Commit Graph

37 Commits

Author SHA1 Message Date
Ben Grande
56a4296421
fix: skip YUM weak dependencies installation
Fixes: https://github.com/ben-grande/qusal/issues/96
2024-08-16 14:03:58 +02:00
Ben Grande
bdd4c789c1
fix: avoid echo usage
Echo can interpret operand as an option and checking every variable to
be echoed is troublesome while with printf, if the format specifier is
present before the operand, printing as string can be enforced.
2024-08-06 18:15:24 +02:00
Ben Grande
1b2f1ba941
fix: avoid operand evaluation as argument
Explicit end option parsing as the shell can be quite dangerous without
it.
2024-08-06 17:13:25 +02:00
Ben Grande
224312ed42
feat: enable all optional shellcheck validations
Make shell a little bit safer with:

- add-default-case
- check-extra-masked-returns
- check-set-e-suppressed
- quote-safe-variables
- check-unassigned-uppercase

Although there are some stylistic decisions for uniformity:

- avoid-nullary-conditions
- deprecated-which
- require-variable-braces
2024-07-10 14:36:05 +02:00
Ben Grande
ab044c15b1
feat: bump Pi-Hole version
Many of the Pi-Hole releases of this year were made due to security
vulnerabilities. None of them are to concern to Qusal users.

- GHSA-jg6g-rrj6-xfg6: Requires authenticated user;
- GHSA-95g6-7q26-mp9x: Requires authenticated user; and
- GHSA-3597-244c-wrpj: Requires shell in the same qube running Pi-Hole.

The admin interface is only allowed through localhost, therefore only
sys-pihole and sys-pihole-browser qubes have access to it, blocked by
firewall (nftables) and HTTP server (lighttpd). Qubes with access to the
admin interface are not of a concern, we assume that every qube that has
access to the admin interface is trusted, therefore, only if a qube
doesn't have access to the admin interface and can gain access, it
becomes a concern, which hasn't happened.
2024-07-07 15:26:52 +02:00
Ben Grande
14b389655b
feat: use ip interface group for faster evaluation 2024-07-05 12:00:22 +02:00
Ben Grande
383c840f2f
doc: lint markdown files
Only way to have a unified markdown syntax is to enforce the wanted
syntax by linting the files. Don't rely on the many markdown syntaxes,
be consistent.
2024-07-04 17:27:31 +02:00
Ben Grande
140b96b785
fix: remove expired GitHub web-flow signing key 2024-07-01 09:14:53 +02:00
Ben Grande
d31699952c
doc: add browser isolation feature to design guide 2024-06-25 23:17:22 +02:00
Ben Grande
9c280689d8
refactor: prefer systemd sockets over socat
- Document preferred method for socket use depending on use case;
- Fix Github web-flow key;
- Standardize naming of services;
- Use sys-ssh in ansible formula;
- Start services conditionally with Qubes Service and evaluated by
  systemd ConditionPathExists= instead of installing on a per qube basis
  with rc.local scripts;
- Change Qusal services to "qusal-" prefix instead of "qubes-" prefix.

Fixes: https://github.com/ben-grande/qusal/issues/80
Fixes: https://github.com/ben-grande/qusal/issues/79
2024-06-25 22:16:26 +02:00
Ben Grande
f5528fec2e
fix: remove duplicated updates proxy feature
It should be disabled and is already present in the disabled section.

