Commit Graph

339 Commits

Author SHA1 Message Date
c0mmando
41c2100f0d
fix: remove typo in mullvad-browser install state
Fixes: https://github.com/ben-grande/qusal/pull/85
Signed-off-by: Ben Grande <ben.grande.b@gmail.com>
2024-07-01 10:55:23 +02:00
Ben Grande
140b96b785
fix: remove expired GitHub web-flow signing key 2024-07-01 09:14:53 +02:00
Ben Grande
54b07fb05e
doc: example to enable split-gpg2-client service
For: https://github.com/ben-grande/qusal/issues/83
2024-06-30 11:34:26 +02:00
Ben Grande
09bd216d79
fix: fold character that is not special for Jinja
Fixes: https://github.com/ben-grande/qusal/issues/82
2024-06-30 11:01:34 +02:00
Ben Grande
f903c0e3df
feat: get GUI user with salt modules 2024-06-28 19:28:49 +02:00
Ben Grande
077b21d3a4
feat: support browser installation on Fedora 2024-06-28 14:12:17 +02:00
Ben Grande
72068e8e9d
fix: add Mullvad Browser 2024-06-28 12:24:29 +02:00
Ben Grande
59fc487682
fix: bind wireguard configuration directory 2024-06-28 10:39:44 +02:00
Ben Grande
eb3a8ab324
feat: install Qusal TCP Proxy on updatevm's origin
Document qusal.ConnectTCP in dev's Access Control as it defaults to deny
and causes confusion among users about why it doesn't work by default.  This is
an exception to the rule that a formula cannot document the RPC service
of another formula to avoid duplication.
2024-06-26 12:24:56 +02:00
Ben Grande
c2fc4b524a
feat: show origin template features of any class
For: https://github.com/ben-grande/qusal/issues/69
2024-06-26 10:10:27 +02:00
Ben Grande
4a72a48388
feat: deploy Qusal Builder configuration
For: https://github.com/ben-grande/qusal/issues/59
2024-06-26 00:18:44 +02:00
Ben Grande
d31699952c
doc: add browser isolation feature to design guide 2024-06-25 23:17:22 +02:00
Ben Grande
9c280689d8
refactor: prefer systemd sockets over socat
- Document preferred method for socket use depending on use case;
- Fix GitHub web-flow key;
- Standardize naming of services;
- Use sys-ssh in ansible formula;
- Start services conditionally with Qubes Service and evaluated by
  systemd ConditionPathExists= instead of installing on a per qube basis
  with rc.local scripts;
- Change Qusal services to "qusal-" prefix instead of "qubes-" prefix.

Fixes: https://github.com/ben-grande/qusal/issues/80
Fixes: https://github.com/ben-grande/qusal/issues/79
2024-06-25 22:16:26 +02:00
Ben Grande
3880a35cfa
fix: ansible references legacy zsh state
Fixes: https://github.com/ben-grande/qusal/issues/78
2024-06-25 09:17:16 +02:00
Ben Grande
4facf458b7
feat: use native TCP socket with Qrexec 2024-06-25 01:28:53 +02:00
Ben Grande
22e2a2e82c
chore: add copyright to systemd services 2024-06-24 17:44:35 +02:00
Ben Grande
d0ed3a8b82
fix: repository dir uses debug directory
Fixes: https://github.com/ben-grande/qusal/issues/76
2024-06-24 16:57:08 +02:00
Ben Grande
c7fb371189
fix: reference Salt dependency installation state
For: https://github.com/ben-grande/qusal/pull/75
2024-06-24 16:37:39 +02:00
Ben Grande
beaf07dde0
fix: include shell profile sourcer
Fixes: https://github.com/ben-grande/qusal/issues/73
2024-06-24 16:32:58 +02:00
Ben Grande
ab1438f4b5
fix: change Launchpad repository to HTTPS domain
Fixes: https://github.com/ben-grande/qusal/issues/72
2024-06-24 14:32:34 +02:00
Ben Grande
1bec52badc
fix: install correct repository for signal 2024-06-24 11:42:44 +02:00
Ben Grande
e9801c8535
feat: helper to show mgmt property information
For: https://github.com/ben-grande/qusal/issues/69
2024-06-24 11:14:31 +02:00
Ben Grande
620fa10a69
fix: shutdown template before install state
The template was not set to shut down after the patch, to avoid doubling the
amount of startups at shutdown required due to the salt patch requiring that
a package be installed during the "create" state. Proven to cause
problems in case a qube based on the same template requires a package
that is installed during the "install" state. Other fedora-minimal
templates "mgmt" and "sys-pgp" are unaffected.

