DNSCrypt - initial build

dnscrypt/clone.sls

@@ -0,0 +1,8 @@
+dnscrypt_precursor:
+  qvm.template_installed:
+    - name: debian-12-minimal
+
+qvm-clone-dnscrypt:
+  qvm.clone:
+    - name: template-dnscrypt
+    - source: debian-12-minimal

dnscrypt/clone.top

@@ -0,0 +1,4 @@
+base:
+  dom0:
+    - match: nodegroup
+    - dnscrypt.clone

dnscrypt/create.sls

@@ -0,0 +1,23 @@
+qvm-present-dnscrypt:
+  qvm.present:
+    - name: sys-dnscrypt
+    - template: template-dnscrypt
+    - label: green
+
+qvm-prefs-dnscrypt:
+  qvm.prefs:
+    - name: sys-dnscrypt
+    - netvm: sys-net
+    - memory: 400
+    - maxmem: 1500
+    - vcpus: 2
+    - provides-network: True
+
+qvm-features-dnscrypt:
+  qvm.features:
+    - name: sys-dnscrypt
+    - ipv6: ''
+    - disable:
+      - service.cups
+      - service.cups-browsed
+      - service.tinyproxy

dnscrypt/create.top

@@ -0,0 +1,4 @@
+base:
+  dom0:
+    - match: nodegroup
+    - dnscrypt.create

dnscrypt/dnscrypt-proxy-linux_x86_64-2.1.7.tar.gz.minisig

@@ -0,0 +1,4 @@
+untrusted comment: signature from minisign secret key
+RUTk1xXqcTODeVqnC4FZOW9gfNWl5dCXgA8fvzcWfgYdfQx6AQXsNOqRqLeVWSg8QYy2ziEcffma0kucUKs5vKV0YRwUcc8VtAw=
+trusted comment: timestamp:1736607535	file:dnscrypt-proxy-linux_x86_64-2.1.7.tar.gz	hashed
+D6P7KGouVkCaWta151nB6P8kZ9D1nmkrE/poPd4PsCpVlNQuwbGVrJYGyfYWY35a51745RlmxIArEeudIf4bAQ==

dnscrypt/install.sls

@@ -0,0 +1,49 @@
+# vim: set syntax=yaml ts=2 sw=2 sts=2 et :
+#
+#
+#
+
+{% if salt['pillar.get']('update_proxy:caching') %}
+{% set proxy = 'cacher' %}
+{% endif %}
+
+{% if grains['nodename'] != 'dom0' %}
+{% if grains['os_family']|lower == 'debian' %}
+{% if grains['nodename']|lower != 'host' %}
+{% if proxy  == 'cacher' %}
+{% for repo in salt['file.find']('/etc/apt/sources.list.d/', name='*list') %}
+{{ repo }}_baseurl:
+  file.replace:
+    - name: {{ repo }}
+    - pattern: 'https://'
+    - repl: 'http://HTTPS///'
+    - flags: [ 'IGNORECASE', 'MULTILINE' ]
+    - backup: False
+
+{% endfor %}
+
+/etc/apt/sources.list:
+  file.replace:
+    - name: /etc/apt/sources.list
+    - pattern: 'https:'
+    - repl: 'http://HTTPS/'
+    - flags: [ 'IGNORECASE', 'MULTILINE' ]
+    - backup: False
+
+{% endif %}
+
+installed_dnscrypt:
+  pkg.installed:
+    - pkgs:
+      - qubes-core-agent-networking
+
+dnscrypt_extract:
+  archive.extracted:
+    - name: /etc/skel/
+    - source: salt://dnscrypt/dnscrypt-proxy-linux_x86_64-2.1.7.tar.gz
+    - user: user
+    - group: user
+
+{% endif %}
+{% endif %}
+{% endif %}

dnscrypt/install.top

@@ -0,0 +1,5 @@
+# vim: set syntax=yaml ts=2 sw=2 sts=2 et :
+
+base:
+  template-dnscrypt:
+    - dnscrypt.install