From ddef63b3c62ece8a0345535f9ee19cf5f2016791 Mon Sep 17 00:00:00 2001
From: unman <unman@thirdeyesecurity.org>
Date: Fri, 5 Feb 2021 15:51:19 +0000
Subject: [PATCH] Split GPG - back end template and 'gpg' qube

---
 gpg/clone.sls   | 12 ++++++++++++
 gpg/clone.top   |  4 ++++
 gpg/create.sls  | 32 ++++++++++++++++++++++++++++++++
 gpg/create.top  |  4 ++++
 gpg/install.sls | 26 ++++++++++++++++++++++++++
 gpg/install.top |  5 +++++
 6 files changed, 83 insertions(+)
 create mode 100644 gpg/clone.sls
 create mode 100644 gpg/clone.top
 create mode 100644 gpg/create.sls
 create mode 100644 gpg/create.top
 create mode 100644 gpg/install.sls
 create mode 100644 gpg/install.top

diff --git a/gpg/clone.sls b/gpg/clone.sls
new file mode 100644
index 0000000..3c31de3
--- /dev/null
+++ b/gpg/clone.sls
@@ -0,0 +1,12 @@
+include:
+  - template-debian-10-minimal
+
+qvm-clone-id:
+  qvm.clone:
+    - require:
+      - sls: template-debian-10-minimal 
+    - name: template-gpg
+    - source: debian-10-minimal
+
+'sudo qubes-dom0-update qubes-gpg-split-dom0':
+  cmd.run
diff --git a/gpg/clone.top b/gpg/clone.top
new file mode 100644
index 0000000..724b50a
--- /dev/null
+++ b/gpg/clone.top
@@ -0,0 +1,4 @@
+base:
+  dom0:
+    - match: nodegroup
+    - gpg.clone
diff --git a/gpg/create.sls b/gpg/create.sls
new file mode 100644
index 0000000..c136536
--- /dev/null
+++ b/gpg/create.sls
@@ -0,0 +1,32 @@
+include:
+  - gpg.clone
+
+qvm-present-id:
+  qvm.present:
+    - name: gpg
+    - template: template-gpg
+    - label: gray
+
+qvm-prefs-id:
+  qvm.prefs:
+    - name: gpg
+    - netvm: none
+    - memory: 400
+    - maxmem: 800
+    - vcpus: 2
+
+qvm-features-id:
+  qvm.features:
+    - name: gpg
+    - disable:
+      - service.cups
+      - service.cups-browsed
+
+'qvm-volume extend gpg:private 10G' :
+  cmd.run
+
+update_file:
+  file.prepend:
+    - name: '/etc/qubes-rpc/policy/qubes.Gpg'
+    - text: '@anyvm @anyvm ask,default_target=gpg'
+
diff --git a/gpg/create.top b/gpg/create.top
new file mode 100644
index 0000000..df1d589
--- /dev/null
+++ b/gpg/create.top
@@ -0,0 +1,4 @@
+base:
+  dom0:
+    - match: nodegroup
+    - gpg.create
diff --git a/gpg/install.sls b/gpg/install.sls
new file mode 100644
index 0000000..3a9b77d
--- /dev/null
+++ b/gpg/install.sls
@@ -0,0 +1,26 @@
+# vim: set syntax=yaml ts=2 sw=2 sts=2 et :
+
+/etc/apt/sources.list:
+  file.replace:
+    - pattern: 'https:'
+    - repl: 'http://HTTPS/'
+    - flags: [ 'IGNORECASE', 'MULTILINE' ]
+
+/etc/apt/sources.list.d/qubes-r4.list:
+  file.replace:
+    - pattern: 'https:'
+    - repl: 'http://HTTPS/'
+    - flags: [ 'IGNORECASE', 'MULTILINE' ]
+
+allow-testing:
+  file.uncomment:
+    - name: /etc/apt/sources.list.d/qubes-r4.list
+    - regex: ^deb\s.*qubes-os.org.*-testing
+    - backup: false
+
+installed:
+  pkg.installed:
+    - pkgs:
+      - qubes-gpg-split
+      - gnupg
+      - keepassxc
diff --git a/gpg/install.top b/gpg/install.top
new file mode 100644
index 0000000..12df7ee
--- /dev/null
+++ b/gpg/install.top
@@ -0,0 +1,5 @@
+# vim: set syntax=yaml ts=2 sw=2 sts=2 et :
+
+base:
+  template-gpg:
+  - gpg.install