Commit Graph

306 Commits

Author SHA1 Message Date
Ben Grande
a6194e0364
fix: remove cacher tag from Kicksecure template
Running apt-cacher-ng-repo during update is unnecessary, the
install-repo macro already does it and the systemd service is run on
boot before Qrexec Agent starts.

Fixes: https://github.com/ben-grande/qusal/issues/66
2024-06-22 12:14:36 +02:00
Ben Grande
19ea24da5c
ci: remove python flag of externally managed env 2024-06-22 12:02:46 +02:00
Ben Grande
fef12eb573
ci: skip pip error externally managed environment 2024-06-22 11:49:24 +02:00
Ben Grande
c7ed34e99f
ci: run on a fixed version of hosted runner
GitHub delays the -latest tag for some months, set the latest version
manually.
2024-06-22 10:37:20 +02:00
Ben Grande
2c2ba4f5f5
doc: add new documentation to issue commitment 2024-06-22 10:31:19 +02:00
Ben Grande
4276358a7e
feat: add development goodies to Qubes Builder 2024-06-22 10:31:02 +02:00
Ben Grande
7df3be4b78
fix: install caching client before common update
Cacher client installation state is included in the common update state as
all qubes that update with Qusal states use it, rather than including
it on all the installation states. The macro utils.macros.install-repo
still also runs apt-cacher-ng-repo in case the user is not updating at
that moment, just adding a new repository without restarting the qube
(systemd service has already run).

Fixes: https://github.com/ben-grande/qusal/issues/66
2024-06-22 10:21:40 +02:00
Ben Grande
312b871bd7
ci: pass pre-commit script argument on its own key 2024-06-22 09:10:21 +02:00
Ben Grande
bd5c6353ec
fix: remove single quotes from Jinja regex
Unnecessary in this instance and Salt trips, claiming to have found
"unknown escape character".

Fixes: https://github.com/ben-grande/qusal/issues/65
2024-06-21 19:59:01 +02:00
Ben Grande
c84dfea48e
fix: generate RPM Specs for Qubes Builder V2
It doesn't checkout the current directory when querying the spec, so we
provide the already modified version of the spec.
2024-06-21 17:00:06 +02:00
Ben Grande
7aee0c44d8
doc: move contribution guide to docs directory 2024-06-21 14:27:21 +02:00
Ben Grande
fd9476c613
doc: move installation section to docs directory 2024-06-21 14:24:31 +02:00
Ben Grande
0e2bb5b40b
fix: update dotfiles module 2024-06-20 22:32:35 +02:00
Ben Grande
7ab3b938f8
fix: correct upstream repository owner
For: https://github.com/ben-grande/qusal/issues/59
2024-06-20 18:09:27 +02:00
Ben Grande
8640b6d11b
feat: add Qubes Builder configuration
For: https://github.com/ben-grande/qusal/issues/59
2024-06-20 17:54:40 +02:00
Ben Grande
ab56b5f3c8
feat: allow print calls from qubes with tag
Fixes: https://github.com/ben-grande/qusal/issues/63
2024-06-20 10:40:58 +02:00
Ben Grande
97b2496891
fix: start service after Qubes Service setup 2024-06-19 18:08:20 +02:00
Ben Grande
f30bd20f54
fix: Print server without RPC service
- Install RPC service to template;
- Move qube configuration to template configuration;
- Start server after the Qubes Services are created;
- Qrexec policy ask to both app and disposable qube; and
- Rename systemd service to qusal prefix instead of qubes.
2024-06-19 15:40:20 +02:00
Ben Grande
bf0a4bc914
fix: terminate option parsing for qvm commands 2024-06-19 15:12:22 +02:00
Ben Grande
99fb13856c
fix: correct git repository name in policy 2024-06-19 15:12:08 +02:00
Ben Grande
6ec0768f13
fix: clean Wireguard rules
- Remove OpenVPN code comments;
- Reorganize rules for easier reading;
- Server can connect without having client attached;
- Systemd service for easier monitoring of wg-quick; and
- Firewall also restarts wg-quick and apply new endpoint rules.
2024-06-19 15:08:03 +02:00
Ben Grande
f86e30a6b6
fix: add simple-scan to printer appmenus 2024-06-19 08:45:02 +02:00
Ben Grande
49a295dae9
fix: printer formula with conflicting IDs 2024-06-19 08:38:56 +02:00
Ben Grande
ec8a9f8003
doc: add troubleshooting guide 2024-06-18 15:16:46 +02:00
Ben Grande
8d5c1c9bb4
chore: typo in date command 2024-06-18 10:45:47 +02:00
Ben Grande
43e1e320b3
feat: bump Bitcoin version 2024-06-17 21:52:30 +02:00
Ben Grande
b5ae2219e0
fix: update dotfiles module 2024-06-17 21:46:33 +02:00
Ben Grande
534db9655c
doc: qusal proxy service requires configuration
Fixes: https://github.com/ben-grande/qusal/issues/61
2024-06-17 21:46:21 +02:00
Ben Grande
1a72665a40
feat: add split-gpg2 configuration
Users must migrate their keys from ~/.gnupg to the value of
isolated_gnupg_homedirs.
2024-06-17 14:31:51 +02:00
Ben Grande
59e8fc32a0
fix: GUI Global Config precedes packaged policies 2024-06-17 11:36:39 +02:00
Ben Grande
faa00fbffa
doc: update table of contents 2024-06-16 10:45:42 +02:00
Ben Grande
ff41103194
build: spec scriptlet fails when it is empty
Echoing the word true was getting evaluated instead of being assigned as
a string.
2024-06-14 19:22:43 +02:00
Ben Grande
fcad8cb3e1
feat: update dotfiles module 2024-06-14 19:16:20 +02:00
Ben Grande
ba5b4813f2
fix: signature check breaks qubes-builder update
The state module git.latest does not allow setting environment variable
for us to set the correct GNUPGHOME. The module environ.set does not
work as we call git as the normal user and not as root, but may still be
the problem of git.latest not respecting environment variables.