Fixes: https://github.com/ben-grande/qusal/issues/70
2024-06-24 08:38:56 +02:00
Ben Grande
15711c912f
fix: do not change kicksecure kernel by default
Fixes: https://github.com/ben-grande/qusal/issues/71
2024-06-24 08:34:28 +02:00
Ben Grande
e2791139ee
fix: build RPM contained in spec definitions
The spec-build.sh was necessary for a proper build, but it is not
correct to depend on external scripts to generate the correct
RPM_BUILD_ROOT files. Now everything is contained in the spec file. The
spec-build.sh can be used in the future to automate the process of
copying sources to the specified directory and signing, but not for
modifying the sources' contents on a per-file basis.

For: https://github.com/ben-grande/qusal/issues/59
2024-06-24 08:24:48 +02:00
Ben Grande
f5528fec2e
fix: remove duplicated updates proxy feature
It should be disabled and is already present in the disabled section.

Fixes: https://github.com/ben-grande/qusal/issues/66
2024-06-22 12:48:46 +02:00
Ben Grande
a6194e0364
fix: remove cacher tag from Kicksecure template
Running apt-cacher-ng-repo during update is unnecessary; the
install-repo macro already does it and the systemd service is run on
boot before the Qrexec Agent starts.

Fixes: https://github.com/ben-grande/qusal/issues/66
2024-06-22 12:14:36 +02:00
Ben Grande
4276358a7e
feat: add development goodies to Qubes Builder 2024-06-22 10:31:02 +02:00
Ben Grande
7df3be4b78
fix: install caching client before common update
The cacher client installation state is included in the common update state,
as all qubes that update with Qusal states use it, rather than including
it in all the installation states. The macro utils.macros.install-repo
still also runs apt-cacher-ng-repo in case the user is not updating at
that moment, just adding a new repository without restarting the qube
(the systemd service has already run).

Fixes: https://github.com/ben-grande/qusal/issues/66
2024-06-22 10:21:40 +02:00
Ben Grande
bd5c6353ec
fix: remove single quotes from Jinja regex
Unnecessary in this instance, and salt trips over it, claiming to have found
"unknown escape character".

