refactor: initial commit

salt/sys-net/README.md

@@ -0,0 +1,61 @@
+# sys-net
+
+PCI handler of Network devices in Qubes OS.
+
+## Table of Contents
+
+* [Description](#description)
+* [Installation](#installation)
+* [Usage](#usage)
+
+## Description
+
+Creates and configure qubes for handling the network devices. Qubes OS
+provides the state "qvm.sys-net", but it will create only "sys-net", which can
+be a disposable or not. This package takes a different approach, it will
+create an AppVM "sys-net" and a DispVM "disp-sys-net".
+
+By default, the chosen one is "sys-net", but you can choose which qube type
+becomes the upstream net qube "default_netvm", the "clockvm" and the fallback
+target for the "qubes.UpdatesProxy" service in case no rule matched before.
+
+## Installation
+
+Before installation, rename your current `sys-net` to another name such as
+`sys-net-old`, the old qube will be used to install packages require for the
+template. After successful installation and testing the new net qube
+capabilities, you can remove the old one. If you want the default net qube
+back, just set `sys-net` template to the full template you are using, such as
+Debian or Fedora.
+
+- Top:
+```sh
+qubesctl top.enable sys-net
+qubesctl --targets=tpl-sys-net state.apply
+qubesctl top.disable sys-net
+qubesctl state.apply sys-net.prefs
+```
+
+- State:
+<!-- pkg:begin:post-install -->
+```sh
+qubesctl state.apply sys-net.create
+qubesctl --skip-dom0 --targets=tpl-sys-net state.apply sys-net.install
+qubesctl state.apply sys-net.prefs
+```
+<!-- pkg:end:post-install -->
+
+Alternatively, if you prefer to have a disposable net qube:
+```sh
+qubesctl state.apply sys-net.prefs-disp
+```
+
+You might need to install some firmware on the template for your network
+drivers. Check files/admin/firmware.txt.
+
+## Usage
+
+A network manager is provided in `sys-net`, from there you can manager Wi-Fi
+or Ethernet cable connections. You can also use it for network monitoring. It
+should be relied on to hold firewall rules for other qubes, use
+`sys-firewall`, `sys-pihole` or `sys-mirage-firewall` for that purpose.

salt/sys-net/clone.sls

@@ -0,0 +1,11 @@
+{#
+SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
+
+SPDX-License-Identifier: AGPL-3.0-or-later
+#}
+
+{% from 'utils/macros/clone-template.sls' import clone_template -%}
+{{ clone_template('debian-minimal', sls_path) }}
+
+{% from 'utils/macros/clone-template.sls' import clone_template -%}
+{{ clone_template('debian', sls_path) }}

salt/sys-net/clone.top

@@ -0,0 +1,10 @@
+{#
+SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
+
+SPDX-License-Identifier: AGPL-3.0-or-later
+#}
+
+base:
+  'dom0':
+    - match: nodegroup
+    - sys-net.clone

