Commit Graph

309 Commits

Author SHA1 Message Date
Ben Grande
10c0ea0cbf
chore: editorconfig check 2024-07-08 19:59:53 +02:00
Ben Grande
523bca2327
fix: conform files to editorconfig specification 2024-07-08 17:26:34 +02:00
Ben Grande
f60077f1a9
doc: spell check 2024-07-08 11:41:45 +02:00
Ben Grande
ab044c15b1
feat: bump Pi-Hole version
Many of the Pi-Hole releases of this year were made due to security
vulnerabilities. None of them are to concern to Qusal users.

- GHSA-jg6g-rrj6-xfg6: Requires authenticated user;
- GHSA-95g6-7q26-mp9x: Requires authenticated user; and
- GHSA-3597-244c-wrpj: Requires shell in the same qube running Pi-Hole.

The admin interface is only allowed through localhost, therefore only
sys-pihole and sys-pihole-browser qubes have access to it, blocked by
firewall (nftables) and HTTP server (lighttpd). Qubes with access to the
admin interface are not of a concern, we assume that every qube that has
access to the admin interface is trusted, therefore, only if a qube
doesn't have access to the admin interface and can gain access, it
becomes a concern, which hasn't happened.
2024-07-07 15:26:52 +02:00
Ben Grande
a2fff01867
fix: remove unimplemented policy creation
Fixes: https://github.com/ben-grande/qusal/issues/91
2024-07-07 15:19:20 +02:00
Ben Grande
8604887c66
feat: unify cacher tag list to a single script 2024-07-06 22:30:36 +02:00
Ben Grande
b918478aa3
doc: interactive Tailscale login command 2024-07-05 17:00:00 +02:00
Ben Grande
eed904c7f2
feat: add Tailscale formula
Fixes: https://github.com/ben-grande/qusal/issues/42
2024-07-05 16:35:32 +02:00
Ben Grande
1425cdaf1c
fix: cache Mullvad packages 2024-07-05 16:31:24 +02:00
Ben Grande
a9ca2f02cd
doc: inform how to use USB audio in disp-sys-audio 2024-07-05 14:19:40 +02:00
Ben Grande
d457302fc3
feat: lint python files 2024-07-05 12:24:24 +02:00
Ben Grande
80482bfec7
fix: use systemd-resolved DNS on boot
In case user configured Wireguard but there are no clients connected,
network hooks are never run and no domains can be resolved from the
sys-wireguard qube itself, therefore using Qrexec services to resolve
DNS in sys-wireguard hooks doesn't work and depended on connected
clients.

If Wireguard systemd service wasn't run, the nameserver will be empty
and that is not a problem.

In case user hasn't configured the Wireguard configuration correctly,
drop all connections.
2024-07-05 12:02:40 +02:00
Ben Grande
14b389655b
feat: use ip interface group for faster evaluation 2024-07-05 12:00:22 +02:00
Ben Grande
34d2943556
fix: correct markdown lint package name
Fixes: https://github.com/ben-grande/qusal/issues/90
2024-07-05 09:41:41 +02:00
Ben Grande
383c840f2f
doc: lint markdown files
Only way to have a unified markdown syntax is to enforce the wanted
syntax by linting the files. Don't rely on the many markdown syntaxes,
be consistent.
2024-07-04 17:27:31 +02:00
Ben Grande
88d9ba525c
fix: update dotfiles module 2024-07-04 11:26:31 +02:00
Ben Grande
91cf478908
fix: use mirrors metalink as a submodule 2024-07-04 11:24:21 +02:00
Ben Grande
06af125458
feat: clean dev installation
- git-send-email was implemented for a future RPC service for SMTP that
  was never created and can have some risks. As dev has no networking by
  default and the service was never created, removing it;
- git and gnupg already present in the included states;
- remove commented code; and
- move separate salt state to default installation as it only contains a
  single package that is not troublesome.
2024-07-02 12:20:47 +02:00
Ben Grande
9320c3fcf3
feat: disable OBEX Bluetooth file transfer method
No documentation as there is no intention to ever have file transfer
support in the AudioVM.
2024-07-02 10:10:50 +02:00
Ben Grande
422ec06071
fix: sync Qrexec audio policies 2024-07-02 09:33:28 +02:00
c0mmando
41c2100f0d
fix: remove typo in mullvad-browser install state
Fixes: https://github.com/ben-grande/qusal/pull/85
Signed-off-by: Ben Grande <ben.grande.b@gmail.com>
2024-07-01 10:55:23 +02:00
Ben Grande
140b96b785
fix: remove expired GitHub web-flow signing key 2024-07-01 09:14:53 +02:00
Ben Grande
54b07fb05e
doc: example to enable split-gpg2-client service
For: https://github.com/ben-grande/qusal/issues/83
2024-06-30 11:34:26 +02:00
Ben Grande
09bd216d79
fix: fold character that is not special for Jinja
Fixes: https://github.com/ben-grande/qusal/issues/82
2024-06-30 11:01:34 +02:00
Ben Grande
f903c0e3df
feat: get GUI user with salt modules 2024-06-28 19:28:49 +02:00
Ben Grande
077b21d3a4
feat: support browser installation on Fedora 2024-06-28 14:12:17 +02:00
Ben Grande
72068e8e9d
fix: add Mullvad Browser 2024-06-28 12:24:29 +02:00
Ben Grande
59fc487682
fix: bind wireguard configuration directory 2024-06-28 10:39:44 +02:00
Ben Grande
eb3a8ab324
feat: install Qusal TCP Proxy on updatevm's origin
Document qusal.ConnectTCP in dev's Access Control as it defaults to deny
and causes confusion to users why it doesn't work by default.  This is
an exception of the rule that a formula cannot document the RPC service
of another formula to avoid duplication.
2024-06-26 12:24:56 +02:00
Ben Grande
c2fc4b524a
feat: show origin template features of any class
For: https://github.com/ben-grande/qusal/issues/69
2024-06-26 10:10:27 +02:00
Ben Grande
4a72a48388
feat: deploy Qusal Builder configuration
For: https://github.com/ben-grande/qusal/issues/59
2024-06-26 00:18:44 +02:00
Ben Grande
d31699952c
doc: add browser isolation feature to design guide 2024-06-25 23:17:22 +02:00
Ben Grande
9c280689d8
refactor: prefer systemd sockets over socat
- Document preferred method for socket use depending on use case;
- Fix Github web-flow key;
- Standardize naming of services;
- Use sys-ssh in ansible formula;
- Start services conditionally with Qubes Service and evaluated by
  systemd ConditionPathExists= instead of installing on a per qube basis
  with rc.local scripts;
- Change Qusal services to "qusal-" prefix instead of "qubes-" prefix.

