From f629df4a4cda3ddc9b5fcfe6d1bc531f48bc157c Mon Sep 17 00:00:00 2001
From: unman <unman@thirdeyesecurity.org>
Date: Fri, 11 Apr 2025 13:36:44 +0000
Subject: [PATCH] Tailscale - Create template and install service

---
 tailscale/create.sls  | 20 ++++++++++
 tailscale/create.top  |  4 ++
 tailscale/install.sls | 88 +++++++++++++++++++++++++++++++++++++++++++
 tailscale/install.top |  4 ++
 4 files changed, 116 insertions(+)
 create mode 100644 tailscale/create.sls
 create mode 100644 tailscale/create.top
 create mode 100644 tailscale/install.sls
 create mode 100644 tailscale/install.top

diff --git a/tailscale/create.sls b/tailscale/create.sls
new file mode 100644
index 0000000..3b2372e
--- /dev/null
+++ b/tailscale/create.sls
@@ -0,0 +1,20 @@
+qvm-present-tailscale:
+  qvm.present:
+    - name: sys-tailscale
+    - class: AppVM
+    - template: template-tailscale
+    - label: green
+
+qvm-prefs-tailscale:
+  qvm.prefs:
+    - name: sys-tailscale
+    - memory: 400
+    - maxmem: 4000
+    - vcpus: 2
+    - provides-network: True
+
+qvm-features-tailscale:
+  qvm.features:
+    - name: sys-tailscale
+    - disable:
+      - service.tinyproxy
diff --git a/tailscale/create.top b/tailscale/create.top
new file mode 100644
index 0000000..12d5ee2
--- /dev/null
+++ b/tailscale/create.top
@@ -0,0 +1,4 @@
+base:
+  dom0:
+    - match: nodegroup
+    - tailscale.create
diff --git a/tailscale/install.sls b/tailscale/install.sls
new file mode 100644
index 0000000..3793890
--- /dev/null
+++ b/tailscale/install.sls
@@ -0,0 +1,88 @@
+# vim: set syntax=yaml ts=2 sw=2 sts=2 et :
+#
+#
+#
+
+{% if salt['pillar.get']('update_proxy:caching') %}
+{% set proxy = 'cacher' %}
+{% endif %}
+
+{% if grains['nodename'] != 'dom0' %}
+{% if grains['os_family']|lower == 'debian' %}
+{% if grains['nodename']|lower != 'host' %}
+{% if proxy  == 'cacher' %}
+{% for repo in salt['file.find']('/etc/apt/sources.list.d/', name='*list') %}
+{{ repo }}_baseurl:
+  file.replace:
+    - name: {{ repo }}
+    - pattern: 'https://'
+    - repl: 'http://HTTPS///'
+    - flags: [ 'IGNORECASE', 'MULTILINE' ]
+    - backup: False
+
+{% endfor %}
+
+/etc/apt/sources.list:
+  file.replace:
+    - name: /etc/apt/sources.list
+    - pattern: 'https:'
+    - repl: 'http://HTTPS/'
+    - flags: [ 'IGNORECASE', 'MULTILINE' ]
+    - backup: False
+
+{% endif %}
+
+requirements_installed:
+  pkg.installed:
+    - refresh: True
+    - pkgs:
+      - qubes-core-agent-networking
+      - qubes-core-agent-passwordless-root
+      - iproute2
+      - libnotify-bin
+      - lsb-release
+      - xz-utils
+
+/etc/apt/sources.list.d/tailscale.list:
+  file.managed:
+    - source:
+      - salt://tailscale/tailscale.list
+    - user: root
+    - group: root
+    - makedirs: True
+
+/usr/share/keyrings/tailscale-archive-keyring.gpg:
+  file.managed:
+    - source:
+      - salt://tailscale/bookworm.noarmor.gpg
+    - user: root
+    - group: root
+    - makedirs: True
+
+{% if proxy == 'cacher' %}
+use_cacher_tailscale:
+  file.replace:
+    - name: /etc/apt/sources.list.d/tailscale.list
+    - pattern: 'https:'
+    - repl: 'http://HTTPS/'
+    - flags: [ 'IGNORECASE', 'MULTILINE' ]
+    - backup: False
+
+{% endif %}
+
+tailscale_installed:
+  pkg.installed:
+    - refresh: True
+    - pkgs:
+      - tailscale
+
+disable_tailscaled:
+  service.disabled:
+    - name: tailscaled
+
+mask_tailscaled:
+  service.masked:
+    - name: tailscaled
+{% endif %}
+{% endif %}
+{% endif %}
diff --git a/tailscale/install.top b/tailscale/install.top
new file mode 100644
index 0000000..0090bca
--- /dev/null
+++ b/tailscale/install.top
@@ -0,0 +1,4 @@
+base:
+  dom0:
+    - match: nodegroup
+    - tailscale.install