diff --git a/salt/mirage-builder/create.sls b/salt/mirage-builder/create.sls
index ed3438a..7b37a8c 100644
--- a/salt/mirage-builder/create.sls
+++ b/salt/mirage-builder/create.sls
@@ -26,8 +26,6 @@ prefs:
 - autostart: False
 - include_in_backups: True
 features:
-- enable:
- - service.split-gpg2-client
 - disable:
 - service.cups
 - service.cups-browsed
diff --git a/salt/mutt/create.sls b/salt/mutt/create.sls
index 7652934..ab1f152 100644
--- a/salt/mutt/create.sls
+++ b/salt/mutt/create.sls
@@ -38,6 +38,7 @@ prefs:
 - autostart: False
 features:
 - enable:
+ - service.split-gpg2-client
 - service.shutdown-idle
 - disable:
 - service.cups
diff --git a/salt/qubes-builder/README.md b/salt/qubes-builder/README.md
index b8767ed..ea38a7c 100644
--- a/salt/qubes-builder/README.md
+++ b/salt/qubes-builder/README.md
@@ -54,8 +54,8 @@ qubesctl --skip-dom0 --targets=qubes-builder state.apply qubes-builder.configure
 ## Access Control
 The policy is based on `qubes-builderv2/rpc/50-qubesbuilder.policy`.
-Extra services added are `qubes.Gpg`, `qubes.Gpg2`, `qusal.GitInit`,
-`qusal.GitFetch`, `qusal.GitPush`, `qusal.SshAgent`.
+Extra services added are `qubes.Gpg2`, `qusal.GitInit`, `qusal.GitFetch`,
+`qusal.GitPush`, `qusal.SshAgent`.
 Out of these services, if an argument `+qubes-builder` can be specified to limit the scope, the action is `allowed`, else the action is to `ask`.
diff --git a/salt/qubes-builder/create.sls b/salt/qubes-builder/create.sls
index e2c1b54..72f2bf6 100644
--- a/salt/qubes-builder/create.sls
+++ b/salt/qubes-builder/create.sls
@@ -51,8 +51,8 @@ prefs:
 - vcpus: 4
 - default_dispvm: dvm-{{ slsdotpath }}
 features:
-# - enable:
-# - service.split-gpg2-client
+- enable:
+ - service.split-gpg2-client
 - disable:
 - service.cups
 - service.cups-browsed
diff --git a/salt/qubes-builder/files/admin/policy/default.policy b/salt/qubes-builder/files/admin/policy/default.policy
index 52f6bd7..a0d669c 100644
--- a/salt/qubes-builder/files/admin/policy/default.policy
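Review bot: The added `- service.split-gpg2-client` line in salt/mutt/create.sls carries no comment naming the policy it depends on, and this diff adds no `qubes.Gpg2` rule scoped to the mutt qube. From the visible files its requests would presumably fall under sys-pgp's catch-all `qubes.Gpg2 * @anyvm @default ask` rule, so the confirmation prompt is what stands between a qube that parses untrusted mail and the keys held in sys-pgp. I would put a comment above the line, `# GnuPG is forwarded to sys-pgp over qubes.Gpg2; keep that rule on 'ask' for this qube`. The features block starts and ends outside the hunk.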
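Review bot: In salt/qubes-builder/create.sls the newly enabled `- service.split-gpg2-client` moves this qube to `qubes.Gpg2`, but the commit only deletes the legacy `qubes.Gpg` rules and leaves nothing that refuses the old service. With `qubes.Gpg * {{ sls_path }} @default ask target=sys-pgp` gone from this formula's default.policy and `qubes.Gpg * @anyvm @anyvm deny` gone from sys-pgp's, a `qubes.Gpg` call is decided by whichever later policy file matches it, which this diff does not show. If the legacy service is meant to be unavailable, keeping an explicit `qubes.Gpg * @anyvm @anyvm deny` in sys-pgp's default.policy would keep that fail-closed; otherwise a sentence in the README saying that `qubes.Gpg` now follows the system default would do. The features block starts and ends outside the hunk.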
+++ b/salt/qubes-builder/files/admin/policy/default.policy
@@ -5,7 +5,6 @@
 ## Do not modify this file, create a new policy with with a lower number in the
 ## file name instead. For example `30-user.policy`.
 qubes.Gpg2 * {{ sls_path }} @default ask target=sys-pgp
-qubes.Gpg * {{ sls_path }} @default ask target=sys-pgp
 qusal.GitInit +qubes-builder {{ sls_path }} @default allow target=sys-git
 qusal.GitFetch +qubes-builder {{ sls_path }} @default allow target=sys-git
diff --git a/salt/sys-git/create.sls b/salt/sys-git/create.sls
index 103bc25..b7d4450 100644
--- a/salt/sys-git/create.sls
+++ b/salt/sys-git/create.sls
@@ -30,9 +30,6 @@ features:
 - disable:
 - service.cups
 - service.cups-browsed
-# tags:
-# - add:
-# - split-gpg2-client
 {%- endload %}
 {{ load(defaults) }}
diff --git a/salt/sys-pgp/README.md b/salt/sys-pgp/README.md
index 3f4fffa..3ca8f8a 100644
--- a/salt/sys-pgp/README.md
+++ b/salt/sys-pgp/README.md
@@ -53,10 +53,6 @@ Allow the `work` qubes to access `sys-pgp`, but not other qubes:
 qubes.Gpg2 * work sys-pgp ask default_target=sys-pgp
 qubes.Gpg2 * work @default ask target=sys-pgp default_target=sys-pgp
 qubes.Gpg2 * @anyvm @anyvm deny
-
-qubes.Gpg * work sys-pgp ask default_target=sys-pgp
-qubes.Gpg * work @default ask target=sys-pgp default_target=sys-pgp
-qubes.Gpg * @anyvm @anyvm deny
 ```
 ## Usage
diff --git a/salt/sys-pgp/files/admin/policy/default.policy b/salt/sys-pgp/files/admin/policy/default.policy
index d31c00e..187f7bd 100644
--- a/salt/sys-pgp/files/admin/policy/default.policy
+++ b/salt/sys-pgp/files/admin/policy/default.policy
@@ -6,6 +6,4 @@
 ## file name instead. For example `30-user.policy`.
 qubes.Gpg2 * @anyvm @default ask target={{ sls_path }} default_target={{ sls_path }}
 qubes.Gpg2 * @anyvm @anyvm deny
-qubes.Gpg * @anyvm @default ask target={{ sls_path }} default_target={{ sls_path }}
-qubes.Gpg * @anyvm @anyvm deny
 ## vim:ft=qrexecpolicy