The problem with always pulling new commits is that it may conflict with
the current work the user has done on the repository locally. It will
also not work in case the last commit is not signed by a trusted key
deployed by the formula, in this case, you should add the key manually
to verify the commit.

Setting the gpg.program only for the required repositories solves the
aforementioned problem and also enhances usability by removing extra
commands that the user needs to learn and remember.

Fixes: https://github.com/ben-grande/qusal/issues/58
2024-06-14 19:11:16 +02:00
Ben Grande
afcb73085f
doc: document usage of qusal TCP proxy 2024-06-14 07:42:18 +02:00
Ben Grande
e1a15d8a7e
fix: pgp template is fedora based without salt fix 2024-06-14 07:36:41 +02:00
Ben Grande
3ece491564
fix: wrong video-companion package name for dom0 2024-06-14 07:35:22 +02:00
Ben Grande
a564b3a703
feat: add TCP proxy for remote hosts
Ideally, it would be a Qrexec socket service, but it doesn't handle DNS,
only accepting IPs. The dev qube is now non-networked and network,
especially to remote git repositories, can be acquired via the proxy that
is going to be installed in every netvm.
2024-06-13 18:01:08 +02:00
Ben Grande
61e968cd7b
build: set values for reproducibility 2024-06-13 14:10:22 +02:00
Ben Grande
3c2bba2a9a
build: quiet build and verbose changelog 2024-06-13 14:03:16 +02:00
Ben Grande
7a70535553
fix: Fedora 40 only has wget2
The wget package can be downloaded from the command-line, but as Salt
does not follow DNF package redirects, the package is installed but the
state fails as Salt cannot find a package with the same name installed.
2024-06-13 14:01:35 +02:00
Ben Grande
e65b0bfde9
fix: feature check statement missing key 2024-06-13 14:01:04 +02:00
Ben Grande
75d992b041
fix: use Admin API for fast queries 2024-06-13 13:29:30 +02:00
Ben Grande
13c57939a7
fix: uninstall cacher client with tag in pillar
Targeting only qubes with the tag on the installation instructions is
still useful as it is faster than targeting all qubes.

Fixes: https://github.com/ben-grande/qusal/issues/41
2024-06-13 13:28:24 +02:00
Ben Grande
fe996b3a35
ci: untracked readme is an untracked project 2024-06-13 13:14:41 +02:00
Ben Grande
6e7774a27f
feat: bump Fedora version 2024-06-12 15:00:59 +02:00
Ben Grande
fc22726ee8
feat: build and sign RPM packages
Passing files to Dom0 is always dangerous:

- Passing a git repository is dangerous as it can have ignored modified
  files and signature verification will pass.
- Passing an archive is troublesome for updates.
- Passing an RPM package depends on the RPM verification to be correct,
  sometimes it is not.
- Passing an RPM repository definition is less troublesome for the user,
  as it is a small file to verify the contents and update mechanism is
  via the package manager. Trust in RPM verification is still required.

Many improvements were made to the build scripts:

- requires-program: Single function to check if program is installed;
- spec-get: Sort project names for the usage message;
- spec-get: Only running commands that are necessary;
- spec-get: Fix empty summary when readme has copyright header;
- spec-gen: Fix grep warning of escaped symbol;
- spec-build: Sign RPM and verify signature;
- spec-build: Only lint the first SPEC for faster runtime;
- yumrepo-gen: Generate a local yum repository with signed metadata;
- qubesbuilder-gen: Generate a .qubesbuilder based on tracked projects;
- release: Build, sign and push all RPMs to repository.

Goal is to be able to build with qubes-builderv2 Qubes Executor.

For: https://github.com/ben-grande/qusal/issues/37
2024-06-12 14:44:04 +02:00
Ben Grande
10200f609e
fix: rpmmacros is unnecessary with split-gpg2 2024-06-12 11:32:43 +02:00
Ben Grande
ffe03ba02a
fix: set global prefs for management_dispvm 2024-06-10 19:39:08 +02:00
Ben Grande
c456af2718
fix: remove duplicated Fedora mirrors 2024-06-10 19:15:14 +02:00