9c280689d8
- Document preferred method for socket use depending on use case; - Fix Github web-flow key; - Standardize naming of services; - Use sys-ssh in ansible formula; - Start services conditionally with Qubes Service and evaluated by systemd ConditionPathExists= instead of installing on a per qube basis with rc.local scripts; - Change Qusal services to "qusal-" prefix instead of "qubes-" prefix. Fixes: https://github.com/ben-grande/qusal/issues/80 Fixes: https://github.com/ben-grande/qusal/issues/79
{#
SPDX-FileCopyrightText: 2023 - 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com>

SPDX-License-Identifier: AGPL-3.0-or-later
#}

{# Every state in this file is skipped when the minion's nodename is dom0. #}
{% if grains['nodename'] != 'dom0' -%}

{# Release tag interpolated into the verify-commit and checkout commands further down. #}
{% set mirage_firewall_tag = 'v0.8.6' -%}

# Other SLS files included alongside the states declared in this file.
include:
  - dev.home-cleanup
  - dotfiles.copy-sh
  - dotfiles.copy-ssh
  - dotfiles.copy-git
# Install the opam shell snippet shipped with this formula into the user's
# sh profile.d directory, owned by "user" and marked executable.
"{{ slsdotpath }}-opam-completion-and-hooks":
  file.managed:
    - source: salt://{{ slsdotpath }}/files/client/profile/opam.sh
    - name: /home/user/.config/sh/profile.d/opam.sh
    - makedirs: True
    - user: user
    - group: user
    - mode: '0755'
# Parent directory for source checkouts, owned by "user".
"{{ slsdotpath }}-makedir-src":
  file.directory:
    - name: /home/user/src
    - makedirs: True
    - mode: '0755'
    - user: user
    - group: user
# Dedicated GnuPG home for this project's keys; mode 0700 keeps it private to
# "user". The gpg and git states in this file point at this directory rather
# than at the default ~/.gnupg keyring.
"{{ slsdotpath }}-gnupg-home":
  file.directory:
    - name: /home/user/.gnupg/mirage-firewall
    - makedirs: True
    - mode: '0700'
    - user: user
    - group: user
# Copy the key material shipped under the formula's files/client/keys/ into the
# download/ subdirectory of the dedicated GnuPG home (files 0600, dirs 0700).
# Whatever this source directory contains is what the later import states load,
# so changes to it deserve the same review as changes to code.
"{{ slsdotpath }}-save-keys":
  file.recurse:
    - source: salt://{{ slsdotpath }}/files/client/keys/
    - name: /home/user/.gnupg/mirage-firewall/download/
    - makedirs: True
    - dir_mode: '0700'
    - file_mode: '0600'
    - user: user
    - group: user
    - require:
      - file: "{{ slsdotpath }}-gnupg-home"
# Import every .asc file from download/ into the dedicated keyring.
# --status-fd=2 sends gpg's machine-readable status lines to stderr, which is
# where success_stderr looks for IMPORT_OK.
# NOTE(review): success_stderr presumably marks the state successful as soon as
# one IMPORT_OK line appears, even if another file failed to import; a missing
# key would then show up as a failed signature check later on. Confirm.
"{{ slsdotpath }}-import-keys":
  cmd.run:
    - name: gpg --status-fd=2 --homedir . --import download/*.asc
    - cwd: /home/user/.gnupg/mirage-firewall
    - runas: user
    - success_stderr: IMPORT_OK
    - require:
      - file: "{{ slsdotpath }}-save-keys"
# Load owner-trust values from download/otrust.txt into the same dedicated
# keyring, once the keys themselves have been imported.
"{{ slsdotpath }}-import-ownertrust":
  cmd.run:
    - name: gpg --homedir . --import-ownertrust download/otrust.txt
    - cwd: /home/user/.gnupg/mirage-firewall
    - runas: user
    - require:
      - cmd: "{{ slsdotpath }}-import-keys"
# Clone or update the upstream repository as "user"; force_fetch lets the
# fetch proceed even when the update is not a fast-forward.
# NOTE(review): no rev is given, so whatever git.latest leaves in the work tree
# at this point has not been signature-checked; the verified tag is only
# checked out by the states that follow.
"{{ slsdotpath }}-git-clone":
  git.latest:
    - target: /home/user/src/qubes-mirage-firewall
    - name: https://github.com/mirage/qubes-mirage-firewall
    - force_fetch: True
    - user: user
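## The tag is annotated, using verify-commit instead.
## verify-commit peels the tag to the commit it points at and checks that
## commit's signature with the dedicated keyring selected through GNUPGHOME.
## Both the check and the checkout name the tag as refs/tags/<tag>, so the two
## commands resolve the same object even if a branch with the same name exists.
## NOTE(review): unless gpg.minTrustLevel is configured, git appears to accept
## a good signature from any key in this keyring without requiring a particular
## trust level; confirm whether the imported ownertrust is meant to be enforced.
"{{ slsdotpath }}-git-verify-tag":
  cmd.run:
    - require:
      - git: "{{ slsdotpath }}-git-clone"
    - name: GNUPGHOME="$HOME/.gnupg/mirage-firewall" git -c gpg.program=gpg2 verify-commit refs/tags/{{ mirage_firewall_tag }}
    - cwd: /home/user/src/qubes-mirage-firewall
    - runas: user

## Runs only after the signature check above has succeeded.
"{{ slsdotpath }}-git-checkout-tag-{{ mirage_firewall_tag }}":
  cmd.run:
    - name: git checkout refs/tags/{{ mirage_firewall_tag }}
    - require:
      - cmd: "{{ slsdotpath }}-git-verify-tag"
    - cwd: /home/user/src/qubes-mirage-firewall
    - runas: user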
# Working directory for docker use in the user's home, owned by "user".
"{{ slsdotpath }}-makedir-home-docker":
  file.directory:
    - name: /home/user/docker
    - makedirs: True
    - mode: '0755'
    - user: user
    - group: user
# Only on RedHat-family systems: recursively set the SELinux type of the docker
# directory to container_file_t, after the directory has been created.
{% if salt['grains.get']('os_family') == 'RedHat' -%}
"{{ slsdotpath }}-file-security-context":
  cmd.run:
    - name: chcon -Rt container_file_t /home/user/docker
    - runas: user
    - require:
      - file: "{{ slsdotpath }}-makedir-home-docker"
{% endif -%}
{% endif -%}