Commit Graph

346 Commits

Author SHA1 Message Date
Ben Grande
0dd627b670 fix: update dotfiles module 2024-01-18 09:24:36 +01:00
Ben Grande
23bccebaab fix: dom0 as sys-git client
The salt module git.config_get does not work in Dom0 and does not have
a key to set the system gitconfig.
2024-01-18 09:21:21 +01:00
Ben Grande
3faa523820 feat: usb devices in sys-audio
Introduces support for USB connected devices such as Bluetooth and
camera, microphone as well as their integrated versions.
2024-01-17 16:52:55 +01:00
Ben Grande
6bf9b97a36 fix: help option for port forwarder 2024-01-16 12:11:31 +01:00
Ben Grande
80638d64b5 feat: port forwarder
If persistent rules are chosen, it can deal with disposable sys-net, but
not with disposable sys-firewall, as the qube ip will change, the rule
won't work. Applying the rule to the disposable template is a "try it
all", but it's usage is discouraged.
2024-01-16 00:15:29 +01:00
Ben Grande
c3937e881e fix: disposable sys-audio name with disp prefix 2024-01-14 14:05:17 +01:00
Ben Grande
ff4773bf8e doc: kicksecure missing minimal flavor 2024-01-14 08:52:24 +01:00
Ben Grande
23a569d4e1 fix: install less browser packages in reader
The state browse.install installs extraneous packages that we won't
need for an untrusted environment, such as USB and audio support.
2024-01-12 19:47:52 +01:00
Ben Grande
2576d14448 fix: policy file mode not allowing group to write 2024-01-12 19:44:55 +01:00
Ben Grande
ac25ef6b87 fix: sys-usb hide-usb-from-dom0 in keyboard state 2024-01-12 19:08:56 +01:00
Ben Grande
8d7c0a2d0b fix: sys-cacher policy with the new tag name 2024-01-12 18:34:04 +01:00
Ben Grande
2063a4328c fix: clone macro support for optional argument 2024-01-12 18:22:33 +01:00
Ben Grande
6eefceda74 fix: sys-usb disposables must have name prefix 2024-01-12 18:22:18 +01:00
Ben Grande
6828e83dde fix: update dotfiles module 2024-01-12 18:00:40 +01:00
Ben Grande
7eb1f34f73 feat: disposable mirage firewall 2024-01-12 17:58:56 +01:00
Ben Grande
5502103901 fix: separate template formula per flavor
Default template flavor is Gnome, installing Xfce when requesting the
template formula without flavor causes confusion.
2024-01-12 17:47:21 +01:00
Ben Grande
233ac76bcb fix: sys-cacher tag compliance with default tags
The default tags start with the capability than the qube name, such as
audiovm-dom0 and guivm-dom0.
2024-01-12 17:30:29 +01:00
Ben Grande
5e5ae2f704 fix: zsh state import with relative path
Relative path only works well if it is on the salt root.
2024-01-12 17:24:43 +01:00
Ben Grande
a97e3c0c8a feat: kicksecure minimal template 2024-01-12 17:24:31 +01:00
Ben Grande
2b6daac8a9 fix: shellcheck 2024-01-10 14:31:57 +01:00
Ben Grande
040594ae74 fix: do not remove created dvm
The removal was first implemented to get a clean state of the qube, but
there are side effects, it fails if the user created a named disposable
based on the dvm and also removes the (dvm) entry from the appmenu.

The sys-usb case is a workaround in case the user selected a
non-disposable, an appvm sys-usb during system installation.
2024-01-10 14:27:44 +01:00
Ben Grande
5b9b0bba5b doc: missing access control for sys-usb 2024-01-10 12:50:02 +01:00
Ben Grande
76e9234c83 fix: organize sys-usb policy per service 2024-01-10 12:49:20 +01:00
Ben Grande
567e36d276 fix: prefer qvm-features for uniformity 2024-01-09 18:48:29 +01:00
Ben Grande
a3829e46ae feat: policy support for multiple sys-usb qubes 2024-01-09 18:44:50 +01:00
Ben Grande
f5894dc6fc doc: cleaner usage sections for qubes-builder 2024-01-08 20:08:54 +01:00
Ben Grande
c306047f1e fix: sys-wireguard compatible with Qubes 4.2 2024-01-08 20:07:20 +01:00
Ben Grande
42a93093dd fix: rpc service copy to dvm
Upstream-commit: 7c37bb7bd65ad3a183790ad07344729504bc0930
2024-01-07 20:20:54 +01:00
Ben Grande
762f8be485 fix: make sys-pihole fully replace sys-firewall 2024-01-05 20:28:27 +01:00
Ben Grande
705808d8b6 feat: allow sys-pihole to use pi-hole for queries 2024-01-05 17:45:04 +01:00
Ben Grande
a17f9f5250 feat: unattended qubes-builder build
Split-gpg2 allows to isolate GPG home directories. In the future,
enforcing this setting via drop-in configuration would be safer, depends
on https://github.com/QubesOS/qubes-issues/issues/8792.