Fixes: https://github.com/ben-grande/qusal/issues/65
2024-06-21 19:59:01 +02:00
Ben Grande
c84dfea48e
fix: generate RPM Specs for Qubes Builder V2
It doesn't check out the current directory when querying the spec, so we
provide the already modified version of the spec.
2024-06-21 17:00:06 +02:00
Ben Grande
0e2bb5b40b
fix: update dotfiles module 2024-06-20 22:32:35 +02:00
Ben Grande
7ab3b938f8
fix: correct upstream repository owner
For: https://github.com/ben-grande/qusal/issues/59
2024-06-20 18:09:27 +02:00
Ben Grande
ab56b5f3c8
feat: allow print calls from qubes with tag
Fixes: https://github.com/ben-grande/qusal/issues/63
2024-06-20 10:40:58 +02:00
Ben Grande
97b2496891
fix: start service after Qubes Service setup 2024-06-19 18:08:20 +02:00
Ben Grande
f30bd20f54
fix: Print server without RPC service
- Install RPC service to template;
- Move qube configuration to template configuration;
- Start server after the Qubes Services are created;
- Qrexec policy asks for both app and disposable qube; and
- Rename systemd service to qusal prefix instead of qubes.
2024-06-19 15:40:20 +02:00
Ben Grande
bf0a4bc914
fix: terminate option parsing for qvm commands 2024-06-19 15:12:22 +02:00
Ben Grande
99fb13856c
fix: correct git repository name in policy 2024-06-19 15:12:08 +02:00
Ben Grande
6ec0768f13
fix: clean Wireguard rules
- Remove OpenVPN code comments;
- Reorganize rules for easier reading;
- Server can connect without having client attached;
- Systemd service for easier monitoring of wg-quick; and
- Firewall also restarts wg-quick and applies new endpoint rules.
2024-06-19 15:08:03 +02:00
Ben Grande
f86e30a6b6
fix: add simple-scan to printer appmenus 2024-06-19 08:45:02 +02:00
Ben Grande
49a295dae9
fix: printer formula with conflicting IDs 2024-06-19 08:38:56 +02:00
Ben Grande
8d5c1c9bb4
chore: typo in date command 2024-06-18 10:45:47 +02:00
Ben Grande
43e1e320b3
feat: bump Bitcoin version 2024-06-17 21:52:30 +02:00
Ben Grande
b5ae2219e0
fix: update dotfiles module 2024-06-17 21:46:33 +02:00
Ben Grande
534db9655c
doc: qusal proxy service requires configuration
Fixes: https://github.com/ben-grande/qusal/issues/61
2024-06-17 21:46:21 +02:00
Ben Grande
1a72665a40
feat: add split-gpg2 configuration
Users must migrate their keys from ~/.gnupg to the value of
isolated_gnupg_homedirs.
2024-06-17 14:31:51 +02:00
Ben Grande
59e8fc32a0
fix: GUI Global Config precedes packaged policies 2024-06-17 11:36:39 +02:00
Ben Grande
faa00fbffa
doc: update table of contents 2024-06-16 10:45:42 +02:00
Ben Grande
fcad8cb3e1
feat: update dotfiles module 2024-06-14 19:16:20 +02:00
Ben Grande
ba5b4813f2
fix: signature check breaks qubes-builder update
The state module git.latest does not allow setting environment variables
for us to set the correct GNUPGHOME. The module environ.set does not
work as we call git as the normal user and not as root, but it may still be
the problem of git.latest not respecting environment variables.

The problem with always pulling new commits is that it may conflict with
the current work the user has done on the repository locally. It will
also not work in case the last commit is not signed by a trusted key
deployed by the formula, in this case, you should add the key manually
to verify the commit.

Setting the gpg.program only for the required repositories solves the
aforementioned problem and also enhances usability by removing extra
commands that the user needs to learn and remember.

Fixes: https://github.com/ben-grande/qusal/issues/58
2024-06-14 19:11:16 +02:00
Ben Grande
afcb73085f
doc: document usage of qusal TCP proxy 2024-06-14 07:42:18 +02:00
Ben Grande
e1a15d8a7e
fix: pgp template is fedora based without salt fix 2024-06-14 07:36:41 +02:00
Ben Grande
3ece491564
fix: wrong video-companion package name for dom0 2024-06-14 07:35:22 +02:00
Ben Grande
a564b3a703
feat: add TCP proxy for remote hosts
Ideally, it would be a Qrexec socket service, but it doesn't handle DNS,
only accepting IPs. The dev qube is now non-networked, and network access,
especially to remote git repositories, can be acquired via the proxy that
is going to be installed in every netvm.
2024-06-13 18:01:08 +02:00
Ben Grande
7a70535553
fix: Fedora 40 only has wget2
The wget package can be downloaded from the command-line, but as Salt
does not follow DNF package redirects, the package is installed but the
state fails as Salt cannot find a package with the same name installed.
2024-06-13 14:01:35 +02:00
Ben Grande
e65b0bfde9
fix: feature check statement missing key 2024-06-13 14:01:04 +02:00
Ben Grande
75d992b041
fix: use Admin API for fast queries 2024-06-13 13:29:30 +02:00
Ben Grande
13c57939a7
fix: uninstall cacher client with tag in pillar
Targeting only qubes with the tag on the installation instructions is
still useful as it is faster than targeting all qubes.

Fixes: https://github.com/ben-grande/qusal/issues/41
2024-06-13 13:28:24 +02:00
Ben Grande
6e7774a27f
feat: bump Fedora version 2024-06-12 15:00:59 +02:00
Ben Grande
fc22726ee8
feat: build and sign RPM packages
Passing files to Dom0 is always dangerous:

- Passing a git repository is dangerous as it can have ignored modified
  files and signature verification will pass.
- Passing an archive is troublesome for updates.
- Passing an RPM package depends on the RPM verification being correct;
  sometimes it is not.
- Passing an RPM repository definition is less troublesome for the user,
  as it is a small file whose contents can be verified, and the update
  mechanism is via the package manager. Trust in RPM verification is still
  required.

