Hey ou

Yest you
Aha
You yesah

.editorconfig

@@ -0,0 +1,20 @@
+# SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
+#
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+root = true
+
+[*]
+indent_style = space
+indent_size = 2
+trim_trailing_whitespace = true
+insert_final_newline = true
+charset = utf-8
+end_of_line = lf
+
+[**/git/**/config]
+indent_style = tab
+indent_size = 8
+
+[*.{md,sh,yaml,yml,toml}]
+indent_size = 2

.gitattributes

@@ -0,0 +1,5 @@
+# SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
+#
+# SPDX-License-Identifier: CC0-1.0
+
+* text=auto eol=lf

.gitignore

@@ -1,4 +1,3 @@
-# vim: nospell
 # SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
 #
 # SPDX-License-Identifier: CC0-1.0

.gitlint

@@ -0,0 +1,41 @@
+# vim: ft=toml
+# SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
+#
+# SPDX-License-Identifier: CC0-1.0
+
+[general]
+verbosity=3
+ignore=body-is-missing
+ignore-merge-commits=true
+ignore-revert-commits=true
+ignore-fixup-commits=false
+ignore-fixup-amend-commits=false
+ignore-squash-commits=false
+fail-without-commits=true
+regex-style-search=true
+debug=false
+contrib=contrib-title-conventional-commits,contrib-body-requires-signed-off-by,contrib-allowed-authors
+
+[title-max-length]
+line-length=50
+
+[title-min-length]
+min-length=10
+
+[title-must-not-contain-word]
+words=wip
+
+[body-max-line-length]
+line-length=72
+
+[body-min-length]
+min-length=20
+
+[body-is-missing]
+ignore-merge-commits=false
+
+[ignore-body-lines]
+regex=(^Co-Authored-By)|(^Reported-by)|(^Signed-off-by)
+
+[contrib-title-conventional-commits]
+types = fix,feat,build,chore,ci,doc,style,refactor,perf,test

.pre-commit-config.yaml

@@ -11,8 +11,25 @@ repos:
         entry: scripts/salt-lint.sh
         language: script
         pass_filenames: false
+        description: Lint Salt files
       - id: shellcheck
         name: shellcheck
         entry: scripts/shell-lint.sh
         language: script
         pass_filenames: false
+        description: Lint Shellscripts
+      - id: gitlint
+        name: gitlint
+        language: python
+        additional_dependencies: ["./gitlint-core[trusted-deps]"]
+        entry: gitlint
+        args: [--staged, --msg-filename]
+        stages: [commit-msg]
+        description: Lint Git commits
+      - id: reuse
+        name: reuse
+        entry: reuse
+        args: ["lint"]
+        language: python
+        pass_filenames: false
+        description: Lint files to comply with the REUSE Specification

.pre-commit-hooks.yaml

@@ -1,12 +0,0 @@
-# SPDX-FileCopyrightText: 2020 Liferay, Inc. <https://liferay.com>
-#
-# SPDX-License-Identifier: GPL-3.0-or-later
-
----
-- id: reuse
-  name: reuse
-  entry: reuse
-  args: ["lint"]
-  language: python
-  pass_filenames: false
-  description: "Lint the project for compliance with the REUSE Specification"

.reuse/dep5

@@ -3,10 +3,14 @@ Upstream-Name: qusal
 Upstream-Contact: Benjamin Grande M. S. <ben.grande.b@gmail.com>
 Source: https://github.com/ben-grande/qusal
 
-Files: README.md CONTRIBUTING.md */README.md
+Files: AUTHORS.md CONTRIBUTING.md README.md */README.md
 Copyright: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
 License: CC-BY-SA-4.0
 
+Files: */rc.local
+Copyright: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
+License: GPL-3.0-or-later
+
 Files: qusal/sys-mirage-firewall/files/admin/mirage-firewall.tar.bz2
        qusal/sys-mirage-firewall/files/admin/mirage-firewall.sha256
        qusal/sys-mirage-firewall/files/admin/version.txt

