*unmask.*syncthing@user.service'
- repl: ''
- backup: False
file.absent:
- name: /rw/config/rc.local.d/50-sys-syncthing.rc
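Review bot: `file.absent` on `/rw/config/rc.local.d/50-sys-syncthing.rc` only undoes the new drop-in; the `file.replace` that scrubbed `systemctl.*unmask.*syncthing@user.service` from `/rw/config/rc.local` is removed, so on qubes provisioned before this commit the remove state reports success while rc.local still unmasks and restarts the service at boot. Keep the old `file.replace` under a second id (e.g. `"{{ slsdotpath }}-remove-service-from-legacy-rc.local"`) next to the `file.absent` for a transition period, and widen its pattern to also match the `systemctl --no-block restart syncthing@user.service` line, which the old pattern never covered.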


@ -7,9 +7,14 @@ SPDX-License-Identifier: AGPL-3.0-or-later
{% if grains['nodename'] != 'dom0' %}
"{{ slsdotpath }}-browser-rc.local":
file.append:
- name: /rw/config/rc.local
- text: "qvm-connect-tcp 8384:@default:8384"
file.managed:
- name: /rw/config/rc.local.d/50-sys-syncthing.rc
- source: salt://{{ slsdotpath }}/files/browser/rc.local.d/50-sys-syncthing.rc
- mode: '0755'
- user: root
- group: root
- makedirs: True
"{{ slsdotpath }}-browser-desktop-application":
file.managed:


@ -5,9 +5,11 @@ SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
SPDX-License-Identifier: AGPL-3.0-or-later
#}
"{{ slsdotpath }}-append-to-rc.local":
file.append:
- name: /rw/config/rc.local
- text: |
systemctl unmask syncthing@user.service
systemctl --no-block restart syncthing@user.service
"{{ slsdotpath }}-rc.local":
file.managed:
- name: /rw/config/rc.local.d/50-sys-syncthing.rc
- source: salt://{{ slsdotpath }}/files/XXXXXXXXXXX/rc.local.d/50-sys-syncthing.rc
- mode: '0755'
- user: root
- group: root
- makedirs: True
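Review bot: The `source` of the `-rc.local` state still contains a placeholder path segment, `salt://{{ slsdotpath }}/files/XXXXXXXXXXX/rc.local.d/50-sys-syncthing.rc`, so applying the state will fail with a missing-source error. Every other install-side state in this commit keeps its drop-in under `files/server/rc.local.d/`, so the line should presumably read `- source: salt://{{ slsdotpath }}/files/server/rc.local.d/50-sys-syncthing.rc` — confirm against the directory the new script was actually added to.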


@ -0,0 +1,7 @@
#!/bin/sh
# vim: ft=sh
# SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
#
# SPDX-License-Identifier: AGPL-3.0-or-later
qvm-connect-tcp 8384:@default:8384


@ -0,0 +1,8 @@
#!/bin/sh
# vim: ft=sh
# SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
#
# SPDX-License-Identifier: AGPL-3.0-or-later
systemctl unmask syncthing@user.service
systemctl --no-block restart syncthing@user.service


@ -14,37 +14,42 @@ SPDX-License-Identifier: AGPL-3.0-or-later
- makedirs: True
"{{ slsdotpath }}-rc.local":
file.append:
- name: /rw/config/rc.local
- text: wg-quick up /rw/config/vpn/wireguard.conf
"{{ slsdotpath }}-add-config.sh":
file.managed:
- name: /home/user/add-config.sh
- source: salt://{{ slsdotpath }}/files/server/add-config.sh
- name: /rw/config/rc.local.d/50-sys-wireguard.rc
- source: salt://{{ slsdotpath }}/files/server/rc.local.d/50-sys-wireguard.rc
- user: root
- group: root
- mode: '0755'
- makedirs: True
"{{ slsdotpath }}-wg-conf.sh":
file.managed:
- name: /home/user/wg-conf.sh
- source: salt://{{ slsdotpath }}/files/server/wg-conf.sh
- mode: '0755'
- user: user
- group: user
- mode: '0755'
- replace: True
- makedirs: True
"{{ slsdotpath }}-qubes-firewall-user-script":
file.append:
- name: /rw/config/qubes-firewall-user-script
- text:
- nft insert rule filter FORWARD tcp flags syn tcp option maxseg size set rt mtu
- nft insert rule filter FORWARD oifname eth0 drop
- nft insert rule filter FORWARD iifname eth0 drop
"{{ slsdotpath }}-firewall-filter":
file.managed:
- name: /rw/config/qubes-firewall.d/60-sys-wireguard-filter
- source: salt://{{ slsdotpath }}/files/server/qubes-firewall.d/60-sys-wireguard-filter
- mode: '0755'
- user: root
- group: root
- makedirs: True
"{{ slsdotpath }}-firewall-flush":
file.managed:
- name: /rw/config/network-hooks.d/flush.sh
- source: salt://{{ slsdotpath }}/files/server/flush.sh
- mode: '0755'
- user: root
- group: root
- makedirs: True
- mode: '0755'
"{{ slsdotpath }}-set-firewall-flush-rules":
"{{ slsdotpath }}-firewall-flush-rules":
file.managed:
- name: /rw/config/network-hooks.d/flush
- source: salt://{{ slsdotpath }}/files/server/flush


@ -0,0 +1,10 @@
#!/usr/bin/nft -f
# SPDX-FileCopyrightText: 2022 unman <unman@thirdeyesecurity.org>
# SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
#
# SPDX-License-Identifier: AGPL-3.0-or-later
insert rule filter FORWARD tcp flags syn tcp option maxseg size set rt mtu
insert rule filter FORWARD oifname eth0 drop
insert rule filter FORWARD iifname eth0 drop
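Review bot: The three `insert rule` lines are prepended to `filter FORWARD` every time this hook runs and `insert rule` is not idempotent, so if qubes-firewall.d scripts are re-executed on each firewall reload (as I believe they are) the MSS clamp and the two eth0 drops accumulate duplicate copies; either confirm the hook runs exactly once per boot, or move the rules into a dedicated chain the script flushes before re-adding them. The rules are also `ip`-family only, so if IPv6 is enabled in this qube the eth0 kill-switch does not cover IPv6 forwarding — add the `ip6` equivalents or confirm IPv6 is disabled. A comment stating the intent would help readers who do not know the wireguard setup: `# kill switch: client traffic must never be forwarded via eth0, only via the wg interface — confirm`.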


@ -0,0 +1,7 @@
#!/bin/sh
# vim: ft=sh
# SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
#
# SPDX-License-Identifier: AGPL-3.0-or-later
wg-quick up /rw/config/vpn/wireguard.conf