2024-01-05 17:24:14 +01:00
Ben Grande
692659e22d feat: passwordless pihole admin interface
- Passwordless as it doesn't compromise security;
- Firewall blocks access to the interface in case the pihole is exposed
  to the internet;
- setupVars.conf needs to be 644 for non root commands to the pihole
  script to work, so the WEB_PASSWORD can be read as normal user,
  restricting root on pihole does not make sense, as it can modify the
  network setting via pihole web interface.
2024-01-05 16:32:42 +01:00
Ben Grande
417843ba75 feat: remove extraneous passwordless root 2024-01-05 12:03:23 +01:00
Ben Grande
c1094046ee fix: add user to mock group 2024-01-05 11:07:27 +01:00
Ben Grande
0216297ee6 feat: default to disposable netvm
- Default sys-net and sys-firewall to disposable;
- Set global and per vm preferences by starting the qubes or shutting
  down them when necessary; and
- Less manual steps remaining for the user: just rename the net qube, as
  it can only be done via Qubes Manager.
2024-01-04 21:59:15 +01:00
Ben Grande
8a8252d6f0 fix: changes default template flavor to Xfce 2024-01-04 18:01:21 +01:00
Ben Grande
e0b11b3daf fix: do not install net debug tools by default 2024-01-04 17:25:16 +01:00
Ben Grande
e167879cfb doc: sys-audio usage 2024-01-04 15:17:20 +01:00
Ben Grande
767fc42523 fix: allow to attach mic with sys-audio 2024-01-04 12:20:13 +01:00
Ben Grande
6bb426a057 refactor: import armored gpg keys instead of db 2024-01-03 21:40:05 +01:00
Ben Grande
0eecbcffc4 fix: unconfined qfile-unpacker
Upstream-commit: 0648b2329f0d142a2e24ecf376b28603fb04abb4
2024-01-03 14:35:06 +01:00
Ben Grande
083285901c fix: remove old split-gpg from qubes-builder 2024-01-03 14:29:49 +01:00
Ben Grande
2283b3368e fix: sys-audio policy and autostart pacat daemon 2024-01-03 11:47:13 +01:00
Ben Grande
d939d4aa26 fix: signal state uses idempotent state 2024-01-02 23:03:10 +01:00
Ben Grande
f32a14c422 fix: autostart volumeicon 2024-01-02 23:01:58 +01:00
Ben Grande
b86486a793 feat: qubes-vm-update global settings 2024-01-02 18:04:54 +01:00
Ben Grande
ed4fe70980 fix: customize sys-whonix
- autostart set to false;
- lower vcpus available;
- lower total memory; and
- use state provided by upstream;
2023-12-31 07:52:38 +01:00
Ben Grande
e2c24ec78e style: client state ID must conform to order 2023-12-31 07:50:03 +01:00
Ben Grande
ec9142bf27 fix: pci regain with invalid syntax 2023-12-31 07:49:25 +01:00
Ben Grande
81f8c56a76 fix: install missing packages to audio client 2023-12-31 07:48:29 +01:00
Ben Grande
bd54499a26 fix: update dotfiles module 2023-12-28 12:29:09 +01:00
Ben Grande
f8953c6acc doc: better usage of split-gpg2 in qubes-builder 2023-12-28 12:26:37 +01:00
Ben Grande
b52e4b1b63 fix: strict split-gpg2 service
Split-gpg V1 allowed for querying public keys, but as split-gpg2 is
running as an agent, public keys are not queried. Allowing connection to
the server to query only public parts of the key exposes the server more
than needed to the client.

All clients now have to hold the public key they need locally in order
to do GPG operations.
