Many of the Pi-Hole releases of this year were made due to security
vulnerabilities. None of them are of concern to Qusal users.
- GHSA-jg6g-rrj6-xfg6: Requires authenticated user;
- GHSA-95g6-7q26-mp9x: Requires authenticated user; and
- GHSA-3597-244c-wrpj: Requires shell in the same qube running Pi-Hole.
The admin interface is only allowed through localhost, therefore only the
sys-pihole and sys-pihole-browser qubes have access to it, with everything
else blocked by the firewall (nftables) and the HTTP server (lighttpd).
Qubes with access to the admin interface are not a concern; we assume that
every qube that has access to the admin interface is trusted. Therefore,
it only becomes a concern if a qube that doesn't have access to the admin
interface can gain access, which hasn't happened.
In case the user configured Wireguard but there are no clients connected,
network hooks are never run and no domains can be resolved from the
sys-wireguard qube itself; therefore using Qrexec services to resolve
DNS in sys-wireguard hooks doesn't work and depends on connected
clients.
If the Wireguard systemd service wasn't run, the nameserver will be empty
and that is not a problem.
In case the user hasn't configured the Wireguard configuration correctly,
drop all connections.
The only way to have a unified markdown syntax is to enforce the wanted
syntax by linting the files. Don't rely on the many markdown syntaxes;
be consistent.
- git-send-email was implemented for a future RPC service for SMTP that
was never created and can have some risks. As dev has no networking by
default and the service was never created, removing it;
- git and gnupg are already present in the included states;
- remove commented code; and
- move the separate salt state to the default installation as it only
contains a single package that is not troublesome.
Document qusal.ConnectTCP in dev's Access Control as it defaults to deny
and confuses users as to why it doesn't work by default. This is an
exception to the rule that a formula cannot document the RPC service of
another formula, to avoid duplication.
- Document preferred method for socket use depending on use case;
- Fix GitHub web-flow key;
- Standardize naming of services;
- Use sys-ssh in ansible formula;
- Start services conditionally with Qubes Service and evaluated by
systemd ConditionPathExists= instead of installing on a per qube basis
with rc.local scripts;
- Change Qusal services to "qusal-" prefix instead of "qubes-" prefix.
Fixes: https://github.com/ben-grande/qusal/issues/80
Fixes: https://github.com/ben-grande/qusal/issues/79
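As an added illustration of the conditional-start pattern described above (not code from the qusal repository), a systemd drop-in gates a unit on a Qubes Service flag file; the unit name example-daemon.service and the service name qusal-example are hypothetical.

```ini
# Hypothetical drop-in: /etc/systemd/system/example-daemon.service.d/30_qusal.conf
# The unit stays installed and enabled in the template for every qube based
# on it, but systemd only starts it where the flag file exists. Qubes creates
# /var/run/qubes-service/<name> at boot for each Qubes Service enabled on
# that qube, so no per-qube rc.local script is needed.
[Unit]
ConditionPathExists=/var/run/qubes-service/qusal-example

# Turn the service on for one qube from dom0 (takes effect at its next boot):
#   qvm-service --enable <qube-name> qusal-example
# Where the flag is absent, systemd skips the unit (journal: "Condition
# check resulted in ... being skipped") rather than failing it.
```

Check the result inside the qube with `systemctl status example-daemon.service`; a skipped condition shows as inactive (dead) with the condition message, not as a failed unit.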
The template was not set to shut down after the patch, to avoid doubling
the amount of startups at shutdown required due to the salt patch that a
package needs to be installed during the "create" state. This was proven
to cause problems in case a qube based on the same template requires a
package that is installed during the "install" state. Other fedora-minimal
templates "mgmt" and "sys-pgp" are unaffected.
Fixes: https://github.com/ben-grande/qusal/issues/70
The spec-build.sh was necessary for a proper build, but it is not
correct to depend on external scripts to generate the correct
RPM_BUILD_ROOT files. Now everything is contained in the spec file. The
spec-build.sh can be used in the future to automate the process of
copying sources to the specified directory and signing, but not for
modifying the sources' contents on a per-file basis.
For: https://github.com/ben-grande/qusal/issues/59
Running apt-cacher-ng-repo during update is unnecessary; the
install-repo macro already does it and the systemd service is run on
boot before the Qrexec Agent starts.
Fixes: https://github.com/ben-grande/qusal/issues/66
The cacher client installation state is included in the common update
state, as all qubes that update with Qusal states use it, rather than
including it in all the installation states. The macro
utils.macros.install-repo still also runs apt-cacher-ng-repo in case the
user is not updating at that moment, just adding a new repository without
restarting the qube (the systemd service has already run).
Fixes: https://github.com/ben-grande/qusal/issues/66