Commit Graph

17 Commits

Author SHA1 Message Date
Ben Grande
56a4296421
fix: skip YUM weak dependencies installation
Fixes: https://github.com/ben-grande/qusal/issues/96
2024-08-16 14:03:58 +02:00
Ben Grande
ab044c15b1
feat: bump Pi-Hole version
Many of the Pi-Hole releases of this year were made due to security
vulnerabilities. None of them are to concern to Qusal users.

- GHSA-jg6g-rrj6-xfg6: Requires authenticated user;
- GHSA-95g6-7q26-mp9x: Requires authenticated user; and
- GHSA-3597-244c-wrpj: Requires shell in the same qube running Pi-Hole.

The admin interface is only allowed through localhost, therefore only
sys-pihole and sys-pihole-browser qubes have access to it, blocked by
firewall (nftables) and HTTP server (lighttpd). Qubes with access to the
admin interface are not of a concern, we assume that every qube that has
access to the admin interface is trusted, therefore, only if a qube
doesn't have access to the admin interface and can gain access, it
becomes a concern, which hasn't happened.
2024-07-07 15:26:52 +02:00
Ben Grande
a564b3a703
feat: add TCP proxy for remote hosts
Ideally, it would be a Qrexec socket service, but it doesn't handle DNS,
only accepting IPs. The dev qube is now non-networked and network,
especially to remote git repositories can be acquired via the proxy that
is going to be installed in every netvm.
2024-06-13 18:01:08 +02:00
Ben Grande
44ea4c5db2
feat: add manual page reader
Ability to read the program's manual from the terminal is much better
than to ask the user to search the manual page on the internet, we
already trust the installed program and documentation, but we should not
trust every manual page on the internet.
2024-05-28 11:00:04 +02:00
Ben Grande
72f61bbbd9
fix: install fwupd qubes plugin to updatevm 2024-05-11 03:31:49 +02:00
Ben Grande
a8e918829d
feat: bump Pi-Hole and Bitcoin version 2024-04-12 18:13:55 +02:00
Ben Grande
f9ead06408 fix: remove extraneous package repository updates
Updates happens multiple times, normally 2 to 3, even if we consider a
state without includes. On states with multiple includes, it could
easily get approximately 10 updates being ran. This behavior leads to
unnecessary network bandwidth being spent and more time to run the
installation state. When the connection is slow and not using the
cacher, such as torified connections on Whonix, the installation can
occurs much faster.

Adding external repositories has to be done prior to update to ensure it
is also fetched.

Fixes: https://github.com/ben-grande/qusal/issues/29
2024-03-18 17:51:36 +01:00
Ben Grande
7c3d6ac7c0 fix: remove cacher proxy from updatevm
Git revision is specified in the git module to Salt not fail trying to
verify it is in HEAD when it is in a tag from a previous installation.

Fixes: https://github.com/ben-grande/qusal/issues/27
2024-03-14 16:53:23 +01:00
Ben Grande
6efcc1da77 chore: copyright update 2024-01-29 16:49:54 +01:00
Ben Grande
692659e22d feat: passwordless pihole admin interface
- Passwordless as it doesn't compromise security;
- Firewall blocks access to the interface in case the pihole is exposed
  to the internet;
- setupVars.conf needs to be 644 for non root commands to the pihole
  script to work, so the WEB_PASSWORD can be read as normal user,
  restricting root on pihole does not make sense, as it can modify the
  network setting via pihole web interface.
2024-01-05 16:32:42 +01:00
Ben Grande
6bb426a057 refactor: import armored gpg keys instead of db 2024-01-03 21:40:05 +01:00
Ben Grande
6a551eba67 refactor: pihole nft rules for Qubes 4.2 2023-12-26 19:50:31 +01:00
Ben Grande
224d2d5f69 fix: pihole lighttpd link 2023-12-24 21:23:29 +01:00
Ben Grande
6fc173d78d feat: clockvm also present in sys-pihole 2023-12-23 21:05:24 +01:00
Ben Grande
0751aff4b5 refactor: organize pihole directory structure 2023-12-19 21:55:45 +01:00
Ben Grande
963e72c7ed chore: Fix unman copyright contact 2023-11-13 18:18:06 +00:00
Ben Grande
5eebd789ed refactor: initial commit 2023-11-13 14:33:28 +00:00