2023-12-28 11:47:41 +01:00
Ben Grande
76079d2c7e fix: wrong source paths 2023-12-27 23:45:06 +01:00
Ben Grande
652b4f0f71 fix: update dotfiles module 2023-12-27 20:05:41 +01:00
Ben Grande
a617c3d97e fix: modify package names to match Qubes 4.2 2023-12-27 20:00:15 +01:00
Ben Grande
250c877723 fix: regain pci script not managed 2023-12-27 19:58:01 +01:00
Ben Grande
e650deaa7d fix: port forwarder script with custom rc 2023-12-26 20:15:57 +01:00
Ben Grande
06393fce3f fix: browser cli install tool switches to fetcher 2023-12-26 19:53:59 +01:00
Ben Grande
6a551eba67 refactor: pihole nft rules for Qubes 4.2 2023-12-26 19:50:31 +01:00
Ben Grande
224d2d5f69 fix: pihole lighttpd link 2023-12-24 21:23:29 +01:00
Ben Grande
6fc173d78d feat: clockvm also present in sys-pihole 2023-12-23 21:05:24 +01:00
Ben Grande
ad6f5e29fe feat: move clockvm out of sys-net to sys-firewall 2023-12-21 23:38:39 +01:00
Ben Grande
f21f676adf fix: dom0 qrexec call target qube 2023-12-21 22:38:32 +01:00
Ben Grande
a820751ba3 refactor: git Qrexec helper with drop-in commands
Drop-in scripts can complement the remote-helper ability.
Basic trace of the communication of git with the helper.
2023-12-21 15:38:16 +01:00
Ben Grande
a27493c5d9 fix: update dotfiles module 2023-12-21 15:09:52 +01:00
Ben Grande
ff34a8a1c3 fix: add missing appmenus sync 2023-12-21 00:10:03 +01:00
Ben Grande
a3ebfed693 fix: whonix top missing template update 2023-12-20 21:28:36 +01:00
Ben Grande
015019aa5d fix: ssh top files missing list type matcher 2023-12-20 21:27:42 +01:00
Ben Grande
89e03956b1 fix: remove repeated pkg in mutt 2023-12-20 21:26:33 +01:00
Ben Grande
dbaa386269 chore: inline dev install documentation 2023-12-20 21:26:13 +01:00
Ben Grande
80aeb3644f fix: sync reader appmenus 2023-12-20 21:24:43 +01:00
Ben Grande
c2f25844da feat: provide development environment for dom0 2023-12-20 17:17:05 +01:00
Ben Grande
38d98ecb0d fix: nft shebang and table names 2023-12-20 16:49:58 +01:00
Ben Grande
d3ae662c00 fix: cacher client installation indentation 2023-12-20 16:47:35 +01:00
Ben Grande
a78b90e8bd fix: better output for cacher tag assignment 2023-12-20 11:43:54 +01:00
Ben Grande
71d22c54b6 refactor: reorder states to avoid race condition 2023-12-19 23:06:37 +01:00
Ben Grande
b4d142b640 refactor: move appended states to drop-in rc.local 2023-12-19 22:50:59 +01:00
Ben Grande
0751aff4b5 refactor: organize pihole directory structure 2023-12-19 21:55:45 +01:00
Ben Grande
e670d026d4 fix: skip client setup on cacher initialization
Installing sys-cacher does not require that all templates change.
2023-12-19 21:12:07 +01:00
Ben Grande
b4b7f27492 fix: qubes-update superseded by qubes-vm-update 2023-12-19 14:44:33 +01:00
Ben Grande
bcc8165620 fix: salt syntax with missing characters 2023-12-19 13:02:04 +01:00
Ben Grande
fcfb2e236c fix: whonix naming without abbreviations 2023-12-19 13:00:57 +01:00
Ben Grande
b0626bd15b fix: template name must specify version 2023-12-19 12:59:52 +01:00
Ben Grande
bcb65a2f1a feat: usb client 2023-12-18 15:31:27 +00:00
Ben Grande
f16bfdd28b feat: fetcher 2023-12-18 15:31:19 +00:00
Ben Grande
9fc2c03a2c doc: top method must not skip dom0 2023-12-18 15:25:55 +00:00
Ben Grande
20115a2207 fix: udpate dotfiles module 2023-11-21 23:56:52 +00:00
Ben Grande
ec2dab3bf5 fix: stop modifying distribution package files
Avoids breaking package updates.
2023-11-21 23:55:16 +00:00
Ben Grande
10b3bcdf41 fix: unstrusted input marking and sanitization 2023-11-21 14:57:47 +00:00
Ben Grande
5e3c790111 fix: mode ansible linter to correct project 2023-11-20 19:25:52 +00:00
Ben Grande
83c17c4ff4 fix: update dotfiles module 2023-11-20 12:23:48 +00:00
Ben Grande
2702768127 fix: add required package to sync clockvm time 2023-11-20 12:21:37 +00:00
Ben Grande
41c54186c6 fix: cacher shuting down on long running updates 2023-11-14 07:13:54 +00:00
Ben Grande
963e72c7ed chore: Fix unman copyright contact 2023-11-13 18:18:06 +00:00
Ben Grande
5eebd789ed refactor: initial commit 2023-11-13 14:33:28 +00:00