Many improvements were made to the build scripts:

- requires-program: Single function to check if program is installed;
- spec-get: Sort project names for the usage message;
- spec-get: Only running commands that are necessary;
- spec-get: Fix empty summary when readme has copyright header;
- spec-gen: Fix grep warning of escaped symbol;
- spec-build: Sign RPM and verify signature;
- spec-build: Only lint the first SPEC for faster runtime;
- yumrepo-gen: Generate a local yum repository with signed metadata;
- qubesbuilder-gen: Generate a .qubesbuilder based on tracked projects;
- release: Build, sign and push all RPMs to repository.

The goal is to be able to build with qubes-builderv2 Qubes Executor.

For: https://github.com/ben-grande/qusal/issues/37
2024-06-12 14:44:04 +02:00
Ben Grande
10200f609e
fix: rpmmacros is unnecessary with split-gpg2 2024-06-12 11:32:43 +02:00
Ben Grande
ffe03ba02a
fix: set global prefs for management_dispvm 2024-06-10 19:39:08 +02:00
Ben Grande
c456af2718
fix: remove duplicated Fedora mirrors 2024-06-10 19:15:14 +02:00
Ben Grande
8ae815de71
fix: run repo rewriter after upstream proxy update
Rewriter depends on the check of qubes-services and must be run after
/usr/lib/qubes/init/misc-post.sh.
2024-06-10 19:02:07 +02:00
Ben Grande
b4de619197
fix: update Debian and Fedora mirrors 2024-06-10 13:57:18 +02:00
Ben Grande
2b181f854a
fix: merge Qubes OS repositories
Only deb and rpm were cached, and only if used from the Qubes website,
and made to individual directories. Now every package from every package
manager Qubes supports will be cached.

Update according to upstream.
2024-06-10 13:56:59 +02:00
Ben Grande
fcf7fe9623
fix: guarantee a fully updated system on bootstrap
If the user just installed Qubes, the full templates can have updates
available. If the user restored backups of templates and standalones, they
could also have updates available. Available updates can contain fixes
that, if not applied, can make the states fail, such as a buggy salt
package and Qrexec service that can make a state fail in case the
full outdated templates and standalones are responsible for the
functionality, especially of management_dispvm, updatevm, default_netvm
and the qubes.UpdatesProxy service.
2024-06-09 12:55:48 +02:00
Ben Grande
d2771d5dd6
fix: guarantee states order dependent on browser 2024-06-09 12:50:53 +02:00
Ben Grande
899f7e49b1
fix: add Fedora 40 Firefox desktop file to appmenu
Fixes: https://github.com/ben-grande/qusal/issues/52
2024-06-09 12:36:39 +02:00
Ben Grande
1003d62995
fix: KDE with outdated require id 2024-06-08 06:17:09 +02:00
Ben Grande
c7c85fbcb4
fix: more restrictive Qrexec audio policy 2024-06-07 16:51:43 +02:00
Ben Grande
efc3984df3
feat: allow terminal and file manager choice
The gnome-terminal can't start as root, related to dbus.
2024-06-07 15:27:44 +02:00
Ben Grande
bb384403ad
feat: revive caching of Fedora qubes
- Update with cacher upstream changes;
- Fix README command typos;
- Restore Fedora functionality;
- Update mirror list;
- Move repository definitions to separate files for readability; and
- Add Tailscale and Blackarch repository.
2024-06-07 15:01:16 +02:00
Ben Grande
29601d8df8
doc: refer to video-companion for sys-usb webcam 2024-06-04 19:59:45 +02:00
Ben Grande
8d9ad740a8
fix: correct man-db typo
Fixes: https://github.com/ben-grande/qusal/issues/56
2024-06-04 19:58:36 +02:00
Ben Grande
7873dd8673
fix: remove undesired appmenus from builder qubes 2024-06-04 13:54:48 +02:00
Ben Grande
6e8541672f
feat: add disposable qubes to bitcoin clients 2024-06-04 11:00:06 +02:00
Ben Grande
a4848e1932
fix: update dotfiles module 2024-06-04 10:59:32 +02:00
Ben Grande
34d5d36518
feat: add state for desktop i3 and AwesomeWM 2024-06-04 10:43:16 +02:00
Ben Grande
0c9b173e2c
feat: add Qubes Video Companion formula
Fixes: https://github.com/ben-grande/qusal/issues/49
2024-05-30 16:07:53 +02:00
Ben Grande
bb4dcbbe8f
fix: cacher: restrict install to supported clients
- Enforce uninstall in Fedora, it has been too problematic due to zchunk
  checksum mismatch errors;
- Skip tagging and installing on unsupported qubes; before, it tagged
  every template that did not have the tag 'whonix-updatevm', which is
  error-prone as it would fail the installation on unsupported clients
  such as Gentoo or Mirage.