.yamllint

@@ -0,0 +1,25 @@
+# SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
+#
+# SPDX-License-Identifier: GPL-3.0-or-later
+---
+
+extends: 'default'
+
+ignore: |
+  .git/
+
+yaml-files:
+  - '*.yaml'
+  - '*.yml'
+  - .salt-lint
+  - .yamllint
+
+rules:
+  empty-values:
+    forbid-in-block-mappings: true
+    forbid-in-flow-mappings: true
+  octal-values:
+    forbid-implicit-octal: true
+    forbid-explicit-octal: true
+
+# vim: ft=yaml

AUTHORS.md

@@ -0,0 +1 @@
+Ben Grande <ben.grande.b@gmail.com>

CONTRIBUTING.md

@@ -1,7 +1,8 @@
-# Contributing to Qusal
+# Contributing
 
 ## Table of Contents
 
+* [Respect](#respect)
 * [Format](#format)
   * [File naming](#file-naming)
   * [State ID](#state-id)
@@ -9,6 +10,10 @@
   * [Qube naming](#qube-naming)
   * [Qrexec](#qrexec)
 
+## Respect
+
+Be respectful towards peers.
+
 ## Format
 
 ### File naming
@@ -35,7 +40,7 @@
    Table of Contents, Description, Installation, Access Control (if changed
    Qrexec policy), Usage.
 
-### Qube naming
+### Qube preferences
 
 1. Qube name format:
 
@@ -46,24 +51,25 @@
   - DispVM Template (AppVM): `dvm-NAME`
   - Service qubes (not a class): `sys-NAME`
 
-2. Label/Color:
+2. **Label/Color**:
 
-  - *Black* (Ultimately trusted): You must trust Dom0, Templates, Vaults,
+  - **Black** (Ultimately trusted): You must trust Dom0, Templates, Vaults,
     Management qubes, these qubes control your system and hold valuable
     information. Examples: dom0, tpl-ssh, vault, default-mgmt-dvm.
-  - *Gray* (Fully trusted): Trusted storage with extra RPC services that allow
+  - **Gray** (Fully trusted): Trusted storage with extra RPC services that allow
     certain operations to be made by the client and executed on the server or
     may build components for other qubes. Examples: sys-cacher, sys-git,
     sys-pgp, sys-ssh-agent, qubes-builder.
-  - *Purple* (Much trust): Has the ability to manager remote servers via
-    encrypted connections and depend on authorization provided by another qube.
+  - **Purple** (Much trust): Has the ability to manager remote servers via
+    encrypted connections and depend on authorization provided by another
+    qube.
     Examples: ansible, dev, ssh, terraform.
-  - *Blue* (Very trusted): TODO
-  - *Green* (Trusted): TODO
-  - *Yellow* (Relatively trusted): TODO
-  - *Orange* (Slightly trusted): Controls the network flow of data to the
+  - **Blue** (Very trusted): TODO
+  - **Green** (Trusted): TODO
+  - **Yellow** (Relatively trusted): TODO
+  - **Orange** (Slightly trusted): Controls the network flow of data to the
     client, normally a firewall. Examples: sys-firewall, sys-vpn, sys-pihole.
-  - *Red* (Untrusted): Holds untrusted data (PCI devices, untrusted programs,
+  - **Red** (Untrusted): Holds untrusted data (PCI devices, untrusted programs,
     disposables for opening untrusted files or web pages). Examples: sys-net,
     sys-usb, dvm-browser.
 

