qusal/salt/qubes-builder
Ben Grande 0887c24a19 fix: remove unicode from used files
No considering license, copyright notices kept outside of the installed
directories, but excluding keys that have unicode in their comment
section.
2024-01-18 15:23:52 +01:00
..
files fix: rpc service copy to dvm 2024-01-07 20:20:54 +01:00
clone.sls refactor: initial commit 2023-11-13 14:33:28 +00:00
clone.top refactor: initial commit 2023-11-13 14:33:28 +00:00
configure-qubes-executor.sls fix: rpc service copy to dvm 2024-01-07 20:20:54 +01:00
configure-qubes-executor.top refactor: initial commit 2023-11-13 14:33:28 +00:00
configure.sls refactor: import armored gpg keys instead of db 2024-01-03 21:40:05 +01:00
configure.top refactor: initial commit 2023-11-13 14:33:28 +00:00
create.sls fix: strict split-gpg2 service 2023-12-28 11:47:41 +01:00
create.top refactor: initial commit 2023-11-13 14:33:28 +00:00
init.sls refactor: initial commit 2023-11-13 14:33:28 +00:00
init.top refactor: initial commit 2023-11-13 14:33:28 +00:00
install-qubes-executor.sls fix: add user to mock group 2024-01-05 11:07:27 +01:00
install-qubes-executor.top refactor: initial commit 2023-11-13 14:33:28 +00:00
install.sls fix: add user to mock group 2024-01-05 11:07:27 +01:00
install.top refactor: initial commit 2023-11-13 14:33:28 +00:00
README.md fix: remove unicode from used files 2024-01-18 15:23:52 +01:00

qubes-builder

Setup Qubes OS Builder V2 in Qubes OS itself.

Table of Contents

Description

Setup a Builder qube named "qubes-builder" and a disposable template for Qubes Executor named "dvm-qubes-builder". It is possible to use any of the available executors: docker, podman, qubes-executor.

During installation, after cloning the qubes-builderv2 repository, signatures will be verified and the installation will fail if the signatures couldn't be verified. Packages necessary for split operations such as split-gpg2, spit-git and split-ssh-agent will also be installed.

Installation

The template is based on Fedora Minimal and not Debian Minimal due to the Qubes Executor lacking some dependencies on Debian such as mock. Even if the builder qube was Debian based, the executor qube still needs to be a Fedora template.

  • Top
qubesctl top.enable qubes-builder
qubesctl --targets=tpl-qubes-builder,dvm-qubes-builder,qubes-builder state.apply
qubesctl top.disable qubes-builder
  • State
qubesctl state.apply qubes-builder.create
qubesctl --skip-dom0 --targets=tpl-qubes-builder state.apply qubes-builder.install
qubesctl --skip-dom0 --targets=dvm-qubes-builder state.apply qubes-builder.configure-qubes-executor
qubesctl --skip-dom0 --targets=qubes-builder state.apply qubes-builder.configure

Access Control

The policy is based on qubes-builderv2/rpc/50-qubesbuilder.policy. Extra services added are qubes.Gpg2, qusal.GitInit, qusal.GitFetch, qusal.GitPush, qusal.SshAgent. Necessary services are allowed to have an unattended build.

Usage

Builder configuration

When using the Qubes Executor, configure the builder.yml dispvm option to either dom0 or dvm-qubes-builder:

include:
  - example-configs/desired-config.yml

executor:
  type: qubes
  options:
    dispvm: "dom0"
    #dispvm: "dvm-qubes-builder"

Setting the Disposable VM to Dom0 works because it will use the default_dispvm preference of qubes-builder, which is dvm-qubes-builder.

Update repository safely

If you need to pull new commits, set GNUPGHOME to /home/user/.gnupg/qubes-builder, the provided gitconfig enforces signature verification on git merges:

GNUPGHOME="$HOME/.gnupg/qubes-builder" git pull
Commit 7c37bb7 has a good GPG signature by Frederic Pierret (fepitre)
<frederic.pierret@qubes-os.org>
...