0e72ff8716
Some files had a small impact such as Xft.dpi definition, thus removed. Files with bigger impact were moved to root directories such as /etc or were specified with full path such as ~/.local/bin. In case the dotfiles configuration does extra things, such as verifying merge commits, it was changed to code or comment when appropriate. For: https://github.com/ben-grande/dotfiles/pull/1
qubes-builder
Setup Qubes OS Builder V2 in Qubes OS itself.
Table of Contents
Description
Setup a Builder qube named "qubes-builder" and a disposable template for Qubes Executor named "dvm-qubes-builder". It is possible to use any of the available executors: docker, podman, qubes-executor.
During installation, after cloning the qubes-builderv2 repository, signatures will be verified and the installation will fail if the signatures couldn't be verified. Packages necessary for split operations such as split-gpg2, spit-git and split-ssh-agent will also be installed.
Installation
The template is based on Fedora Minimal and not Debian Minimal due to the Qubes Executor lacking some dependencies on Debian such as mock. Even if the builder qube was Debian based, the executor qube still needs to be a Fedora template.
- Top:
sudo qubesctl top.enable qubes-builder
sudo qubesctl --targets=tpl-qubes-builder,dvm-qubes-builder,qubes-builder state.apply
sudo qubesctl top.disable qubes-builder
sudo qubesctl state.apply qubes-builder.prefs
- State:
sudo qubesctl state.apply qubes-builder.create
sudo qubesctl --skip-dom0 --targets=tpl-qubes-builder state.apply qubes-builder.install
sudo qubesctl state.apply qubes-builder.prefs
sudo qubesctl --skip-dom0 --targets=dvm-qubes-builder state.apply qubes-builder.configure-qubes-executor
sudo qubesctl --skip-dom0 --targets=qubes-builder state.apply qubes-builder.configure
If you plan to write for a long time and analyze logs on the builder qube, it is recommended to install some development goodies:
sudo qubesctl --skip-dom0 --targets=tpl-qubes-builder state.apply qubes-builder.install-dev
If you plan on building Qusal packages (Development only):
sudo qubesctl --skip-dom0 --targets=qubes-builder state.apply qubes-builder.configure-qusal
Access Control
The policy is based on qubes-builderv2/rpc/50-qubesbuilder.policy.
Extra services added are qubes.Gpg2, qusal.GitInit, qusal.GitFetch,
qusal.GitPush, qusal.SshAgent. Necessary services are allowed to have an
unattended build.
Usage
Pulling new commits
The installation will clone the repository but not pull new commits. You will need to pull new commits from time to time, their signature will be automatically verified them being merged to your git index.
Pull qubes-builderv2 commits:
cd ~/src/qubes-builderv2
git pull --verify-signatures
Initialize and merge submodules:
git submodule update --init
git submodule update --merge
Add PGP public key to qubes-builder GPG home directory
If you need to pull commits signed by someone with a key not deployed by default, import their key to the GPG home directory of qubes-builder:
gpg-qubes-builder --import /path/to/key
Builder configuration
When using the Qubes Executor, configure the builder.yml options:
- For configuration deduplication, include other files;
- When
executor:type:qubesuse the desired DispVM Template:executor:options:dispvm::"@dispvm"; - Enforce the use of
split-gpg2:gpg-client:gpg.
include:
- example-configs/desired-config.yml
executor:
type: qubes
options:
dispvm: "@dispvm"
gpg-client: gpg
Build Qusal
Warning: development only.
You can easily build Qusal as a default configuration is provided.
Place only the following in builder.yml:
include:
- ../qusal-builder/qusal.yml
To run the sign state, you will need to change the configuration option
sign-key:rpm:KEY to your key fingerprint as well as import the same key to
the default GnuPG home directory ~/.gnupg.