qusal/salt/sys-usb/create.sls
Ben Grande f9ead06408 fix: remove extraneous package repository updates
Updates happens multiple times, normally 2 to 3, even if we consider a
state without includes. On states with multiple includes, it could
easily get approximately 10 updates being ran. This behavior leads to
unnecessary network bandwidth being spent and more time to run the
installation state. When the connection is slow and not using the
cacher, such as torified connections on Whonix, the installation can
occurs much faster.

Adding external repositories has to be done prior to update to ensure it
is also fetched.

Fixes: https://github.com/ben-grande/qusal/issues/29
2024-03-18 17:51:36 +01:00

156 lines
3.5 KiB
Plaintext

{#
SPDX-FileCopyrightText: 2022 unman <unman@thirdeyesecurity.org>
SPDX-FileCopyrightText: 2023 - 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com>
SPDX-License-Identifier: AGPL-3.0-or-later
#}
{%- from "qvm/template.jinja" import load -%}
include:
- .clone
- utils.tools.common.update
- qvm.hide-usb-from-dom0
"{{ slsdotpath }}-installed-dom0":
pkg.installed:
- require:
- sls: utils.tools.common.update
- install_recommends: False
- skip_suggestions: True
- pkgs:
- qubes-input-proxy
{% load_yaml as defaults -%}
name: tpl-{{ slsdotpath }}
force: True
require:
- sls: {{ slsdotpath }}.clone
prefs:
- audiovm: ""
{%- endload %}
{{ load(defaults) }}
{% load_yaml as defaults -%}
name: dvm-{{ slsdotpath }}
force: True
require:
- sls: {{ slsdotpath }}.clone
present:
- template: tpl-{{ slsdotpath }}
- label: red
prefs:
- template: tpl-{{ slsdotpath }}
- label: red
- netvm: ""
- audiovm: ""
- memory: 400
- maxmem: 0
- vcpus: 1
- virt_mode: hvm
- template_for_dispvms: True
- include_in_backups: False
features:
- enable:
- servicevm
- appmenus-dispvm
- disable:
- service.network-manager
- service.cups
- service.cups-browsed
- service.meminfo-writer
- service.qubes-updates-proxy
{%- endload %}
{{ load(defaults) }}
{% set usb_pcidevs = salt['grains.get']('pci_usb_devs', []) -%}
{% if usb_pcidevs == ['00:14.0', '00:1a.0', '00:1d.0'] -%}
{% set usb_host_model = 'ThinkPad T430' -%}
{% set usbs = ['disp-sys-usb', 'disp-sys-usb-dock', 'disp-sys-usb-left'] -%}
{% else -%}
{% set usb_host_model = 'unknown' -%}
{% set usbs = ['disp-sys-usb'] -%}
{% endif -%}
{#
TODO: salt jinja best practice
Map different usb controlles to different usb qubes.
Problems:
- Random name generator for qubes would be troublesome for the user
to guess to which qube his usb controller is. Only mapped brands and
models will work.
Questions:
- How to use jinja array to assign a qube per controller?
- How to assign UNCATEGORIZED to unregistered products?
#}
{#
{% set usb_pcidevs = {
'ThinkPad T430': {
'qubes': ['disp-sys-usb', 'disp-sys-usb-dock', 'disp-sys-usb-left'],
'pcidevs': ['00:14.0', '00:1a.0', '00:1d.0'],
'autostart': False,
},
'UNCATEGORIZED': {
'qubes': ['disp-sys-usb'],
'pcidevs': {{ usb_pcidevs }},
'autostart': True,
},
}.get(salt['smbios.get']('system-version') -%}
{% for usb in usb_pcidevs.qubes -%}
pcidevs: {{ usb_pcidevs.pcidevs|sequence|yaml }}
autostart: {{ usb_pcidevs.autostart|sequence|yaml }}
{% endfor -%}
#}
{% for usb in usbs -%}
{% load_yaml as defaults -%}
name: {{ usb }}
force: True
require:
- qvm: dvm-{{ slsdotpath }}
present:
- template: dvm-{{ slsdotpath }}
- label: red
- class: DispVM
prefs:
- template: dvm-{{ slsdotpath }}
- label: red
- netvm: ""
- audiovm: ""
- memory: 400
- maxmem: 0
- include_in_backups: False
- pci_strictreset: False
{% if usb_host_model == 'ThinkPad T430' -%}
- autostart: False
{% if usb == 'disp-sys-usb-left' -%}
- pcidevs: {{ [usb_pcidevs[0]]|yaml }}
{% elif usb == 'disp-sys-usb' -%}
- pcidevs: {{ [usb_pcidevs[1]]|yaml }}
{% elif usb == 'disp-sys-usb-dock' -%}
- pcidevs: {{ [usb_pcidevs[2]]|yaml }}
{% endif -%}
{% else -%}
- autostart: True
- pcidevs: {{ usb_pcidevs|yaml }}
{% endif -%}
features:
- enable:
- servicevm
- disable:
- service.network-manager
- service.cups
- service.cups-browsed
- service.meminfo-writer
- service.qubes-updates-proxy
tags:
- add:
- usbvm
{%- endload %}
{{ load(defaults) }}
{% endfor -%}
{% from 'utils/macros/policy.sls' import policy_set with context -%}
{{ policy_set(sls_path, '80') }}