qusal/salt/qubes-builder
Ben Grande 9c280689d8
refactor: prefer systemd sockets over socat
- Document preferred method for socket use depending on use case;
- Fix Github web-flow key;
- Standardize naming of services;
- Use sys-ssh in ansible formula;
- Start services conditionally with Qubes Service and evaluated by
  systemd ConditionPathExists= instead of installing on a per qube basis
  with rc.local scripts;
- Change Qusal services to "qusal-" prefix instead of "qubes-" prefix.

Fixes: https://github.com/ben-grande/qusal/issues/80
Fixes: https://github.com/ben-grande/qusal/issues/79
2024-06-25 22:16:26 +02:00
files fix: correct git repository name in policy 2024-06-19 15:12:08 +02:00
clone.sls refactor: initial commit 2023-11-13 14:33:28 +00:00
clone.top refactor: initial commit 2023-11-13 14:33:28 +00:00
configure-qubes-executor.sls chore: copyright update 2024-01-29 16:49:54 +01:00
configure-qubes-executor.top refactor: initial commit 2023-11-13 14:33:28 +00:00
configure.sls refactor: prefer systemd sockets over socat 2024-06-25 22:16:26 +02:00
configure.top refactor: initial commit 2023-11-13 14:33:28 +00:00
create.sls refactor: prefer systemd sockets over socat 2024-06-25 22:16:26 +02:00
create.top refactor: initial commit 2023-11-13 14:33:28 +00:00
init.sls refactor: initial commit 2023-11-13 14:33:28 +00:00
init.top refactor: initial commit 2023-11-13 14:33:28 +00:00
install-dev.sls feat: add development goodies to Qubes Builder 2024-06-22 10:31:02 +02:00
install-dev.top feat: add development goodies to Qubes Builder 2024-06-22 10:31:02 +02:00
install-qubes-executor.sls refactor: prefer systemd sockets over socat 2024-06-25 22:16:26 +02:00
install-qubes-executor.top refactor: initial commit 2023-11-13 14:33:28 +00:00
install.sls refactor: prefer systemd sockets over socat 2024-06-25 22:16:26 +02:00
install.top refactor: initial commit 2023-11-13 14:33:28 +00:00
prefs.sls fix: shutdown template before install state 2024-06-24 08:38:56 +02:00
prefs.top fix: install salt depends in fedora-39-minimal 2024-03-23 22:09:49 +01:00
README.md feat: add development goodies to Qubes Builder 2024-06-22 10:31:02 +02:00
version fix: generate RPM Specs for Qubes Builder V2 2024-06-21 17:00:06 +02:00

qubes-builder

Setup Qubes OS Builder V2 in Qubes OS itself.

Description

Set up a Builder qube named "qubes-builder" and a disposable template for the Qubes Executor named "dvm-qubes-builder". Any of the available executors can be used: docker, podman, qubes-executor.

During installation, after cloning the qubes-builderv2 repository, its signatures are verified and the installation fails if they cannot be verified. Packages necessary for split operations such as split-gpg2, split-git and split-ssh-agent are also installed.

Installation

The template is based on Fedora Minimal rather than Debian Minimal because the Qubes Executor lacks some dependencies on Debian, such as mock. Even if the builder qube were Debian-based, the executor qube would still need to be a Fedora template.

  • Top
sudo qubesctl top.enable qubes-builder
sudo qubesctl --targets=tpl-qubes-builder,dvm-qubes-builder,qubes-builder state.apply
sudo qubesctl top.disable qubes-builder
sudo qubesctl state.apply qubes-builder.prefs
  • State
sudo qubesctl state.apply qubes-builder.create
sudo qubesctl --skip-dom0 --targets=tpl-qubes-builder state.apply qubes-builder.install
sudo qubesctl state.apply qubes-builder.prefs
sudo qubesctl --skip-dom0 --targets=dvm-qubes-builder state.apply qubes-builder.configure-qubes-executor
sudo qubesctl --skip-dom0 --targets=qubes-builder state.apply qubes-builder.configure

If you plan to spend a long time writing and analyzing logs on the builder qube, it is recommended to install some development goodies:

sudo qubesctl --skip-dom0 --targets=tpl-qubes-builder state.apply qubes-builder.install-dev

Access Control

The policy is based on qubes-builderv2/rpc/50-qubesbuilder.policy. The extra services added are qubes.Gpg2, qusal.GitInit, qusal.GitFetch, qusal.GitPush and qusal.SshAgent. The services required for an unattended build are allowed rather than prompted for.
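To audit what the builder qube may reach without a prompt, the deployed rules follow the Qubes 4.1+ policy format and look like the fragment below. This is an added illustration, not the formula's own policy file; the target qube names sys-pgp and sys-git are assumptions (sys-ssh is the name this repository uses for the split-ssh-agent qube), so check the actual file in /etc/qubes/policy.d/ after applying the state.

```text
# Constructed example: unattended-build rules for the "qubes-builder" qube.
# Assumed target qubes: sys-pgp (split-gpg2), sys-git (split-git), sys-ssh (split-ssh-agent).
# Format: service  argument  source  destination  action  [params]

# Commit and tag signature verification and signing via split-gpg2
qubes.Gpg2       *  qubes-builder  @default  allow  target=sys-pgp

# Read-only git operations are allowed unattended so builds can refresh sources
qusal.GitInit    *  qubes-builder  @default  allow  target=sys-git
qusal.GitFetch   *  qubes-builder  @default  allow  target=sys-git

# Pushing publishes code: keep a prompt so a compromised builder cannot push silently
qusal.GitPush    *  qubes-builder  @default  ask    target=sys-git  default_target=sys-git

# SSH agent forwarding for fetching from private remotes
qusal.SshAgent   *  qubes-builder  @default  allow  target=sys-ssh

# Everything else for these services is denied explicitly (the implicit default is also deny)
qubes.Gpg2       *  @anyvm  @anyvm  deny
qusal.GitInit    *  @anyvm  @anyvm  deny
qusal.GitFetch   *  @anyvm  @anyvm  deny
qusal.GitPush    *  @anyvm  @anyvm  deny
qusal.SshAgent   *  @anyvm  @anyvm  deny
```

Whether qusal.GitPush is set to allow or ask is a choice of this illustration; the page only states that the services needed for an unattended build are allowed.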

Usage

Pulling new commits

The installation clones the repository but does not pull new commits. You will need to pull new commits from time to time; their signatures are verified automatically before they are merged into your git index.

Add PGP public key to qubes-builder GPG home directory

If you need to pull commits signed by someone with a key not deployed by default, import their key to the GPG home directory of qubes-builder:

gpg --homedir "$HOME/.gnupg/qubes-builder" --import KEY

Builder configuration

When using the Qubes Executor, configure the builder.yml dispvm option to either dom0 or dvm-qubes-builder:

include:
  - example-configs/desired-config.yml

executor:
  type: qubes
  options:
    dispvm: "dom0"
    #dispvm: "dvm-qubes-builder"

Setting the Disposable VM to Dom0 works because it will use the default_dispvm preference of qubes-builder, which is dvm-qubes-builder.