Fixes: https://github.com/ben-grande/qusal/issues/80
Fixes: https://github.com/ben-grande/qusal/issues/79
2024-06-25 22:16:26 +02:00
Ben Grande
3880a35cfa
fix: ansible references legacy zsh state
Fixes: https://github.com/ben-grande/qusal/issues/78
2024-06-25 09:17:16 +02:00
Ben Grande
4facf458b7
feat: use native TCP socket with Qrexec 2024-06-25 01:28:53 +02:00
Ben Grande
22e2a2e82c
chore: add copyright to systemd services 2024-06-24 17:44:35 +02:00
Ben Grande
d0ed3a8b82
fix: repository dir uses debug directory
Fixes: https://github.com/ben-grande/qusal/issues/76
2024-06-24 16:57:08 +02:00
Ben Grande
c7fb371189
fix: reference Salt dependency installation state
For: https://github.com/ben-grande/qusal/pull/75
2024-06-24 16:37:39 +02:00
Ben Grande
beaf07dde0
fix: include shell profile sourcer
Fixes: https://github.com/ben-grande/qusal/issues/73
2024-06-24 16:32:58 +02:00
Ben Grande
ab1438f4b5
fix: change Launchpad repository to HTTPS domain
Fixes: https://github.com/ben-grande/qusal/issues/72
2024-06-24 14:32:34 +02:00
Ben Grande
1bec52badc
fix: install correct repository for signal 2024-06-24 11:42:44 +02:00
Ben Grande
e9801c8535
feat: helper to show mgmt property information
For: https://github.com/ben-grande/qusal/issues/69
2024-06-24 11:14:31 +02:00
Ben Grande
620fa10a69
fix: shutdown template before install state
Template was not set to shutdown after patch to avoid double the amount
of startups at shutdown required due to the salt patch that a package
needs to be installed during the "create" state. Proven to cause
problems in case a qube based on the same template requires a package
that is installed during the "install" state. Other fedora-minimal
templates "mgmt" and "sys-pgp" are unaffected.

Fixes: https://github.com/ben-grande/qusal/issues/70
2024-06-24 08:38:56 +02:00
Ben Grande
15711c912f
fix: do not change kicksecure kernel by default
Fixes: https://github.com/ben-grande/qusal/issues/71
2024-06-24 08:34:28 +02:00
Ben Grande
e2791139ee
fix: build RPM contained in spec definitions
The spec-build.sh was necessary for a proper build, but it is not
correct to depend on external scripts to generate the correct
RPM_BUILD_ROOT files. Now everything is contained in the spec file. The
spec-build.sh can be used in the future to automate the process of
copying sources to the specified directory and signing, but not
modifying the sources contents on a per file basis.

For: https://github.com/ben-grande/qusal/issues/59
2024-06-24 08:24:48 +02:00
Ben Grande
f5528fec2e
fix: remove duplicated updates proxy feature
It should be disabled and is already present in the disabled section.

Fixes: https://github.com/ben-grande/qusal/issues/66
2024-06-22 12:48:46 +02:00
Ben Grande
a6194e0364
fix: remove cacher tag from Kicksecure template
Running apt-cacher-ng-repo is during update is unnecessary, the
install-repo macro already does it and the systemd service is run on
boot before Qrexec Agent starts.

Fixes: https://github.com/ben-grande/qusal/issues/66
2024-06-22 12:14:36 +02:00
Ben Grande
4276358a7e
feat: add development goodies to Qubes Builder 2024-06-22 10:31:02 +02:00
Ben Grande
7df3be4b78
fix: install caching client before common update
Cacher client installation state included in the common update state as
all qubes that updates with Qusal states use it, rather than including
it on all the installation states. The macro utils.macros.install-repo
still also run's apt-cacher-ng-repo in case the user is not updating at
that moment, just adding a new repository without restarting the qube
(systemd service has already ran).

Fixes: https://github.com/ben-grande/qusal/issues/66
2024-06-22 10:21:40 +02:00
Ben Grande
bd5c6353ec
fix: remove single quotes from Jinja regex
Unnecessary in this instance and salt trips with claiming to have found
"unknown escape character".

Fixes: https://github.com/ben-grande/qusal/issues/65
2024-06-21 19:59:01 +02:00