_modules/qvm_tags.py

@@ -0,0 +1,29 @@
+#!/usr/bin/env python3
+## TOOD: test usability
+
+# SPDX-FileCopyrightText: 2016 Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
+# SPDX-FileCopyrightText: 2019 Brian C. Duggan <https://gist.github.com/bcduggan>
+# SPDX-FileCopyrightText: 2023 Gonzalo Bulnes Guilpain <gon.bulnes@fastmail.com>
+#
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+admin_available = True
+try:
+    import qubesadmin
+    import qubesadmin.vm
+except ImportError:
+    admin_available = False
+
+
+def __virtual__():
+    return admin_available
+
+
+def ext_pillar(minion_id, pillar, *args, **kwargs):
+    app = qubesadmin.Qubes()
+    try:
+        vm = app.domains[minion_id]
+    except KeyError:
+        return {}
+
+    return {'qubes': { 'tags': list(vm.tags) } }

qusal/ansible/files/client/rc.local

@@ -1,8 +1,2 @@
-#!/bin/sh
-
-# SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
-#
-# SPDX-License-Identifier: GPL-3.0-or-later
-
 systemctl unmask ssh
 systemctl --no-block start ssh

qusal/ansible/files/server/rc.local

@@ -1,7 +1 @@
-#!/bin/sh
-
-# SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
-#
-# SPDX-License-Identifier: GPL-3.0-or-later
-
 qvm-connect-tcp 22000:@default:22

qusal/dev/create.sls

@@ -32,6 +32,12 @@ features:
 - disable:
   - service.cups
   - service.cups-browsed
+{% if salt['qvm.exists']('sys-cacher') %}
+tags:
+- add:
+  - sys-cacher-updatevm
+{% endif %}
+{% endif -%}
 {%- endload %}
 {{ load(defaults) }}
 

qusal/dev/install-python-tools.sls

@@ -6,11 +6,11 @@ SPDX-License-Identifier: GPL-3.0-or-later
 
 {% if grains['nodename'] != 'dom0' -%}
 
-"{{ slsdotpath }}-updated-network":
+"{{ slsdotpath }}-updated-python-tools":
   pkg.uptodate:
     - refresh: True
 
-"{{ slsdotpath }}-installed-network":
+"{{ slsdotpath }}-installed-python-tools":
   pkg.installed:
     - refresh: True
     - install_recommends: False

qusal/dev/install-salt-tools.sls

@@ -17,7 +17,6 @@ SPDX-License-Identifier: GPL-3.0-or-later
     - skip_suggestions: True
     - pkgs:
       - python3-pip
-      - yamllint
       - ansible-lint
 
 {% set pkg = {

qusal/dev/install.sls

@@ -7,6 +7,9 @@ SPDX-License-Identifier: GPL-3.0-or-later
 {% if grains['nodename'] != 'dom0' -%}
 
 include:
+  {%- if salt['qvm.exists']('sys-cacher') %}
+  - sys-cacher.install-client
+  {% endif %}
   - .home-cleanup
   - .install-python-tools
   - .install-salt-tools
@@ -26,11 +29,13 @@ include:
     - install_recommends: False
     - skip_suggestions: True
     - pkgs:
+      ## Necessary
       - qubes-core-agent-passwordless-root
       - qubes-core-agent-networking
       - ca-certificates
       - git
       - gnupg2
+      ## Usability
       - tmux
       - xclip
       - bash-completion
@@ -38,11 +43,15 @@ include:
       - texinfo
       - file
       - tree
-      - reuse
-      - pre-commit
-      - gitlint
       - ripgrep
       - fzf
+      ## Lint
+      - pre-commit
+      - precious
+      - reuse
+      - gitlint
+      - pylint
+      - yamllint
 