salt/sys-net/create.sls

@@ -0,0 +1,107 @@
+{#
+SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
+
+SPDX-License-Identifier: AGPL-3.0-or-later
+#}
+
+{%- from "qvm/template.jinja" import load -%}
+
+{% set net_pcidevs = salt['grains.get']('pci_net_devs', []) -%}
+
+include:
+  - .clone
+
+{% load_yaml as defaults -%}
+name: {{ slsdotpath }}
+force: True
+require:
+- sls: {{ slsdotpath }}.clone
+present:
+- template: tpl-{{ slsdotpath }}
+- label: red
+prefs:
+- template: tpl-{{ slsdotpath }}
+- label: red
+- netvm: ""
+- memory: 400
+- maxmem: 0
+- vcpus: 1
+- virt_mode: hvm
+- autostart: False
+- provides-network: True
+- pcidevs: {{ net_pcidevs|yaml }}
+- pci_strictreset: False
+- include_in_backups: False
+features:
+- enable:
+  - servicevm
+  - service.qubes-updates-proxy
+  - service.clocksync
+- disable:
+  - service.cups
+  - service.cups-browsed
+  - service.meminfo-writer
+{%- endload %}
+{{ load(defaults) }}
+
+{% load_yaml as defaults -%}
+name: dvm-{{ slsdotpath }}
+force: True
+require:
+- sls: {{ slsdotpath }}.clone
+present:
+- template: tpl-{{ slsdotpath }}
+- label: red
+prefs:
+- template: tpl-{{ slsdotpath }}
+- label: red
+- netvm: ""
+- memory: 400
+- maxmem: 0
+- vcpus: 1
+- virt_mode: hvm
+- template_for_dispvms: True
+- include_in_backups: False
+features:
+- enable:
+  - servicevm
+  - service.qubes-updates-proxy
+  - service.clocksync
+- disable:
+  - appmenus-dispvm
+  - service.cups
+  - service.cups-browsed
+  - service.meminfo-writer
+{%- endload %}
+{{ load(defaults) }}
+
+{% load_yaml as defaults -%}
+name: disp-{{ slsdotpath }}
+force: True
+require:
+- qvm: dvm-{{ slsdotpath }}
+present:
+- template: dvm-{{ slsdotpath }}
+- label: red
+- class: DispVM
+prefs:
+- template: dvm-{{ slsdotpath }}
+- label: red
+- netvm: ""
+- autostart: False
+- provides-network: True
+- pcidevs: {{ net_pcidevs|yaml }}
+- pci_strictreset: False
+- include_in_backups: False
+features:
+- enable:
+  - servicevm
+  - service.qubes-updates-proxy
+  - service.clocksync
+- disable:
+  - appmenus-dispvm
+  - service.cups
+  - service.cups-browsed
+  - service.meminfo-writer
+{%- endload %}
+{{ load(defaults) }}

salt/sys-net/create.top

@@ -0,0 +1,10 @@
+{#
+SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
+
+SPDX-License-Identifier: AGPL-3.0-or-later
+#}
+
+base:
+  'dom0':
+    - match: nodegroup
+    - sys-net.create

salt/sys-net/files/admin/firmware.txt

@@ -0,0 +1,17 @@
+# vim: ft=conf
+# SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
+#
+# SPDX-License-Identifier: MIT
+
+atmel-firmware
+firmware-ath9k-htc
+firmware-atheros
+firmware-b43-installer
+firmware-brcm80211
+firmware-intelwimax
+firmware-ipw2x00
+firmware-iwlwifi
+firmware-misc-nonfree
+firmware-ralink
+firmware-realtek
+firmware-zd1211

salt/sys-net/files/admin/policy/default.policy

@@ -0,0 +1,11 @@
+# SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+## Do not modify this file, create a new policy with with a lower number in the
+## file name instead. For example `30-user.policy`.
+qubes.UpdatesProxy  *  @tag:whonix-updatevm  @default  allow target=sys-whonix
+qubes.UpdatesProxy  *  @tag:whonix-updatevm  @anyvm    deny
+qubes.UpdatesProxy  *  @type:TemplateVM      @default  allow target=disp-{{ sls_path }}
+qubes.UpdatesProxy  *  @type:TemplateVM      @anyvm    deny
+## vim:ft=qrexecpolicy

salt/sys-net/init.top

@@ -0,0 +1,12 @@
+{#
+SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
+
+SPDX-License-Identifier: AGPL-3.0-or-later
+#}
+
+base:
+  'dom0':
+    - match: nodegroup
+    - sys-net.create
+  'tpl-sys-net':
+    - sys-net.install

salt/sys-net/install-debug.sls

@@ -0,0 +1,27 @@
+{#
+SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
+
+SPDX-License-Identifier: AGPL-3.0-or-later
+#}
+
+{% if grains['nodename'] != 'dom0' -%}
+
+"{{ slsdotpath }}-updated":
+  pkg.uptodate:
+    - refresh: True
+
+"{{ slsdotpath }}-installed":
+  pkg.installed:
+    - refresh: True
+    - install_recommends: False
+    - skip_suggestions: True
+    - pkgs:
+      - pciutils
+      - net-tools
+      - wireless-tools
+      - socat
+      - ncat
+      - nmap
+      - tcpdump
+
+{% endif -%}

