Ben Grande
80638d64b5
feat: port forwarder
...
If persistent rules are chosen, it can deal with disposable sys-net, but
not with disposable sys-firewall, as the qube IP will change and the rule
won't work. Applying the rule to the disposable template is a "try it
all", but its usage is discouraged.
2024-01-16 00:15:29 +01:00
Ben Grande
c3937e881e
fix: disposable sys-audio name with disp prefix
2024-01-14 14:05:17 +01:00
Ben Grande
ff4773bf8e
doc: kicksecure missing minimal flavor
2024-01-14 08:52:24 +01:00
Ben Grande
23a569d4e1
fix: install less browser packages in reader
...
The state browse.install installs extraneous packages that we won't
need for an untrusted environment, such as USB and audio support.
2024-01-12 19:47:52 +01:00
Ben Grande
2576d14448
fix: policy file mode not allowing group to write
2024-01-12 19:44:55 +01:00
Ben Grande
ac25ef6b87
fix: sys-usb hide-usb-from-dom0 in keyboard state
2024-01-12 19:08:56 +01:00
Ben Grande
8d7c0a2d0b
fix: sys-cacher policy with the new tag name
2024-01-12 18:34:04 +01:00
Ben Grande
2063a4328c
fix: clone macro support for optional argument
2024-01-12 18:22:33 +01:00
Ben Grande
6eefceda74
fix: sys-usb disposables must have name prefix
2024-01-12 18:22:18 +01:00
Ben Grande
6828e83dde
fix: update dotfiles module
2024-01-12 18:00:40 +01:00
Ben Grande
7eb1f34f73
feat: disposable mirage firewall
2024-01-12 17:58:56 +01:00
Ben Grande
5502103901
fix: separate template formula per flavor
...
Default template flavor is Gnome, installing Xfce when requesting the
template formula without flavor causes confusion.
2024-01-12 17:47:21 +01:00
Ben Grande
233ac76bcb
fix: sys-cacher tag compliance with default tags
...
The default tags start with the capability, then the qube name, such as
audiovm-dom0 and guivm-dom0.
2024-01-12 17:30:29 +01:00
Ben Grande
5e5ae2f704
fix: zsh state import with relative path
...
Relative path only works well if it is on the salt root.
2024-01-12 17:24:43 +01:00
Ben Grande
a97e3c0c8a
feat: kicksecure minimal template
2024-01-12 17:24:31 +01:00
Ben Grande
2b6daac8a9
fix: shellcheck
2024-01-10 14:31:57 +01:00
Ben Grande
040594ae74
fix: do not remove created dvm
...
The removal was first implemented to get a clean state of the qube, but
there are side effects: it fails if the user created a named disposable
based on the dvm and also removes the (dvm) entry from the appmenu.
The sys-usb case is a workaround in case the user selected a
non-disposable, an appvm sys-usb during system installation.
2024-01-10 14:27:44 +01:00
Ben Grande
5b9b0bba5b
doc: missing access control for sys-usb
2024-01-10 12:50:02 +01:00
Ben Grande
76e9234c83
fix: organize sys-usb policy per service
2024-01-10 12:49:20 +01:00
Ben Grande
567e36d276
fix: prefer qvm-features for uniformity
2024-01-09 18:48:29 +01:00
Ben Grande
a3829e46ae
feat: policy support for multiple sys-usb qubes
2024-01-09 18:44:50 +01:00
Ben Grande
f5894dc6fc
doc: cleaner usage sections for qubes-builder
2024-01-08 20:08:54 +01:00
Ben Grande
c306047f1e
fix: sys-wireguard compatible with Qubes 4.2
2024-01-08 20:07:20 +01:00
Ben Grande
42a93093dd
fix: rpc service copy to dvm
...