 {% set pkg = {
     'Debian': {

qusal/docker/install-repo.sls

@@ -0,0 +1,58 @@
+{#
+SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
+
+SPDX-License-Identifier: GPL-3.0-or-later
+#}
+
+{% if grains['nodename'] != 'dom0' -%}
+
+{% from 'utils/macros/install-repo.sls' import install_repo -%}
+{{ install_repo(sls_path, 'docker') }}
+
+"{{ slsdotpath }}-updated":
+  pkg.uptodate:
+    - refresh: True
+
+{% set pkg = {
+    'Debian': {
+      'pkg_removed': ['docker.io', 'docker-doc', 'docker-compose',
+                      'podman-docker', 'containerd', 'runc'],
+    },
+    'RedHat': {
+      'pkg_removed': ['docker', 'docker-client', 'docker-client-latest',
+                      'docker-common', 'docker-latest',
+                      'docker-latest-logrotate', 'docker-logrotate',
+                      'docker-selinux', 'docker-engine-selinux',
+                      'docker-engine'],
+    },
+}.get(grains.os_family) -%}
+
+{#
+"{{ slsdotpath }}-removed-os-specific":
+  pkg.removed:
+    - pkgs: {{ pkg.pkg_removed|sequence|yaml }}
+#}
+
+"{{ slsdotpath }}-installed":
+  pkg.installed:
+    - refresh: True
+    - install_recommends: False
+    - skip_suggestions: True
+    - pkgs:
+      - qubes-core-agent-networking
+      - man-db
+      - docker-ce
+      - docker-ce-cli
+      - containerd.io
+      - docker-buildx-plugin
+      - docker-compose-plugin
+
+"{{ slsdotpath }}-user-in-docker-group":
+  user.present:
+    - name: user
+    - groups:
+      - user
+      - qubes
+      - docker
+
+{% endif -%}

qusal/docker/install-repo.top

@@ -0,0 +1,9 @@
+{#
+SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
+
+SPDX-License-Identifier: GPL-3.0-or-later
+#}
+
+base:
+  'tpl-qubes-builder':
+    - docker.install-repo

qusal/qubes-builder/files/server/rc.local

@@ -1,5 +1 @@
-# SPDX-FileCopyrightText: 2023 The Qubes OS Project <https://www.qubes-os.org>
-#
-# SPDX-License-Identifier: GPL-3.0-or-later
-
 mount /builder -o dev,suid,remount

qusal/ssh/README.md

@@ -42,3 +42,5 @@ The client qube can enhanced by being:
 
 - sys-ssh-agent's client and not storing the SSH keys on the client; or
 - sys-git's client and fetching from qubes and push to remote servers.
+
+The server requires the OpenSSH server to be installed.

qusal/sys-rsync/files/server/rc.local

@@ -1,6 +1,2 @@
-# SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com
-#
-# SPDX-License-Identifier: GPL-3.0-or-later
-
 systemctl unmask rsync
 systemctl --no-block restart rsync

qusal/sys-ssh/README.md

@@ -86,7 +86,7 @@ all. Consult sys-ssh-agent documentation for more information.
 In the client, create SSH keys and copy them to the server:
 ```sh
 ssh-keygen -t ed25519
-qvm-copy .ssh/id_ed25519.pub
+qvm-copy ~/.ssh/id_ed25519.pub
 ```
 
 On the server, create the SSH directory and copy the client key to the

qusal/sys-ssh/files/server/rc.local

@@ -1,6 +1,2 @@
-# SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com
-#
-# SPDX-License-Identifier: GPL-3.0-or-later
-
 systemctl unmask ssh
 systemctl --no-block restart ssh

scripts/shell-lint.sh

@@ -29,14 +29,14 @@ fi
 case "${find_tool}" in
   fd|fdfind)
     # shellcheck disable=2016,2215
-    files="$(${find_tool} . "${group}"/ --hidden --exclude=zsh --type=f \
+    files="$(${find_tool} . scripts/ "${group}"/ --hidden --exclude=zsh --type=f \
               --exec sh -c '
               case $( file -bi "$1" ) in (*/x-shellscript*)
                 printf "%s\n" "$1";; esac' sh)"
     files="${files} $(${find_tool} . --max-depth=1 --type=f --extension=sh)"
     ;;
   find)
-    files="$(find "${group}"/ -not \( -path "*/zsh" -prune \) -type f -exec sh -c '
+    files="$(find scripts/ "${group}"/ -not \( -path "*/zsh" -prune \) -type f -exec sh -c '
               case $( file -bi "$1" ) in (*/x-shellscript*) exit 0;; esac
               exit 1' sh {} \; -print)"
     files="${files} $(find . -maxdepth 1 -type f -name "*.sh")"