diff --git a/.editorconfig b/.editorconfig
new file mode 100644
index 0000000..faeb5ed
--- /dev/null
+++ b/.editorconfig
@@ -0,0 +1,20 @@
+# SPDX-FileCopyrightText: 2023 Benjamin Grande M. S.
+#
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+root = true
+
+[*]
+indent_style = space
+indent_size = 2
+trim_trailing_whitespace = true
+insert_final_newline = true
+charset = utf-8
+end_of_line = lf
+
+[**/git/**/config]
+indent_style = tab
+indent_size = 8
+
+[*.{md,sh,yaml,yml,toml}]
+indent_size = 2
diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000..0a900ac
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1,5 @@
+# SPDX-FileCopyrightText: 2023 Benjamin Grande M. S.
+#
+# SPDX-License-Identifier: CC0-1.0
+
+* text=auto eol=lf
diff --git a/.gitignore b/.gitignore
index 50fb1c5..74c70b8 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,4 +1,3 @@
-# vim: nospell
 # SPDX-FileCopyrightText: 2023 Benjamin Grande M. S.
 #
 # SPDX-License-Identifier: CC0-1.0
diff --git a/.gitlint b/.gitlint
new file mode 100644
index 0000000..59be55b
--- /dev/null
+++ b/.gitlint
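Review bot: The final section `[*.{md,sh,yaml,yml,toml}]` sets `indent_size = 2`, which is exactly the `[*]` default declared a few lines above, so the section has no effect; either drop it or give those file types a value that actually differs. The `[**/git/**/config]` section is presumably there because git itself writes its config files with tabs and the repository ships such files in its states; a one-line comment such as `# git config files: git rewrites them with tab indentation` would record that intent for the next editor.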
@@ -0,0 +1,41 @@
+# vim: ft=toml
+# SPDX-FileCopyrightText: 2023 Benjamin Grande M. S.
+#
+# SPDX-License-Identifier: CC0-1.0
+
+[general]
+verbosity=3
+ignore=body-is-missing
+ignore-merge-commits=true
+ignore-revert-commits=true
+ignore-fixup-commits=false
+ignore-fixup-amend-commits=false
+ignore-squash-commits=false
+fail-without-commits=true
+regex-style-search=true
+debug=false
+contrib=contrib-title-conventional-commits,contrib-body-requires-signed-off-by,contrib-allowed-authors
+
+[title-max-length]
+line-length=50
+
+[title-min-length]
+min-length=10
+
+[title-must-not-contain-word]
+words=wip
+
+[body-max-line-length]
+line-length=72
+
+[body-min-length]
+min-length=20
+
+[body-is-missing]
+ignore-merge-commits=false
+
+[ignore-body-lines]
+regex=(^Co-Authored-By)|(^Reported-by)|(^Signed-off-by)
+
+[contrib-title-conventional-commits]
+types = fix,feat,build,chore,ci,doc,style,refactor,perf,test
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 7061194..a08695a 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -11,8 +11,25 @@ repos:
 entry: scripts/salt-lint.sh
 language: script
 pass_filenames: false
+ description: Lint Salt files
 - id: shellcheck
 name: shellcheck
 entry: scripts/shell-lint.sh
 language: script
 pass_filenames: false
+ description: Lint Shellscripts
+ - id: gitlint
+ name: gitlint
+ language: python
+ additional_dependencies: ["./gitlint-core[trusted-deps]"]
+ entry: gitlint
+ args: [--staged, --msg-filename]
+ stages: [commit-msg]
+ description: Lint Git commits
+ - id: reuse
+ name: reuse
+ entry: reuse
+ args: ["lint"]
+ language: python
+ pass_filenames: false
+ description: Lint files to comply with the REUSE Specification
diff --git a/.pre-commit-hooks.yaml b/.pre-commit-hooks.yaml
deleted file mode 100644
index ab4dd47..0000000
--- a/.pre-commit-hooks.yaml
+++ /dev/null
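Review bot: The `[body-is-missing]` section (`ignore-merge-commits=false`) can never take effect because `ignore=body-is-missing` under `[general]` disables that rule globally; keep one or the other, and note that `contrib-body-requires-signed-off-by` already rejects a commit whose body lacks the trailer, which makes the global ignore look redundant. `contrib-allowed-authors` is enabled and the commit adds `AUTHORS.md` holding only `Ben Grande` with no e-mail address; confirm the entry format gitlint compares the commit author against (name and address, as far as I recall), otherwise this provenance check either rejects every commit or matches nothing. A one-line comment above `contrib=` naming the file the allowed-authors rule reads would save the next contributor that lookup.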
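Review bot: `additional_dependencies: ["./gitlint-core[trusted-deps]"]` on the gitlint hook is a path relative to gitlint's own repository (it is what the upstream hook definition uses); inside this repository's config, where the hook appears to be a local `language: python` hook (the `repo:` line is outside the hunk), pre-commit will try to pip-install a `./gitlint-core` directory that does not exist here and the hook environment will fail to build. Either point `repo:` at the upstream gitlint repository with a pinned `rev:`, or write `additional_dependencies: [gitlint==<pinned version>]` so the hook's supply chain is reproducible. The `reuse` hook has the same shape (`language: python` with no dependency listed) and only works if `reuse` is already installed on the host; if that is the intent, `language: system` states it explicitly instead of relying on PATH fallback.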
@@ -1,12 +0,0 @@ -# SPDX-FileCopyrightText: 2020 Liferay, Inc. -# -# SPDX-License-Identifier: GPL-3.0-or-later - ---- -- id: reuse - name: reuse - entry: reuse - args: ["lint"] - language: python - pass_filenames: false - description: "Lint the project for compliance with the REUSE Specification" diff --git a/.reuse/dep5 b/.reuse/dep5 index ad2dadd..84de771 100644 --- a/.reuse/dep5 +++ b/.reuse/dep5 @@ -3,10 +3,14 @@ Upstream-Name: qusal Upstream-Contact: Benjamin Grande M. S. Source: https://github.com/ben-grande/qusal -Files: README.md CONTRIBUTING.md */README.md +Files: AUTHORS.md CONTRIBUTING.md README.md */README.md Copyright: 2023 Benjamin Grande M. S. License: CC-BY-SA-4.0 +Files: */rc.local +Copyright: 2023 Benjamin Grande M. S. +License: GPL-3.0-or-later + Files: qusal/sys-mirage-firewall/files/admin/mirage-firewall.tar.bz2 qusal/sys-mirage-firewall/files/admin/mirage-firewall.sha256 qusal/sys-mirage-firewall/files/admin/version.txt diff --git a/.yamllint b/.yamllint new file mode 100644 index 0000000..76e4f96 --- /dev/null +++ b/.yamllint @@ -0,0 +1,25 @@ +# SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. +# +# SPDX-License-Identifier: GPL-3.0-or-later +--- + +extends: 'default' + +ignore: | + .git/ + +yaml-files: + - '*.yaml' + - '*.yml' + - .salt-lint + - .yamllint + +rules: + empty-values: + forbid-in-block-mappings: true + forbid-in-flow-mappings: true + octal-values: + forbid-implicit-octal: true + forbid-explicit-octal: true + +# vim: ft=yaml diff --git a/AUTHORS.md b/AUTHORS.md new file mode 100644 index 0000000..59d5fb9 --- /dev/null +++ b/AUTHORS.md @@ -0,0 +1 @@ +Ben Grande diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 194f86c..932e5c1 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -1,7 +1,8 @@ -# Contributing to Qusal +# Contributing ## Table of Contents +* [Respect](#respect) * [Format](#format) * [File naming](#file-naming) * [State ID](#state-id) 
@@ -9,6 +10,10 @@
 * [Qube naming](#qube-naming)
 * [Qrexec](#qrexec)
 
+## Respect
+
+Be respectful towards peers.
+
 ## Format
 
 ### File naming
@@ -35,7 +40,7 @@ Table of Contents, Description, Installation, Access Control (if changed Qrexec policy), Usage.
-### Qube naming
+### Qube preferences
 1. Qube name format:
@@ -46,24 +51,25 @@ - DispVM Template (AppVM): `dvm-NAME` - Service qubes (not a class): `sys-NAME` -2. Label/Color: +2. **Label/Color**: - - *Black* (Ultimately trusted): You must trust Dom0, Templates, Vaults, + - **Black** (Ultimately trusted): You must trust Dom0, Templates, Vaults, Management qubes, these qubes control your system and hold valuable information. Examples: dom0, tpl-ssh, vault, default-mgmt-dvm. - - *Gray* (Fully trusted): Trusted storage with extra RPC services that allow + - **Gray** (Fully trusted): Trusted storage with extra RPC services that allow certain operations to be made by the client and executed on the server or may build components for other qubes. Examples: sys-cacher, sys-git, sys-pgp, sys-ssh-agent, qubes-builder. - - *Purple* (Much trust): Has the ability to manager remote servers via - encrypted connections and depend on authorization provided by another qube. + - **Purple** (Much trust): Has the ability to manager remote servers via + encrypted connections and depend on authorization provided by another + qube. Examples: ansible, dev, ssh, terraform. - - *Blue* (Very trusted): TODO - - *Green* (Trusted): TODO - - *Yellow* (Relatively trusted): TODO - - *Orange* (Slightly trusted): Controls the network flow of data to the + - **Blue** (Very trusted): TODO + - **Green** (Trusted): TODO + - **Yellow** (Relatively trusted): TODO + - **Orange** (Slightly trusted): Controls the network flow of data to the client, normally a firewall. Examples: sys-firewall, sys-vpn, sys-pihole. - - *Red* (Untrusted): Holds untrusted data (PCI devices, untrusted programs, + - **Red** (Untrusted): Holds untrusted data (PCI devices, untrusted programs, disposables for opening untrusted files or web pages). Examples: sys-net, sys-usb, dvm-browser. diff --git a/_modules/qvm_tags.py b/_modules/qvm_tags.py new file mode 100644 index 0000000..7189772 --- /dev/null +++ b/_modules/qvm_tags.py 
@@ -0,0 +1,29 @@
+#!/usr/bin/env python3
+## TOOD: test usability
+
+# SPDX-FileCopyrightText: 2016 Marek Marczykowski-Górecki
+# SPDX-FileCopyrightText: 2019 Brian C. Duggan
+# SPDX-FileCopyrightText: 2023 Gonzalo Bulnes Guilpain
+#
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+admin_available = True
+try:
+ import qubesadmin
+ import qubesadmin.vm
+except ImportError:
+ admin_available = False
+
+
+def __virtual__():
+ return admin_available
+
+
+def ext_pillar(minion_id, pillar, *args, **kwargs):
+ app = qubesadmin.Qubes()
+ try:
+ vm = app.domains[minion_id]
+ except KeyError:
+ return {}
+
+ return {'qubes': { 'tags': list(vm.tags) } }
diff --git a/qusal/ansible/files/client/rc.local b/qusal/ansible/files/client/rc.local
index 1a0c18f..37ff103 100755
--- a/qusal/ansible/files/client/rc.local
+++ b/qusal/ansible/files/client/rc.local
@@ -1,8 +1,2 @@
-#!/bin/sh
-
-# SPDX-FileCopyrightText: 2023 Benjamin Grande M. S.
-#
-# SPDX-License-Identifier: GPL-3.0-or-later
-
 systemctl unmask ssh
 systemctl --no-block start ssh
diff --git a/qusal/ansible/files/server/rc.local b/qusal/ansible/files/server/rc.local
index 865d6ee..b60d619 100755
--- a/qusal/ansible/files/server/rc.local
+++ b/qusal/ansible/files/server/rc.local
@@ -1,7 +1 @@
-#!/bin/sh
-
-# SPDX-FileCopyrightText: 2023 Benjamin Grande M. S.
-#
-# SPDX-License-Identifier: GPL-3.0-or-later
-
 qvm-connect-tcp 22000:@default:22
diff --git a/qusal/dev/create.sls b/qusal/dev/create.sls
index 297a451..2c017ac 100644
--- a/qusal/dev/create.sls
+++ b/qusal/dev/create.sls
@@ -32,6 +32,12 @@ features: - disable: - service.cups - service.cups-browsed +{% if salt['qvm.exists']('sys-cacher') %} +tags: +- add: + - sys-cacher-updatevm +{% endif %} +{% endif -%} {%- endload %} {{ load(defaults) }}
diff --git a/qusal/dev/install-python-tools.sls b/qusal/dev/install-python-tools.sls
index 5f4d56b..94e509f 100644
--- a/qusal/dev/install-python-tools.sls
+++ b/qusal/dev/install-python-tools.sls
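Review bot: `ext_pillar` is the entry point of a Salt external pillar, yet the file is added under `_modules/`, which Salt syncs as execution modules; external pillars are loaded from `_pillar/` (or an `extension_modules` path), so as placed this function will most likely never be invoked as a pillar — confirm the intended directory. `__virtual__` returns a bare `False` when `qubesadmin` cannot be imported; `return (False, 'qubesadmin is not importable')` surfaces the reason in the minion log instead of failing silently. `import qubesadmin.vm` is unused, and the header comment `## TOOD: test usability` has a typo (`TODO`). A module docstring stating that the pillar exposes the calling qube's tags under `qubes:tags`, and an empty dict when the minion id is not a known domain, would document the contract the consuming states rely on.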
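Review bot: `qusal/ansible/files/client/rc.local` keeps mode 100755 but loses its `#!/bin/sh` line together with the license header, so the file no longer names an interpreter; the same happens to `qusal/ansible/files/server/rc.local` in the next hunk. Whether the scripts still run after this depends on the caller invoking them through a shell rather than executing the file directly, which is not visible here. Keeping `#!/bin/sh` as the first line avoids that dependency; the new `Files: */rc.local` stanza in `.reuse/dep5` already covers licensing, so the header comment can go without taking the shebang with it.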
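Review bot: Two closing tags are added, `{% endif %}` and `{% endif -%}`, but only one `{% if salt['qvm.exists']('sys-cacher') %}` is opened; unless the enclosing `{% if` earlier in the file (its start is outside the hunk) was left unclosed before this change, the second `{% endif -%}` is unbalanced and Jinja will refuse to render the state. Both closings also sit before `{%- endload %}`, so if the extra one is meant to close the outer block it does so inside the `load_yaml` body. Confirm which `if` each tag closes and drop or relocate the stray one.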
@@ -6,11 +6,11 @@ SPDX-License-Identifier: GPL-3.0-or-later
 
 {% if grains['nodename'] != 'dom0' -%}
 
-"{{ slsdotpath }}-updated-network":
+"{{ slsdotpath }}-updated-python-tools":
 pkg.uptodate:
 - refresh: True
 
-"{{ slsdotpath }}-installed-network":
+"{{ slsdotpath }}-installed-python-tools":
 pkg.installed:
 - refresh: True
 - install_recommends: False
diff --git a/qusal/dev/install-salt-tools.sls b/qusal/dev/install-salt-tools.sls
index 7f56500..b7cde62 100644
--- a/qusal/dev/install-salt-tools.sls
+++ b/qusal/dev/install-salt-tools.sls
@@ -17,7 +17,6 @@ SPDX-License-Identifier: GPL-3.0-or-later
 - skip_suggestions: True
 - pkgs:
 - python3-pip
- - yamllint
 - ansible-lint
 
 {% set pkg = {
diff --git a/qusal/dev/install.sls b/qusal/dev/install.sls
index 228850b..af5718e 100644
--- a/qusal/dev/install.sls
+++ b/qusal/dev/install.sls
@@ -7,6 +7,9 @@ SPDX-License-Identifier: GPL-3.0-or-later
 {% if grains['nodename'] != 'dom0' -%}
 
 include:
+ {%- if salt['qvm.exists']('sys-cacher') %}
+ - sys-cacher.install-client
+ {% endif %}
 - .home-cleanup
 - .install-python-tools
 - .install-salt-tools
@@ -26,11 +29,13 @@ include:
 - install_recommends: False
 - skip_suggestions: True
 - pkgs:
+ ## Necessary
 - qubes-core-agent-passwordless-root
 - qubes-core-agent-networking
 - ca-certificates
 - git
 - gnupg2
+ ## Usability
 - tmux
 - xclip
 - bash-completion
@@ -38,11 +43,15 @@ include:
 - texinfo
 - file
 - tree
- - reuse
- - pre-commit
- - gitlint
 - ripgrep
 - fzf
+ ## Lint
+ - pre-commit
+ - precious
+ - reuse
+ - gitlint
+ - pylint
+ - yamllint
 
 {% set pkg = {
 'Debian': {
diff --git a/qusal/docker/install-repo.sls b/qusal/docker/install-repo.sls
new file mode 100644
index 0000000..213f8ba
--- /dev/null
+++ b/qusal/docker/install-repo.sls
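Review bot: The new `{%- if salt['qvm.exists']('sys-cacher') %}` inside `include:` sits under the `grains['nodename'] != 'dom0'` branch, i.e. it is evaluated when the state is rendered for the qube rather than for dom0; `qvm.exists` comes from the dom0 management modules, so unless that execution module is also available where this file renders, the render aborts with an undefined-function error instead of skipping the include. `create.sls` in the same commit makes the same call on the dom0 side, where it is expected to exist; here a pillar key or a grain set by the sys-cacher client state would be the portable way to decide the include. If the module is in fact synced to qubes, a short comment on the `{%- if` line saying so would stop the next reader from asking the same question.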
@@ -0,0 +1,58 @@
+{#
+SPDX-FileCopyrightText: 2023 Benjamin Grande M. S.
+
+SPDX-License-Identifier: GPL-3.0-or-later
+#}
+
+{% if grains['nodename'] != 'dom0' -%}
+
+{% from 'utils/macros/install-repo.sls' import install_repo -%}
+{{ install_repo(sls_path, 'docker') }}
+
+"{{ slsdotpath }}-updated":
+ pkg.uptodate:
+ - refresh: True
+
+{% set pkg = {
+ 'Debian': {
+ 'pkg_removed': ['docker.io', 'docker-doc', 'docker-compose',
+ 'podman-docker', 'containerd', 'runc'],
+ },
+ 'RedHat': {
+ 'pkg_removed': ['docker', 'docker-client', 'docker-client-latest',
+ 'docker-common', 'docker-latest',
+ 'docker-latest-logrotate', 'docker-logrotate',
+ 'docker-selinux', 'docker-engine-selinux',
+ 'docker-engine'],
+ },
+}.get(grains.os_family) -%}
+
+{#
+"{{ slsdotpath }}-removed-os-specific":
+ pkg.removed:
+ - pkgs: {{ pkg.pkg_removed|sequence|yaml }}
+#}
+
+"{{ slsdotpath }}-installed":
+ pkg.installed:
+ - refresh: True
+ - install_recommends: False
+ - skip_suggestions: True
+ - pkgs:
+ - qubes-core-agent-networking
+ - man-db
+ - docker-ce
+ - docker-ce-cli
+ - containerd.io
+ - docker-buildx-plugin
+ - docker-compose-plugin
+
+"{{ slsdotpath }}-user-in-docker-group":
+ user.present:
+ - name: user
+ - groups:
+ - user
+ - qubes
+ - docker
+
+{% endif -%}
diff --git a/qusal/docker/install-repo.top b/qusal/docker/install-repo.top
new file mode 100644
index 0000000..570631f
--- /dev/null
+++ b/qusal/docker/install-repo.top
@@ -0,0 +1,9 @@
+{#
+SPDX-FileCopyrightText: 2023 Benjamin Grande M. S.
+
+SPDX-License-Identifier: GPL-3.0-or-later
+#}
+
+base:
+ 'tpl-qubes-builder':
+ - docker.install-repo
diff --git a/qusal/qubes-builder/files/server/rc.local b/qusal/qubes-builder/files/server/rc.local
index 8c29de4..b585b34 100644
--- a/qusal/qubes-builder/files/server/rc.local
+++ b/qusal/qubes-builder/files/server/rc.local
@@ -1,5 +1 @@
-# SPDX-FileCopyrightText: 2023 The Qubes OS Project
-#
-# SPDX-License-Identifier: GPL-3.0-or-later
-
 mount /builder -o dev,suid,remount
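Review bot: `user.present` for `user` with `groups: [user, qubes, docker]` in the `-user-in-docker-group` state declares the exact membership list: with Salt's default `remove_groups: True` the user is dropped from every group not listed, so any groups the template image already assigned (audio, video, sudo and the like) disappear on the first apply. To only add the docker group, either add `- remove_groups: False` under `user.present`, or use `group.present` on `docker` with `addusers: [user]`. Membership in `docker` is root-equivalent inside the qube; that looks intentional here, but a comment on the state saying so would make the trust decision explicit to readers. The commented-out `-removed-os-specific` state and the `pkg` map that only feeds it are dead code; either enable the removal or drop both.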
diff --git a/qusal/ssh/README.md b/qusal/ssh/README.md
index 7708098..7c48ab6 100644
--- a/qusal/ssh/README.md
+++ b/qusal/ssh/README.md
@@ -42,3 +42,5 @@ The client qube can enhanced by being: - sys-ssh-agent's client and not storing the SSH keys on the client; or - sys-git's client and fetching from qubes and push to remote servers.
+
+The server requires the OpenSSH server to be installed.
diff --git a/qusal/sys-rsync/files/server/rc.local b/qusal/sys-rsync/files/server/rc.local
index 19969c7..7f33c9a 100644
--- a/qusal/sys-rsync/files/server/rc.local
+++ b/qusal/sys-rsync/files/server/rc.local
@@ -1,6 +1,2 @@
-# SPDX-FileCopyrightText: 2023 Benjamin Grande M. S.