Upstream-commit: 7c37bb7bd65ad3a183790ad07344729504bc0930
2024-01-07 20:20:54 +01:00
Ben Grande
762f8be485
fix: make sys-pihole fully replace sys-firewall
2024-01-05 20:28:27 +01:00
Ben Grande
705808d8b6
feat: allow sys-pihole to use pi-hole for queries
2024-01-05 17:45:04 +01:00
Ben Grande
a17f9f5250
feat: unattended qubes-builder build
...
Split-gpg2 allows isolating GPG home directories. In the future,
enforcing this setting via drop-in configuration would be safer; it depends
on https://github.com/QubesOS/qubes-issues/issues/8792 .
2024-01-05 17:24:14 +01:00
Ben Grande
692659e22d
feat: passwordless pihole admin interface
...
- Passwordless as it doesn't compromise security;
- Firewall blocks access to the interface in case the pihole is exposed
to the internet;
- setupVars.conf needs to be 644 for non-root commands to the pihole
script to work, so the WEB_PASSWORD can be read as normal user;
restricting root on pihole does not make sense, as it can modify the
network setting via pihole web interface.
2024-01-05 16:32:42 +01:00
Ben Grande
417843ba75
feat: remove extraneous passwordless root
2024-01-05 12:03:23 +01:00
Ben Grande
c1094046ee
fix: add user to mock group
2024-01-05 11:07:27 +01:00
Ben Grande
41b71eed46
doc: update README.md
2024-01-04 22:05:35 +01:00
Ben Grande
0216297ee6
feat: default to disposable netvm
...
- Default sys-net and sys-firewall to disposable;
- Set global and per-vm preferences by starting the qubes or shutting
them down when necessary; and
- Fewer manual steps remaining for the user: just rename the net qube, as
it can only be done via Qubes Manager.
2024-01-04 21:59:15 +01:00
Ben Grande
8a8252d6f0
fix: changes default template flavor to Xfce
2024-01-04 18:01:21 +01:00
Ben Grande
e0b11b3daf
fix: do not install net debug tools by default
2024-01-04 17:25:16 +01:00
Ben Grande
e167879cfb
doc: sys-audio usage
2024-01-04 15:17:20 +01:00
Ben Grande
767fc42523
fix: allow to attach mic with sys-audio
2024-01-04 12:20:13 +01:00
Ben Grande
6bb426a057
refactor: import armored gpg keys instead of db
2024-01-03 21:40:05 +01:00
Ben Grande
0eecbcffc4
fix: unconfined qfile-unpacker
...
Upstream-commit: 0648b2329f0d142a2e24ecf376b28603fb04abb4
2024-01-03 14:35:06 +01:00
Ben Grande
083285901c
fix: remove old split-gpg from qubes-builder
2024-01-03 14:29:49 +01:00
Ben Grande
ca95f435c8
doc: sys-audio compatible with Qubes 4.2
2024-01-03 12:34:48 +01:00
Ben Grande
2283b3368e
fix: sys-audio policy and autostart pacat daemon
2024-01-03 11:47:13 +01:00
Ben Grande
0e05c097c2
fix: missing reuse license information
2024-01-02 23:09:34 +01:00
Ben Grande
4de0f3ff9f
doc: inform how to bootstrap a new system
2024-01-02 23:04:36 +01:00
Ben Grande
d939d4aa26
fix: signal state uses idempotent state
2024-01-02 23:03:10 +01:00
Ben Grande
f32a14c422
fix: autostart volumeicon
2024-01-02 23:01:58 +01:00
Ben Grande
b86486a793
feat: qubes-vm-update global settings
2024-01-02 18:04:54 +01:00
Ben Grande
ed4fe70980
fix: customize sys-whonix
...
- autostart set to false;
- lower vcpus available;
- lower total memory; and
- use state provided by upstream;
2023-12-31 07:52:38 +01:00
Ben Grande
e2c24ec78e
style: client state ID must conform to order
2023-12-31 07:50:03 +01:00
Ben Grande
ec9142bf27
fix: pci regain with invalid syntax
2023-12-31 07:49:25 +01:00
Ben Grande
81f8c56a76
fix: install missing packages to audio client
2023-12-31 07:48:29 +01:00