salt/sys-net/install-debug.top

@@ -0,0 +1,9 @@
+{#
+SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
+
+SPDX-License-Identifier: AGPL-3.0-or-later
+#}
+
+base:
+  'tpl-sys-net':
+    - sys-net.install-debug

salt/sys-net/install.sls

@@ -0,0 +1,28 @@
+{#
+SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
+
+SPDX-License-Identifier: AGPL-3.0-or-later
+#}
+
+{% if grains['nodename'] != 'dom0' -%}
+
+include:
+  - .install-debug
+  - dotfiles.copy-x11
+
+"{{ slsdotpath }}-updated":
+  pkg.uptodate:
+    - refresh: True
+
+"{{ slsdotpath }}-installed":
+  pkg.installed:
+    - refresh: True
+    - install_recommends: False
+    - skip_suggestions: True
+    - pkgs:
+      - qubes-core-agent-network-manager
+      - wpasupplicant
+      - gnome-keyring
+      - notification-daemon
+
+{% endif -%}

salt/sys-net/install.top

@@ -0,0 +1,9 @@
+{#
+SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
+
+SPDX-License-Identifier: AGPL-3.0-or-later
+#}
+
+base:
+  'tpl-sys-net':
+    - sys-net.install

salt/sys-net/prefs-disp.sls

@@ -0,0 +1,26 @@
+{#
+SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
+
+SPDX-License-Identifier: AGPL-3.0-or-later
+#}
+
+include:
+  - .create
+
+{% set default_netvm = salt['cmd.shell']('qubes-prefs default_netvm') -%}
+"default_netvm-netvm-disp-{{ slsdotpath }}":
+  qvm.vm:
+    - require:
+      - qvm: disp-{{ slsdotpath }}
+    - name: {{ default_netvm }}
+    - prefs:
+      - netvm: disp-{{ slsdotpath }}
+
+"clockvm-disp-{{ slsdotpath }}":
+  cmd.run:
+    - require:
+      - qvm: disp-{{ slsdotpath }}
+    - name: qubes-prefs clockvm disp-{{ slsdotpath }}
+
+{% from 'utils/macros/policy.sls' import policy_set with context -%}
+{{ policy_set(sls_path, '80') }}

salt/sys-net/prefs-disp.top

@@ -0,0 +1,10 @@
+{#
+SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
+
+SPDX-License-Identifier: AGPL-3.0-or-later
+#}
+
+base:
+  'dom0':
+    - match: nodegroup
+    - sys-net.prefs-disp

salt/sys-net/prefs.sls

@@ -0,0 +1,26 @@
+{#
+SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
+
+SPDX-License-Identifier: AGPL-3.0-or-later
+#}
+
+include:
+  - .create
+
+{% set default_netvm = salt['cmd.shell']('qubes-prefs default_netvm') -%}
+"default_netvm-netvm-{{ slsdotpath }}":
+  qvm.vm:
+    - require:
+      - qvm: {{ slsdotpath }}
+    - name: {{ default_netvm }}
+    - prefs:
+      - netvm: {{ slsdotpath }}
+
+"clockvm-{{ slsdotpath }}":
+  cmd.run:
+    - require:
+      - qvm: {{ slsdotpath }}
+    - name: qubes-prefs clockvm {{ slsdotpath }}
+
+{% from 'utils/macros/policy.sls' import policy_set with context -%}
+{{ policy_set(sls_path, '80') }}

salt/sys-net/prefs.top

@@ -0,0 +1,10 @@
+{#
+SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
+
+SPDX-License-Identifier: AGPL-3.0-or-later
+#}
+
+base:
+  'dom0':
+    - match: nodegroup
+    - sys-net.prefs