fix: Print server without RPC service

- Install RPC service to template; - Move qube configuration to template configuration; - Start server after the Qubes Services are created; - Qrexec policy ask to both app and disposable qube; and - Rename systemd service to qusal prefix instead of qubes.
2024-10-01 02:35:49 -04:00 · 2024-06-19 15:40:20 +02:00 · 2024-06-19 15:40:20 +02:00 · f30bd20f54
commit f30bd20f54
parent bf0a4bc914
9 changed files with 33 additions and 39 deletions
--- a/salt/sys-print/README.md
+++ b/salt/sys-print/README.md
@ -43,7 +43,7 @@ qube that has access to the printer.
 - Top:
 ```sh
 sudo qubesctl top.enable sys-print
-sudo qubesctl --targets=tpl-sys-print,sys-print state.apply
+sudo qubesctl --targets=tpl-sys-print state.apply
 sudo qubesctl top.disable sys-print
 sudo qubesctl state.apply sys-print.appmenus
 ```
@ -53,7 +53,6 @@ sudo qubesctl state.apply sys-print.appmenus
 ```sh
 sudo qubesctl state.apply sys-print.create
 sudo qubesctl --skip-dom0 --targets=tpl-sys-print state.apply sys-print.install
-sudo qubesctl --skip-dom0 --targets=dvm-sys-print,sys-print state.apply sys-print.configure
 sudo qubesctl state.apply sys-print.appmenus
 ```
 <!-- pkg:end:post-install -->
--- a/salt/sys-print/configure.sls
+++ b/salt/sys-print/configure.sls
@ -1,24 +0,0 @@
-{#
-SPDX-FileCopyrightText: 2022 - 2023 unman <unman@thirdeyesecurity.org>
-SPDX-FileCopyrightText: 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com>
-
-SPDX-License-Identifier: AGPL-3.0-or-later
-#}
-
-"{{ slsdotpath }}-bind-dirs":
-  file.managed:
-    - name: /rw/config/qubes-bind-dirs.d/50-sys-print.conf
-    - source: salt://{{ slsdotpath }}/files/server/qubes-bind-dirs.d/50-sys-print.conf
-    - mode: '0644'
-    - user: root
-    - group: root
-    - makedirs: True
-
-"{{ slsdotpath }}-rpc":
-  file.managed:
-    - name: /etc/qubes-rpc/qusal.Print
-    - source: salt://{{ slsdotpath }}/files/server/rpc/qusal.Print
-    - mode: '0755'
-    - user: root
-    - group: root
-    - makedirs: True
--- a/salt/sys-print/configure.top
+++ b/salt/sys-print/configure.top
@ -1,9 +0,0 @@
-{#
-SPDX-FileCopyrightText: 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com>
-
-SPDX-License-Identifier: AGPL-3.0-or-later
-#}
-
-base:
-  'dvm-sys-print,sys-print':
-    - sys-print.configure
--- a/salt/sys-print/create.sls
+++ b/salt/sys-print/create.sls
@ -88,6 +88,9 @@ features:
  - service.evolution-data-server
 - set:
  - menu-items: "system-config-printer.desktop simple-scan.desktop qubes-run-terminal.desktop qubes-open-file-manager.desktop qubes.start.desktop"
+tags:
+- add:
+  - "print-server"
 {%- endload %}
 {{ load(defaults) }}

@ -120,6 +123,9 @@ features:
  - service.evolution-data-server
 - set:
  - menu-items: "system-config-printer.desktop simple-scan.desktop qubes-run-terminal.desktop qubes-open-file-manager.desktop qubes.start.desktop"
+tags:
+- add:
+  - "print-server"
 {%- endload %}
 {{ load(defaults) }}

--- a/salt/sys-print/files/admin/policy/default.policy
+++ b/salt/sys-print/files/admin/policy/default.policy
@ -4,6 +4,7 @@

 ## Do not modify this file, create a new policy with with a lower number in the
 ## file name instead. For example `30-user.policy`.
+qusal.Print * @anyvm @tag:print-server ask
 qusal.Print * @anyvm @default ask default_target=sys-print
 qusal.Print * @anyvm @anyvm deny
 ## vim:ft=qrexecpolicy
--- a/salt/sys-print/files/client/systemd/qusal-print-forwarder.service
+++ b/salt/sys-print/files/client/systemd/qusal-print-forwarder.service
@ -4,6 +4,7 @@

 [Unit]
 Description=Print over Qrexec
+After=qubes-sysinit.service
 After=qubes-qrexec-agent.service
 ConditionPathExists=/var/run/qubes-service/print-setup

--- a/salt/sys-print/init.top
+++ b/salt/sys-print/init.top
@ -10,5 +10,3 @@ base:
    - sys-print.create
  'tpl-sys-print':
    - sys-print.install
-  'dvm-sys-print,sys-print':
-    - sys-print.configure
--- a/salt/sys-print/install-client.sls
+++ b/salt/sys-print/install-client.sls
@ -7,9 +7,13 @@ SPDX-License-Identifier: AGPL-3.0-or-later

 "{{ slsdotpath }}-client-systemd-print-forwarder":
  file.managed:
-    - name: /usr/lib/systemd/system/qubes-print-forwarder.service
-    - source: salt://{{ slsdotpath }}/files/client/systemd/qubes-print-forwarder.service
+    - name: /usr/lib/systemd/system/qusal-print-forwarder.service
+    - source: salt://{{ slsdotpath }}/files/client/systemd/qusal-print-forwarder.service
    - mode: '0644'
    - user: root
    - group: root
    - makedirs: True
+
+"{{ slsdotpath }}-enable-systemd-service-print-forwarder":
+  service.enabled:
+    - name: qusal-print-forwarder.service
--- a/salt/sys-print/install.sls
+++ b/salt/sys-print/install.sls
@ -42,4 +42,22 @@ include:
    - addusers:
      - user

+"{{ slsdotpath }}-rpc":
+  file.managed:
+    - name: /etc/qubes-rpc/qusal.Print
+    - source: salt://{{ slsdotpath }}/files/server/rpc/qusal.Print
+    - mode: '0755'
+    - user: root
+    - group: root
+    - makedirs: True
+
+"{{ slsdotpath }}-bind-dirs":
+  file.managed:
+    - name: /etc/qubes-bind-dirs.d/50-sys-print.conf
+    - source: salt://{{ slsdotpath }}/files/server/qubes-bind-dirs.d/50-sys-print.conf
+    - mode: '0644'
+    - user: root
+    - group: root
+    - makedirs: True
+
 {% endif -%}