Fixes: https://github.com/ben-grande/qusal/issues/66
2024-06-22 12:48:46 +02:00
Ben Grande
c84dfea48e
fix: generate RPM Specs for Qubes Builder V2
It doesn't checkout the current directory when querying the spec, so we
provide the already modified version of the spec.
2024-06-21 17:00:06 +02:00
Ben Grande
a564b3a703
feat: add TCP proxy for remote hosts
Ideally, it would be a Qrexec socket service, but it doesn't handle DNS,
only accepting IPs. The dev qube is now non-networked and network,
especially to remote git repositories can be acquired via the proxy that
is going to be installed in every netvm.
2024-06-13 18:01:08 +02:00
Ben Grande
d2771d5dd6
fix: guarantee states order dependent on browser 2024-06-09 12:50:53 +02:00
Ben Grande
44ea4c5db2
feat: add manual page reader
Ability to read the program's manual from the terminal is much better
than to ask the user to search the manual page on the internet, we
already trust the installed program and documentation, but we should not
trust every manual page on the internet.
2024-05-28 11:00:04 +02:00
Ben Grande
d1485990e4
doc: nested list indentation 2024-05-14 18:43:07 +02:00
Ben Grande
72f61bbbd9
fix: install fwupd qubes plugin to updatevm 2024-05-11 03:31:49 +02:00
Ben Grande
a8e918829d
feat: bump Pi-Hole and Bitcoin version 2024-04-12 18:13:55 +02:00
Ben Grande
f9ead06408 fix: remove extraneous package repository updates
Updates happens multiple times, normally 2 to 3, even if we consider a
state without includes. On states with multiple includes, it could
easily get approximately 10 updates being ran. This behavior leads to
unnecessary network bandwidth being spent and more time to run the
installation state. When the connection is slow and not using the
cacher, such as torified connections on Whonix, the installation can
occurs much faster.

Adding external repositories has to be done prior to update to ensure it
is also fetched.

Fixes: https://github.com/ben-grande/qusal/issues/29
2024-03-18 17:51:36 +01:00
Ben Grande
7c3d6ac7c0 fix: remove cacher proxy from updatevm
Git revision is specified in the git module to Salt not fail trying to
verify it is in HEAD when it is in a tag from a previous installation.

Fixes: https://github.com/ben-grande/qusal/issues/27
2024-03-14 16:53:23 +01:00
Ben Grande
5605ec7885 doc: prefix qubesctl with sudo
Fixes: https://github.com/ben-grande/qusal/issues/20
2024-02-23 16:55:11 +01:00
Ben Grande
6efcc1da77 chore: copyright update 2024-01-29 16:49:54 +01:00
Ben Grande
422b01e0f6 feat: remove audiovm setting when unnecessary
Decrease audio attack surface to qubes that will never need to use it.
2024-01-20 19:34:39 +01:00
Ben Grande
567e36d276 fix: prefer qvm-features for uniformity 2024-01-09 18:48:29 +01:00
Ben Grande
762f8be485 fix: make sys-pihole fully replace sys-firewall 2024-01-05 20:28:27 +01:00
Ben Grande
705808d8b6 feat: allow sys-pihole to use pi-hole for queries 2024-01-05 17:45:04 +01:00
Ben Grande
692659e22d feat: passwordless pihole admin interface
- Passwordless as it doesn't compromise security;
- Firewall blocks access to the interface in case the pihole is exposed
  to the internet;
- setupVars.conf needs to be 644 for non root commands to the pihole
  script to work, so the WEB_PASSWORD can be read as normal user,
  restricting root on pihole does not make sense, as it can modify the
  network setting via pihole web interface.
2024-01-05 16:32:42 +01:00
Ben Grande
6bb426a057 refactor: import armored gpg keys instead of db 2024-01-03 21:40:05 +01:00
Ben Grande
6a551eba67 refactor: pihole nft rules for Qubes 4.2 2023-12-26 19:50:31 +01:00
Ben Grande
224d2d5f69 fix: pihole lighttpd link 2023-12-24 21:23:29 +01:00
Ben Grande
6fc173d78d feat: clockvm also present in sys-pihole 2023-12-23 21:05:24 +01:00
Ben Grande
38d98ecb0d fix: nft shebang and table names 2023-12-20 16:49:58 +01:00
Ben Grande
71d22c54b6 refactor: reorder states to avoid race condition 2023-12-19 23:06:37 +01:00
Ben Grande
b4d142b640 refactor: move appended states to drop-in rc.local 2023-12-19 22:50:59 +01:00
Ben Grande
0751aff4b5 refactor: organize pihole directory structure 2023-12-19 21:55:45 +01:00
Ben Grande
963e72c7ed chore: Fix unman copyright contact 2023-11-13 18:18:06 +00:00
Ben Grande
5eebd789ed refactor: initial commit 2023-11-13 14:33:28 +00:00