Fixes: https://github.com/ben-grande/qusal/issues/54
2024-05-29 18:29:27 +02:00
Ben Grande
9cb7d72044
fix: cacher: use systemd service drop-in directory 2024-05-29 13:56:46 +02:00
Ben Grande
df698b499f
fix: bump Ansible repository codename 2024-05-29 11:35:37 +02:00
Ben Grande
8accc47d99
fix: remove old deb repository list format 2024-05-29 11:34:17 +02:00
Ben Grande
a2e1972389
fix: cache Mozilla and Element repository 2024-05-29 09:55:38 +02:00
Ben Grande
bc8213b8ce
fix: split-gpg2 fedora clashes with debian agent
Fixes: https://github.com/ben-grande/qusal/issues/53
2024-05-28 15:04:20 +02:00
Ben Grande
44ea4c5db2
feat: add manual page reader
The ability to read the program's manual from the terminal is much better
than asking the user to search for the manual page on the internet; we
already trust the installed program and documentation, but we should not
trust every manual page on the internet.
2024-05-28 11:00:04 +02:00
Ben Grande
26a35b838f
feat: add Element formula 2024-05-28 09:57:55 +02:00
Ben Grande
efcf8c7723
fix: unify screenshot tool existence logic
Fixes: https://github.com/ben-grande/qusal/issues/51
2024-05-24 23:30:43 +02:00
Ben Grande
444672e999
fix: prefer maim for screenshot
- Maim causes no errors and has region and window capabilities;
- Scrot region capture puts some weird borders when dragging the mouse;
- Spectacle allows editing but is too feature rich (complicated); and
- Xfce4-screenshooter does not allow selecting both region and window.

Fixes: https://github.com/ben-grande/qusal/issues/51
2024-05-24 22:56:32 +02:00
Ben Grande
b09ecdceb9
feat: add Print formula 2024-05-24 15:39:22 +02:00
Ben Grande
cbf61e674e
feat: add Firefox browser from Mozilla repository 2024-05-24 13:53:17 +02:00
Ben Grande
c8b9bb3198
feat: bump Electrs version 2024-05-23 12:05:12 +02:00
Ben Grande
b2c9479e50
fix: enforce https on repository installation
Previously it was just http, to allow for caching and non-caching of
packages. Currently, a client tool exists to rewrite repository
definitions.
2024-05-16 18:57:59 +02:00
Ben Grande
d4c3fb11d3
feat: add terraform and chrome fedora repositories 2024-05-16 18:24:03 +02:00
Ben Grande
3adc241500
fix: renew keys and delete expired ones
For: https://github.com/ben-grande/qusal/issues/46
2024-05-15 17:06:26 +02:00
Ben Grande
d1485990e4
doc: nested list indentation 2024-05-14 18:43:07 +02:00
Ben Grande
72f61bbbd9
fix: install fwupd qubes plugin to updatevm 2024-05-11 03:31:49 +02:00
Ben Grande
bfb3026dc1
fix: update mirage firewall version 2024-05-11 02:54:52 +02:00
Ben Grande
972ac77bc2
fix: install libpci by default on sys-net
It is not possible to troubleshoot network module loading without
pciutils. Although it is a troubleshooting tool, it is not for
troubleshooting the network, but for making the system itself able to
load kernel modules and reach the network, and is therefore necessary.
2024-05-02 19:33:32 +02:00