--- /dev/null
+# Released under MIT License
+
+Copyright (c) 2025 Andreas Glashauser.
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
--- /dev/null
+This repository contains my personal QubesOs SaltStack configuration states. You are welcome to use them as-is, or even better, draw inspiration from them for your own setup and adapt them to your needs.
+
+For detailed information on QubesOs SaltStack integration, please refer to the [official documentation](https://www.qubes-os.org/doc/salt/).
+
+If you encounter any issues, have questions, or require further clarification, feel free to contact me.
--- /dev/null
+template:
+ debian:
+ - version: 12
+ fedora:
+ - version: 41
+ whonix:
+ - version: 17
--- /dev/null
+# vim: set syntax=yaml ts=2 sw=2 sts=2 et :
+#
+
+# ===== User Defined Salt Pillars =============================================
+
+#user:
+# '*':
+# - custom
+
+user:
+ '*':
+ - templates
--- /dev/null
+{% if grains['id'] == 'dom0' %}
+
+include:
+ - archive.archive--create-template
+
+archive--create-app-qube:
+ qvm.vm:
+ - name: q-archive
+ - present:
+ - template: template-archive
+ - label: black
+ - prefs:
+ - label: black
+ - guivm: dom0
+ - audiovm:
+ - netvm:
+ - features:
+ - set:
+ - menu-items: debian-xterm.desktop
+ - service:
+ - enable:
+ - shutdown-idle
+ - require:
+ - qvm: archive--create-template
+
+{% endif %}
--- /dev/null
+{% import "templates/versions.jinja" as version %}
+
+include:
+ - templates.templates--install-debian-minimal
+
+{% if grains['id'] == 'dom0' %}
+
+archive--create-template:
+ qvm.clone:
+ - name: template-archive
+ - source: debian-{{ version.debian }}-minimal
+ - class: TemplateVM
+ - require:
+ - qvm: templates--install-debian-{{ version.debian }}-minimal
+
+archive--create-template-prefs:
+ qvm.prefs:
+ - name: template-archive
+ - audiovm:
+ - guivm: dom0
+ - netvm:
+ - require:
+ - qvm: archive--create-template
+
+{% endif %}
--- /dev/null
+{% if grains['id'] == 'template-archive' %}
+
+archive--install-packages:
+ pkg.installed:
+ - refresh: True
+ - pkgs:
+ - qubes-app-shutdown-idle
+
+{% endif %}
--- /dev/null
+include:
+ - archive.archive--create-template
+ - archive.archive--install-packages
+ - archive.archive--create-app-qube
--- /dev/null
+#!/bin/bash
+export HISTSIZE=5
+export HISTFILESIZE=5
--- /dev/null
+bash--limit-bash-history:
+ file.managed:
+ - name: /etc/profile.d/limit_bash_history.sh
+ - source: salt://common/bash/files/conf
+ - mode: 755
+ - user: root
+ - group: root
--- /dev/null
+darkmode--configure-profile:
+ file.managed:
+ - name: /etc/profile.d/darkmode.sh
+ - source: salt://common/darkmode/files/darkmode.sh
+ - user: root
+ - group: root
+ - mode: 755
+
+darkmode--configure-environment:
+ file.append:
+ - name: /etc/environment
+ - source: salt://common/darkmode/files/environment
--- /dev/null
+{% if grains['id'] == 'dom0' %}
+
+darkmode--dom0-install-packages:
+ pkg.installed:
+ - refresh: True
+ - pkgs:
+ - qt5-qtstyleplugins
+
+{% endif %}
--- /dev/null
+#!/bin/bash
+export QT_QPA_PLATFORMTHEME=gtk2
+export QT_STYLE_OVERRIDE=Adwaita-dark
+export GTK_THEME=Adwaita:dark
--- /dev/null
+QT_QPA_PLATFORMTHEME=gtk2
--- /dev/null
+include:
+ - common.darkmode.darkmode--configure
+ - common.darkmode.darkmode--install-packages
--- /dev/null
+{% if grains['id'] == 'dom0' %}
+
+disk-trimming--configure-cron-trim:
+ file.managed:
+ - name: /etc/cron.hourly/trim
+ - source: salt://common/disk-trimming/files/trim-script
+ - user: root
+ - group: root
+ - mode: 755
+
+{% endif %}
--- /dev/null
+#!/bin/bash
+/sbin/fstrim --all
--- /dev/null
+include:
+ - common.disk-trimming.disk-trimming--configure
--- /dev/null
+# This file is part of systemd.
+#
+# systemd is free software; you can redistribute it and/or modify it under the
+# terms of the GNU Lesser General Public License as published by the Free
+# Software Foundation; either version 2.1 of the License, or (at your option)
+# any later version.
+#
+# Entries in this file show the compile time defaults. Local configuration
+# should be created by either modifying this file, or by creating "drop-ins" in
+# the journald.conf.d/ subdirectory. The latter is generally recommended.
+# Defaults can be restored by simply deleting this file and all drop-ins.
+#
+# Use 'systemd-analyze cat-config systemd/journald.conf' to display the full config.
+#
+# See journald.conf(5) for details.
+
+[Journal]
+Storage=none
+#Compress=yes
+#Seal=yes
+#SplitMode=uid
+#SyncIntervalSec=5m
+#RateLimitIntervalSec=30s
+#RateLimitBurst=10000
+#SystemMaxUse=
+#SystemKeepFree=
+#SystemMaxFileSize=
+#SystemMaxFiles=100
+#RuntimeMaxUse=
+#RuntimeKeepFree=
+#RuntimeMaxFileSize=
+#RuntimeMaxFiles=100
+#MaxRetentionSec=
+#MaxFileSec=1month
+#ForwardToSyslog=yes
+#ForwardToKMsg=no
+#ForwardToConsole=no
+#ForwardToWall=yes
+#TTYPath=/dev/console
+#MaxLevelStore=debug
+#MaxLevelSyslog=debug
+#MaxLevelKMsg=notice
+#MaxLevelConsole=info
+#MaxLevelWall=emerg
+#LineMax=48K
+#ReadKMsg=yes
+#Audit=no
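Review bot: `Storage=none` in the `[Journal]` section discards every journal entry, so when something misbehaves inside the qube there is nothing left to inspect and `journalctl -u <unit>` comes back empty. If the aim is only to keep logs off the qube's disk, `Storage=volatile` keeps them in RAM under `/run/log/journal` and drops them at shutdown, and `RuntimeMaxUse=` can cap how much memory they take. Whichever setting is kept, the intent is not obvious from a single uncommented line; a comment directly above it such as `# no persistent journal: nothing is written to disk, logs are lost at shutdown` would make the trade-off explicit for the next reader.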
--- /dev/null
+include:
+ - common.journald.journald--configure
--- /dev/null
+journald--configure:
+ file.managed:
+ - name: /etc/systemd/journald.conf
+ - source: salt://common/journald/files/journald.conf
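Review bot: Nothing restarts systemd-journald after `journald--configure` rewrites `/etc/systemd/journald.conf`, so the `Storage=` change only becomes effective at the qube's next boot; a `service.running` state that watches this file closes that gap. The state also sets no `user`/`group`/`mode`, unlike the other `file.managed` states in this change (the bash, darkmode and disk-trimming ones), so an existing file silently keeps whatever ownership it already had. Making both explicit looks like this:
```yaml
journald--configure:
  file.managed:
    - name: /etc/systemd/journald.conf
    - source: salt://common/journald/files/journald.conf
    - user: root
    - group: root
    - mode: 644

journald--restart:
  service.running:
    - name: systemd-journald
    - watch:
      - file: journald--configure
```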
--- /dev/null
+blacklist snd
+blacklist snd_timer
+blacklist snd_seq_device
+blacklist snd_seq
+blacklist snd_hrtimer
+blacklist snd_seq_dummy
+blacklist snd_pcm
+blacklist soundcore
+blacklist pcspkr
+blacklist snd_pcsp
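Review bot: `blacklist` lines only suppress alias-based autoloading; any of these modules can still be loaded as a dependency of another module or by an explicit `modprobe`, so this file does not reliably keep sound support out of the non-dom0 qubes that the `file.append` state in the next hunk targets. If the intent is to make audio unavailable in those qubes, the stronger form is one `install <module> /bin/false` line per module (for example `install snd /bin/false`), which refuses the load regardless of who requests it. Note that `file.append` only adds lines that are not yet present, so switching the file to that form later will leave the old `blacklist` lines in place until they are removed explicitly.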
--- /dev/null
+{% if grains['id'] != 'dom0' %}
+
+/etc/modprobe.d/blacklist.conf:
+ file.append:
+ - source: salt://common/kernel/files/sound-modules
+
+{% endif %}
--- /dev/null
+/var/log/*log /var/log/**/*log {
+ hourly
+ missingok
+ rotate 1
+ size 1k
+ copytruncate
+ create 0644 root root
+}
--- /dev/null
+{% if grains['id'] == 'dom0' %}
+
+/etc/logrotate.d/force_hourly_log_cleanup:
+ file.managed:
+ - source: salt://common/logrotate/files/force_hourly_log_cleanup
+ - mode: 755
+ - user: root
+ - group: root
+
+{% endif %}
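Review bot: `mode: 755` on `/etc/logrotate.d/force_hourly_log_cleanup` makes a plain configuration file executable; logrotate never executes it, and `- mode: 644` is the conventional mode for files in that directory. Separately, the `hourly` directive in the config from the previous hunk only fires if logrotate itself is invoked hourly; on a Fedora-based dom0 the stock `logrotate.timer` runs daily as far as I can tell, so unless an hourly trigger exists the `size 1k` rotation happens once a day. A comment above the state naming the trigger it relies on would let a reader check that assumption.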
--- /dev/null
+## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+## This is a default sources.list for Anonymity Linux Distributions,
+## which are derivatives of Debian.
+
+## If you want to see the example, which came with the upstream
+## distribution, see: /usr/share/doc/apt/examples/sources.list
+
+## Instead of directly editing this file,
+## the user is advised to create the following file:
+## /etc/apt/sources.list.d/user.list
+## This is because when this package gets updated,
+## /etc/apt/sources.list.d/debian.list will be overwritten and may receive new
+## new default values and comments. The entire folder /etc/apt/sources.list.d/
+## gets scanned for additional sources.list files by apt-get.
+## The user may keep their settings even after updating this package.
+##
+## Without graphical user interface, you can use for example:
+## sudoedit /etc/apt/sources.list.d/user.list
+## With graphical user interface (Xfce), you can use for example:
+## gsudoedit /etc/apt/sources.list.d/user.list
+
+#deb tor+https://deb.debian.org/debian bookworm main contrib non-free non-free-firmware
+#deb tor+https://deb.debian.org/debian bookworm-updates main contrib non-free non-free-firmware
+#deb tor+https://deb.debian.org/debian-security bookworm-security main contrib non-free non-free-firmware
+#deb tor+https://deb.debian.org/debian bookworm-backports main contrib non-free non-free-firmware
+deb tor+https://fasttrack.debian.net/debian bookworm-fasttrack main contrib non-free
+
+deb tor+http://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion/debian bookworm main contrib non-free non-free-firmware
+deb tor+http://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion/debian bookworm-updates main contrib non-free non-free-firmware
+deb tor+http://5ajw6aqf3ep7sijnscdzw77t7xq4xjpsy335yb2wiwgouo7yfxtjlmid.onion/debian-security bookworm-security main contrib non-free non-free-firmware
+deb tor+http://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion/debian bookworm-backports main contrib non-free non-free-firmware
+## No onion for fasttrack yet: https://salsa.debian.org/fasttrack-team/support/-/issues/27
+
+####
+
+#deb-src tor+https://deb.debian.org/debian bookworm main contrib non-free non-free-firmware
+#deb-src tor+https://deb.debian.org/debian bookworm-updates main contrib non-free non-free-firmware
+#deb-src tor+https://deb.debian.org/debian-security bookworm-security main contrib non-free non-free-firmware
+#deb-src tor+https://deb.debian.org/debian bookworm-backports main contrib non-free non-free-firmware
+#deb-src tor+https://fasttrack.debian.net/debian bookworm-fasttrack main contrib non-free
+
+#deb-src tor+http://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion/debian bookworm main contrib non-free non-free-firmware
+#deb-src tor+http://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion/debian bookworm-updates main contrib non-free non-free-firmware
+#deb-src tor+http://5ajw6aqf3ep7sijnscdzw77t7xq4xjpsy335yb2wiwgouo7yfxtjlmid.onion/debian-security bookworm-security main contrib non-free non-free-firmware
+#deb-src tor+http://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion/debian bookworm-backports main contrib non-free
+## No onion for fasttrack yet: https://salsa.debian.org/fasttrack-team/support/-/issues/27
+
+#### meta start
+#### project Whonix and Kicksecure
+#### category networking and apt
+#### description
+## Debian APT repository sources.list
+##
+## Configured to use <code>tor+https</code>.
+##
+## Technical notes:
+## - Why are sources (deb-src) disabled by default?
+## Because those are not required by most users, to save time while
+## running <code>sudo apt update</code>.
+## - See also: https://www.debian.org/security/
+## - See also: <code>/etc/apt/sources.list.d/</code>
+## - Same format as https://onion.debian.org
+## - https://fasttrack.debian.net/
+#### meta end
--- /dev/null
+[qubes-vm-r4.2-current]
+name = Qubes OS Repository for VM (updates)
+baseurl = https://yum.qubes-os.org/r4.2/current/vm/fc$releasever
+#baseurl = http://yum.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r4.2/current/vm/fc$releasever
+gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-qubes-4.2-primary
+skip_if_unavailable=False
+gpgcheck = 1
+repo_gpgcheck = 1
+enabled=1
+
+[qubes-vm-r4.2-current-testing]
+name = Qubes OS Repository for VM (updates-testing)
+baseurl = https://yum.qubes-os.org/r4.2/current-testing/vm/fc$releasever
+#baseurl = http://yum.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r4.2/current-testing/vm/fc$releasever
+gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-qubes-4.2-primary
+skip_if_unavailable=False
+gpgcheck = 1
+repo_gpgcheck = 1
+enabled=0
+
+[qubes-vm-r4.2-security-testing]
+name = Qubes OS Repository for VM (security-testing)
+baseurl = https://yum.qubes-os.org/r4.2/security-testing/vm/fc$releasever
+#baseurl = http://yum.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r4.2/security-testing/vm/fc$releasever
+gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-qubes-4.2-primary
+skip_if_unavailable=False
+gpgcheck = 1
+repo_gpgcheck = 1
+enabled=0
+
+[qubes-vm-r4.2-unstable]
+name = Qubes OS Repository for VM (unstable)
+baseurl = https://yum.qubes-os.org/r4.2/unstable/vm/fc$releasever
+#baseurl = http://yum.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r4.2/unstable/vm/fc$releasever
+gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-qubes-4.2-unstable
+gpgcheck = 1
+repo_gpgcheck = 1
+enabled=0
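Review bot: In every section of this repo file the active `baseurl` is the clearnet `https://yum.qubes-os.org` one while the `.onion` `baseurl` directly under it stays commented out, so the file presumably installed as `/etc/yum.repos.d/qubes-r4.repo` by `onionize-repositories--fedora-qubes-repos` does not switch the Fedora templates to the onion mirror; the same pattern appears in qubes-dom0.repo, qubes-r4.list and qubes-templates.repo in the following hunks. If that is intentional because the Qubes updates proxy already routes through Tor, a one-line comment at the top of each file saying so would prevent the surprise; if not, the comment markers on the two `baseurl` lines need swapping. The `[qubes-vm-r4.2-unstable]` section is also the only one without `skip_if_unavailable=False`, which looks like an upstream copy inconsistency worth aligning.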
--- /dev/null
+[qubes-dom0-current]
+name = Qubes Host Repository (updates)
+baseurl = https://yum.qubes-os.org/r$releasever/current/host/fc37
+#baseurl = http://yum.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r$releasever/current/host/fc37
+#metalink = https://yum.qubes-os.org/r$releasever/current/host/fc37/repodata/repomd.xml.metalink
+skip_if_unavailable=False
+enabled = 1
+metadata_expire = 6h
+gpgcheck = 1
+gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-qubes-$releasever-primary
+
+[qubes-dom0-current-testing]
+name = Qubes Host Repository (updates-testing)
+baseurl = https://yum.qubes-os.org/r$releasever/current-testing/host/fc37
+#baseurl = http://yum.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r$releasever/current-testing/host/fc37
+#metalink = https://yum.qubes-os.org/r$releasever/current-testing/host/fc37/repodata/repomd.xml.metalink
+skip_if_unavailable=False
+enabled = 0
+metadata_expire = 6h
+gpgcheck = 1
+gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-qubes-$releasever-primary
+
+[qubes-dom0-security-testing]
+name = Qubes Host Repository (security-testing)
+baseurl = https://yum.qubes-os.org/r$releasever/security-testing/host/fc37
+#baseurl = http://yum.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r$releasever/security-testing/host/fc37
+#metalink = https://yum.qubes-os.org/r$releasever/security-testing/host/fc37/repodata/repomd.xml.metalink
+skip_if_unavailable=False
+enabled = 0
+metadata_expire = 6h
+gpgcheck = 1
+gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-qubes-$releasever-primary
+
+[qubes-dom0-unstable]
+name = Qubes Host Repository (unstable)
+baseurl = https://yum.qubes-os.org/r$releasever/unstable/host/fc37
+#baseurl = http://yum.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r$releasever/unstable/host/fc37
+#metalink = https://yum.qubes-os.org/r$releasever/unstable/host/fc37/repodata/repomd.xml.metalink
+skip_if_unavailable=False
+enabled = 0
+gpgcheck = 1
+gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-qubes-$releasever-unstable
+
--- /dev/null
+# Main qubes updates repository
+deb [arch=amd64 signed-by=/usr/share/keyrings/qubes-archive-keyring-4.2.gpg ] https://deb.qubes-os.org/r4.2/vm bookworm main
+#deb-src [arch=amd64 signed-by=/usr/share/keyrings/qubes-archive-keyring-4.2.gpg ] https://deb.qubes-os.org/r4.2/vm bookworm main
+
+# Qubes updates candidates repository
+#deb [arch=amd64 signed-by=/usr/share/keyrings/qubes-archive-keyring-4.2.gpg] https://deb.qubes-os.org/r4.2/vm bookworm-testing main
+#deb-src [arch=amd64 signed-by=/usr/share/keyrings/qubes-archive-keyring-4.2.gpg ] https://deb.qubes-os.org/r4.2/vm bookworm-testing main
+
+# Qubes security updates testing repository
+#deb [arch=amd64 signed-by=/usr/share/keyrings/qubes-archive-keyring-4.2.gpg] https://deb.qubes-os.org/r4.2/vm bookworm-securitytesting main
+#deb-src [arch=amd64 signed-by=/usr/share/keyrings/qubes-archive-keyring-4.2.gpg ] https://deb.qubes-os.org/r4.2/vm bookworm-securitytesting main
+
+# Qubes experimental/unstable repository
+#deb [arch=amd64 signed-by=/usr/share/keyrings/qubes-archive-keyring-4.2.gpg] https://deb.qubes-os.org/r4.2/vm bookworm-unstable main
+#deb-src [arch=amd64 signed-by=/usr/share/keyrings/qubes-archive-keyring-4.2.gpg ] https://deb.qubes-os.org/r4.2/vm bookworm-unstable main
+
+
+# Qubes Tor updates repositories
+# Main qubes updates repository
+#deb [arch=amd64 signed-by=/usr/share/keyrings/qubes-archive-keyring-4.2.gpg] tor+http://deb.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r4.2/vm bookworm main
+#deb-src [arch=amd64 signed-by=/usr/share/keyrings/qubes-archive-keyring-4.2.gpg ] tor+http://deb.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r4.2/vm bookworm main
+
+# Qubes updates candidates repository
+#deb [arch=amd64 signed-by=/usr/share/keyrings/qubes-archive-keyring-4.2.gpg] tor+http://deb.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r4.2/vm bookworm-testing main
+#deb-src [arch=amd64 signed-by=/usr/share/keyrings/qubes-archive-keyring-4.2.gpg ] tor+http://deb.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r4.2/vm bookworm-testing main
+
+# Qubes security updates testing repository
+#deb [arch=amd64 signed-by=/usr/share/keyrings/qubes-archive-keyring-4.2.gpg] tor+http://deb.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r4.2/vm bookworm-securitytesting main
+#deb-src [arch=amd64 signed-by=/usr/share/keyrings/qubes-archive-keyring-4.2.gpg ] tor+http://deb.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r4.2/vm bookworm-securitytesting main
+
+# Qubes experimental/unstable repository
+#deb [arch=amd64 signed-by=/usr/share/keyrings/qubes-archive-keyring-4.2.gpg] tor+http://deb.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r4.2/vm bookworm-unstable main
+#deb-src [arch=amd64 signed-by=/usr/share/keyrings/qubes-archive-keyring-4.2.gpg ] tor+http://deb.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r4.2/vm bookworm-unstable main
--- /dev/null
+[qubes-templates-itl]
+name = Qubes Templates repository
+baseurl = https://yum.qubes-os.org/r$releasever/templates-itl
+#baseurl = http://yum.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r$releasever/templates-itl
+#metalink = https://yum.qubes-os.org/r$releasever/templates-itl/repodata/repomd.xml.metalink
+enabled = 1
+fastestmirror = 1
+metadata_expire = 7d
+gpgcheck = 1
+gpgkey = file:///etc/qubes/repo-templates/keys/RPM-GPG-KEY-qubes-$releasever-primary
+
+[qubes-templates-itl-testing]
+name = Qubes Templates repository
+baseurl = https://yum.qubes-os.org/r$releasever/templates-itl-testing
+#baseurl = http://yum.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r$releasever/templates-itl-testing
+#metalink = https://yum.qubes-os.org/r$releasever/templates-itl-testing/repodata/repomd.xml.metalink
+enabled = 0
+fastestmirror = 1
+gpgcheck = 1
+gpgkey = file:///etc/qubes/repo-templates/keys/RPM-GPG-KEY-qubes-$releasever-primary
+
+[qubes-templates-community]
+name = Qubes Community Templates repository
+baseurl = https://yum.qubes-os.org/r$releasever/templates-community
+#baseurl = http://yum.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r$releasever/templates-community
+#metalink = https://yum.qubes-os.org/r$releasever/templates-community/repodata/repomd.xml.metalink
+enabled = 0
+fastestmirror = 1
+metadata_expire = 7d
+gpgcheck = 1
+gpgkey = file:///etc/qubes/repo-templates/keys/RPM-GPG-KEY-qubes-$releasever-templates-community
+
+[qubes-templates-community-testing]
+name = Qubes Community Templates repository
+baseurl = https://yum.qubes-os.org/r$releasever/templates-community-testing
+#baseurl = http://yum.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r$releasever/templates-community-testing
+#metalink = https://yum.qubes-os.org/r$releasever/templates-community-testing/repodata/repomd.xml.metalink
+enabled = 0
+fastestmirror = 1
+gpgcheck = 1
+gpgkey = file:///etc/qubes/repo-templates/keys/RPM-GPG-KEY-qubes-$releasever-templates-community
+
--- /dev/null
+#deb https://deb.debian.org/debian bookworm main contrib non-free
+deb tor+http://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion/debian bookworm main contrib non-free non-free-firmware
+
+#deb https://deb.debian.org/debian-security bookworm-security main contrib non-free
+deb tor+http://5ajw6aqf3ep7sijnscdzw77t7xq4xjpsy335yb2wiwgouo7yfxtjlmid.onion bookworm-security main contrib non-free non-free-firmware
+
+#Optional Backports
+#deb https://deb.debian.org/debian bookworm-backports main contrib non-free
+deb tor+http://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion/debian bookworm-backports main contrib non-free non-free-firmware
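Review bot: The security line `deb tor+http://5ajw6aqf3ep7sijnscdzw77t7xq4xjpsy335yb2wiwgouo7yfxtjlmid.onion bookworm-security ...` has no `/debian-security` path, unlike the clearnet line commented directly above it and the equivalent onion line in the Whonix debian.list earlier in this change, so `apt update` will fail on the security suite and Debian templates built from this file receive no security updates. It should read `deb tor+http://5ajw6aqf3ep7sijnscdzw77t7xq4xjpsy335yb2wiwgouo7yfxtjlmid.onion/debian-security bookworm-security main contrib non-free non-free-firmware`. Since the onion transport is plain HTTP inside Tor, apt's signature verification against the Debian archive keys is the only integrity protection here; that is the normal setup, but a short comment stating it would help whoever edits this file next.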
--- /dev/null
+include:
+ - common.onionize-repositories.onionize-repositories--debian-install-packages
+ - common.onionize-repositories.onionize-repositories--debian-qubes-repos
+ - common.onionize-repositories.onionize-repositories--debian-repos
+ - common.onionize-repositories.onionize-repositories--domzero-repos
+ - common.onionize-repositories.onionize-repositories--domzero-template-repos
+ - common.onionize-repositories.onionize-repositories--fedora-qubes-repos
+ - common.onionize-repositories.onionize-repositories--whonix-debian-qubes-repos
+ - common.onionize-repositories.onionize-repositories--whonix-derivate
+ - common.onionize-repositories.onionize-repositories--whonix-repos
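Review bot: Several include names here differ from the state ids declared in the later hunks: `...--debian-qubes-repos` versus the id `onionize-repositories--debian-qubes-repo`, `...--domzero-repos` versus `onionize-repositories--dom0-repos`, and `...--whonix-derivate` versus `onionize-repositories--whonix-derivative`. Includes resolve SLS file names, which this diff does not show (there are no `+++` paths), so they may well be correct, but keeping file name and state id identical is what lets requisites such as `- pkg: onionize-repositories--debian-install-packages` be checked by eye. The same names recur in the per-OS init files later in this change, so any rename should be applied there too.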
--- /dev/null
+{% if grains['os'] == 'Debian' and 'whonix' not in grains['id'] %}
+
+onionize-repositories--debian-install-packages:
+ pkg.installed:
+ - pkgs:
+ - apt-transport-tor
+
+{% endif %}
--- /dev/null
+{% if grains['os'] == 'Debian' and 'whonix' not in grains['id'] %}
+
+onionize-repositories--debian-qubes-repo:
+ file.managed:
+ - name: /etc/apt/sources.list.d/qubes-r4.list
+ - source: salt://common/onionize-repositories/files/qubes-r4.list
+ - user: root
+ - group: root
+ - mode: 600
+ - require:
+ - pkg: onionize-repositories--debian-install-packages
+
+{% endif %}
--- /dev/null
+{% if grains['os'] == 'Debian' and 'whonix' not in grains['id'] %}
+
+onionize-repositories--debian-repos:
+ file.managed:
+ - name: /etc/apt/sources.list
+ - source: salt://common/onionize-repositories/files/sources.list
+ - user: root
+ - group: root
+ - mode: 600
+ - require:
+ - pkg: onionize-repositories--debian-install-packages
+
+{% endif %}
--- /dev/null
+include:
+ - common.onionize-repositories.onionize-repositories--debian-install-packages
+ - common.onionize-repositories.onionize-repositories--debian-repos
+ - common.onionize-repositories.onionize-repositories--debian-qubes-repos
--- /dev/null
+{% if grains['id'] == 'dom0' %}
+
+onionize-repositories--dom0-repos:
+ file.managed:
+ - name: /etc/yum.repos.d/qubes-dom0.repo
+ - source: salt://common/onionize-repositories/files/qubes-dom0.repo
+
+{% endif %}
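Review bot: `onionize-repositories--dom0-repos` sets no `user`/`group`/`mode` on `/etc/yum.repos.d/qubes-dom0.repo`, whereas the Debian and Fedora counterparts in this change pin `root:root` with `mode: 600`; the template-repo state in the next hunk has the same gap. For dom0, `- user: root`, `- group: root`, `- mode: 644` is the sensible explicit choice. `600` should not simply be copied over for the template repo file, because `qvm-template` in dom0 runs as the unprivileged user and, as far as I know, reads `/etc/qubes/repo-templates/` directly.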
--- /dev/null
+{% if grains['id'] == 'dom0' %}
+
+onionize-repositories--domzero-template-repos:
+ file.managed:
+ - name: /etc/qubes/repo-templates/qubes-templates.repo
+ - source: salt://common/onionize-repositories/files/qubes-templates.repo
+
+{% endif %}
--- /dev/null
+include:
+ - common.onionize-repositories.onionize-repositories--domzero-repos
+ - common.onionize-repositories.onionize-repositories--domzero-template-repos
--- /dev/null
+{% if grains['id'] != 'dom0' and grains['os'] == 'Fedora' %}
+
+onionize-repositories--fedora-qubes-repos:
+ file.managed:
+ - name: /etc/yum.repos.d/qubes-r4.repo
+ - source: salt://common/onionize-repositories/files/fedora-qubes-r4.repo
+ - user: root
+ - group: root
+ - mode: 600
+
+{% endif %}
--- /dev/null
+include:
+ - common.onionize-repositories.onionize-repositories--fedora-qubes-repos
--- /dev/null
+{% if 'whonix' in grains['id'] %}
+
+onionize-repositories--whonix-debian-qubes-repo:
+ file.managed:
+ - name: /etc/apt/sources.list.d/qubes-r4.list
+ - source: salt://common/onionize-repositories/files/qubes-r4.list
+ - user: root
+ - group: root
+ - mode: 600
+
+{% endif %}
--- /dev/null
+{% if 'whonix' in grains['id'] %}
+
+onionize-repositories--whonix-derivative:
+ cmd.run:
+ - name: repository-dist --enable --transport onion
+
+{% endif %}
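Review bot: `onionize-repositories--whonix-derivative` is a bare `cmd.run`, so `repository-dist --enable --transport onion` executes on every highstate and the state reports a change each time; `cmd.run` needs an `unless`, `creates` or `onchanges` guard to be idempotent. A guard can test the sources file that `repository-dist` writes, which on current Whonix is `/etc/apt/sources.list.d/derivative.list` as far as I know (confirm on a template), for example `- unless: grep -q '\.onion' /etc/apt/sources.list.d/derivative.list`. A comment saying which file the command modifies would also make the state reviewable without running it.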
--- /dev/null
+{% if 'whonix' in grains['id'] %}
+
+onionize-repositories--whonix-repos:
+ file.managed:
+ - name: /etc/apt/sources.list.d/debian.list
+ - source: salt://common/onionize-repositories/files/debian-sources.list
+ - user: root
+ - group: root
+ - mode: 600
+
+{% endif %}
--- /dev/null
+include:
+ - common.onionize-repositories.onionize-repositories--whonix-debian-qubes-repos
+ - common.onionize-repositories.onionize-repositories--whonix-derivate
+ - common.onionize-repositories.onionize-repositories--whonix-repos
+
--- /dev/null
+{% if grains['os'] == 'Debian' %}
+
+remove-unwanted--debian-packages:
+ pkg.removed:
+ - names:
+ - less
+ - nano
+ - tasksel
+ - less
+ - vim-common
+ - nftables
+ - fdisk
+ - eatmydata
+ - aptitude
+
+remove-unwanted--apt-cleanup:
+ cmd.run:
+ - name: "apt-get autoremove -y && apt-get clean && apt-get autopurge"
+ - onchanges:
+ - pkg: remove-unwanted--debian-packages
+
+{% endif %}
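Review bot: `apt-get autopurge` in `remove-unwanted--apt-cleanup` has no `-y`, so whenever autoremove leaves something to purge it prompts, reads EOF under Salt and aborts, failing the state; use `- name: "apt-get autoremove -y && apt-get autopurge -y && apt-get clean"` (autopurge subsumes autoremove, so one of the two can also just go). In the package list `less` appears twice. Removing `nftables` from every Debian qube deserves a second look: the mullvad-vpn rc.local and mullvad-dns.sh later in this change call `nft`, which that package provides, and the Qubes 4.2 in-VM firewall is nftables based, so a networking template built from this would lose its firewall tooling unless nftables is re-added there; confirm what `qubes-core-agent-networking` pulls back in before relying on it.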
--- /dev/null
+{% if grains['id'] != 'dom0' %}
+
+remove-unwanted--systemd-service-networkd:
+ service.masked:
+ - name: systemd-networkd.service
+
+remove-unwanted--systemd-service-networkd-socket:
+ service.masked:
+ - name: systemd-networkd.socket
+
+remove-unwanted--systemd-service-networkd-online:
+ service.masked:
+ - name: systemd-networkd-wait-online.service
+
+{% endif %}
--- /dev/null
+{% if grains['id'] == 'dom0' %}
+
+remove-unwanted--domzero-packages:
+ pkg.removed:
+ - pkgs:
+ - nano
+ - pipewire
+ - pavucontrol
+ - alsa-utils
+
+{% endif %}
--- /dev/null
+xterm*scrollBar: false
+xterm*background: black
+xterm*foreground: white
+xterm*selectToClipboard: true
+
+! if you do a double click on a ling, xterm now automatically selects the whole link
+xterm*charClass: 33:48,35-39:48,42-47:48,58-59:48,61:48,63:48,64:48,91-93:48,95:48,126:48
--- /dev/null
+/home/user/.Xresources:
+ file.managed:
+ - source: salt://common/xterm/files/Xresources
+ - mode: 0644
+ - user: user
+ - group: user
+
+"xrdb -merge /home/user/.Xresources":
+ cmd.run:
+ - user: user
--- /dev/null
+xterm--configure-xresources:
+ file.managed:
+ - name: /home/user/.Xresources
+ - source: salt://xterm/files/Xresources
+ - user: user
+ - group: user
+ - mode: 644
+
+{% set users = salt['cmd.run']('getent passwd | grep /home | cut -d: -f1').splitlines() %}
+
+{% for user in users %}
+
+xterm--confgiure-xresources-merge:
+ cmd.run:
+ - name: xrdb -merge /home/{{ user }}/.Xresources
+ - user: {{ user }}
+
+{% endfor %}
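Review bot: `xterm--confgiure-xresources-merge` (typo aside) is declared inside `{% for user in users %}`, so as soon as `getent passwd` yields two home-directory users the rendered SLS contains duplicate state ids and Salt rejects the file; suffix the id with the user, `xterm--configure-xresources-merge-{{ user }}:`, and quote the templated value, `- user: "{{ user }}"`. The `.Xresources` file itself is only managed for `/home/user` while the merge loop covers every user, and its `source` is `salt://xterm/files/Xresources` whereas the older xterm state earlier in this change uses `salt://common/xterm/files/Xresources`, so only one of the two paths can exist in the file roots. That earlier state (the `/home/user/.Xresources` and `"xrdb -merge ..."` pair) looks like a leftover of this one; if so, drop it rather than ship both.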
--- /dev/null
+{% import "templates/versions.jinja" as version %}
+
+include:
+ - templates.templates--install-debian-minimal
+
+{% if grains['id'] == 'dom0' %}
+
+default-dvm--create-template:
+ qvm.clone:
+ - name: template-default-dvm
+ - source: debian-{{ version.debian }}-minimal
+ - class: TemplateVM
+ - require:
+ - qvm: templates--install-debian-{{ version.debian }}-minimal
+
+default-dvm--template-prefs:
+ qvm.prefs:
+ - name: template-default-dvm
+ - label: purple
+ - audiovm:
+ - guivm: dom0
+ - netvm:
+ - require:
+ - qvm: default-dvm--create-template
+
+{% endif %}
--- /dev/null
+{% if grains['id'] == 'dom0' %}
+
+default-dvm--app-qube-prefs:
+ qvm.prefs:
+ - name: default-dvm
+ - label: red
+ - audiovm:
+ - guivm: dom0
+ - netvm:
+ - require:
+ - qvm: default-dvm--create-template
+
+{% endif %}
--- /dev/null
+include:
+ - default-dvm.default-dvm--create-template
+ - default-dvm.default-dvm--qube-prefs
--- /dev/null
+{% if grains['id'] == 'dom0' %}
+
+default-mgmt-dvm--create-app-qube:
+ qvm.vm:
+ - name: default-mgmt-dvm
+ - present:
+ - template: template-default-mgmt-dvm
+ - label: red
+ - prefs:
+ - label: red
+ - audiovm:
+ - guivm:
+ - netvm:
+ - template_for_dispvms: True
+ - require:
+ - qvm: default-mgmt-dvm--create-template
+
+{% endif %}
--- /dev/null
+{% import "templates/versions.jinja" as version %}
+
+include:
+ - templates.templates--install-debian-minimal
+
+{% if grains['id'] == 'dom0' %}
+
+default-mgmt-dvm--create-template:
+ qvm.clone:
+ - name: template-default-mgmt-dvm
+ - source: debian-{{ version.debian }}-minimal
+ - class: TemplateVM
+ - require:
+ - qvm: templates--install-debian-{{ version.debian }}-minimal
+
+default-mgmt-dvm--create-template-prefs:
+ qvm.prefs:
+ - name: template-default-mgmt-dvm
+ - label: red
+ - audiovm:
+ - guivm:
+ - netvm:
+ - require:
+ - qvm: default-mgmt-dvm--create-template
+
+
+{% endif %}
--- /dev/null
+{% if grains['id'] == 'template-default-mgmt-dvm' %}
+
+default-mgmt-dvm--install-packages:
+ pkg.installed:
+ - refresh: True
+ - pkgs:
+ - qubes-core-agent-passwordless-root
+ - qubes-mgmt-salt-vm-connector
+
+{% endif %}
--- /dev/null
+include:
+ - default-mgmt-dvm.default-mgmt-dvm--create-template
+ - default-mgmt-dvm.default-mgmt-dvm--install-packages
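Review bot: This init includes `default-mgmt-dvm--create-template` and `--install-packages` but not `default-mgmt-dvm--create-app-qube` from the earlier hunk, whose `require: - qvm: default-mgmt-dvm--create-template` can only resolve when both files are applied together. If leaving the app qube out is deliberate (Qubes already ships a `default-mgmt-dvm`), a comment on the include list saying so would stop the next reader from "fixing" it; otherwise add `- default-mgmt-dvm.default-mgmt-dvm--create-app-qube` here as the other init files in this change do for their app qubes.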
--- /dev/null
+{% if grains['id'] == 'dom0' %}
+
+dev--create-app-qube:
+ qvm.vm:
+ - name: q-dev
+ - present:
+ - template: template-dev
+ - label: orange
+ - prefs:
+ - label: orange
+ - netvm: sys-vpn-mullvad
+ - features:
+ - set:
+ - menu-items: xterm.desktop
+ - service:
+ - enable:
+ - shutdown-idle
+ - require:
+ - qvm: dev--create-template
+
+{% endif %}
--- /dev/null
+{% import "templates/versions.jinja" as version %}
+
+include:
+ - templates.templates--install-fedora-minimal
+
+{% if grains['id'] == 'dom0' %}
+
+dev--create-template:
+ qvm.clone:
+ - name: template-dev
+ - source: fedora-{{ version.fedora }}-minimal
+ - class: TemplateVM
+ - require:
+ - qvm: templates--install-fedora-{{ version.fedora }}-minimal
+
+dev--template-prefs:
+ qvm.prefs:
+ - name: template-dev
+ - label: orange
+ - audiovm:
+ - guivm:
+ - netvm:
+ - require:
+ - qvm: dev--create-template
+
+{% endif %}
--- /dev/null
+{% if grains['id'] == 'template-dev' %}
+
+dev--install-packages:
+ pkg.installed:
+ - refresh: True
+ - pkgs:
+ - qubes-core-agent-networking
+ - qubes-app-shutdown-idle
+ - neovim
+ - tmux
+ - git
+ - python3-virtualenvwrapper
+
+{% endif %}
--- /dev/null
+include:
+ - dev.dev--create-template
+ - dev.dev--install-packages
+ - dev.dev--create-app-qube
--- /dev/null
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+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+=kwTD
+-----END PGP PUBLIC KEY BLOCK-----
--- /dev/null
+deb [signed-by=/usr/share/keyrings/mullvad-keyring.asc arch=amd64] https://repository.mullvad.net/deb/stable bookworm main
--- /dev/null
+include:
+ - mullvad-browser.mullvad-browser--create-template
+ - mullvad-browser.mullvad-browser--configure-repos
+ - mullvad-browser.mullvad-browser--install-packages
+ - mullvad-browser.mullvad-browser--create-app-qube
--- /dev/null
+{% if grains['id'] == 'template-mullvad-browser' %}
+
+mullvad-browser--configure-repos:
+ file.managed:
+ - names:
+ - /usr/share/keyrings/mullvad-keyring.asc:
+ - source: salt://mullvad-browser/files/mullvad-keyring.asc
+ - /etc/apt/sources.list.d/mullvad.list:
+ - source: salt://mullvad-browser/files/mullvad.list
+
+{% endif %}
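Review bot: The keyring dropped by `mullvad-browser--configure-repos` is the trust root for everything installed from `repository.mullvad.net`, yet nothing in the state records which key it is supposed to be; add a comment such as `# mullvad signing key, fingerprint: <FINGERPRINT — verify against Mullvad's published key>` so a reviewer can check the file in the salt tree against the vendor's published fingerprint. The two `names` entries also set no `user`/`group`/`mode`, unlike the repo states earlier in this change; `/usr/share/keyrings/*.asc` must stay world-readable for apt, so `- mode: 644` with `root:root` is the right explicit value. The same keyring and list appear again under mullvad-vpn later in this change, so one copy in a shared location would avoid the two drifting apart.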
--- /dev/null
+{% if grains['id'] == 'dom0' %}
+
+mullvad-browser--create-app-qube:
+ qvm.vm:
+ - name: q-mullvad-browser
+ - present:
+ - template: template-mullvad-browser
+ - label: red
+ - prefs:
+ - label: red
+ - audiovm: sys-audio
+ - guivm: dom0
+ - netvm: sys-vpn-mullvad
+ - template_for_dispvms: True
+ - features:
+ - set:
+ - menu-items: mullvad-browser.desktop debian-xterm.desktop
+ - require:
+ - qvm: mullvad-browser--create-template
+
+{% endif %}
--- /dev/null
+{% import "templates/versions.jinja" as version %}
+
+include:
+ - templates.templates--install-debian-minimal
+
+{% if grains['id'] == 'dom0' %}
+
+mullvad-browser--create-template:
+ qvm.clone:
+ - name: template-mullvad-browser
+ - source: debian-{{ version.debian }}-minimal
+ - class: TemplateVM
+ - require:
+ - qvm: templates--install-debian-{{ version.debian }}-minimal
+
+mullvad-browser--template-prefs:
+ qvm.prefs:
+ - name: template-mullvad-browser
+ - label: red
+ - audiovm:
+ - guivm:
+ - netvm:
+ - require:
+ - qvm: mullvad-browser--create-template
+
+{% endif %}
--- /dev/null
+{% if grains['id'] == 'template-mullvad-browser' %}
+
+mullvad-browser--install-packages:
+ pkg.installed:
+ - refresh: True
+ - pkgs:
+ - qubes-core-agent-networking
+ - mullvad-browser
+ - pulseaudio-qubes
+ - require:
+ - file: mullvad-browser--configure-repos
+
+{% endif %}
--- /dev/null
+#! /usr/bin/env bash
+
+update_dns() {
+ # mullvad_on: 0 -> off, 1 -> on
+ mullvad_on=$([[ $(grep -v -c "nameserver \+10.139" /etc/resolv.conf) -gt 0 ]] && echo 1 || echo 0)
+
+ if [[ $mullvad_on -eq 1 ]]; then
+
+ echo "Mullvad is on"
+
+ # get the mullvad dns ip address. First one is used if there is more than one.
+ mullvad_dns_ip=$(grep "nameserver" < /etc/resolv.conf| awk '{print $2}' | head -n 1)
+
+ # delete all the lines defined in dnat-dns
+ sudo nft flush chain ip qubes dnat-dns
+
+ # forward all dns requests to mullvad dns servers
+ sudo nft add rule ip qubes dnat-dns meta l4proto { tcp, udp } ip daddr { 10.139.1.1, 10.139.1.2 } th dport 53 dnat to "$mullvad_dns_ip"
+
+ else
+
+ echo "Mullvad is off"
+
+ # get qubes nameserver ip addresses
+ nameserver_ips=$(grep "nameserver" < /etc/resolv.conf| awk '{print $2}')
+
+ # delete all the lines defined in dnat-dns
+ sudo nft flush chain ip qubes dnat-dns
+
+ # add rule to forward dns requests to qubes nameservers
+ for ip in $nameserver_ips; do
+ sudo nft add rule ip qubes dnat-dns ip daddr "$ip" udp dport 53 dnat to "$ip"
+ sudo nft add rule ip qubes dnat-dns ip daddr "$ip" tcp dport 53 dnat to "$ip"
+ done
+
+ fi
+}
+
+update_dns
+# check for /etc/resolv.conf content change
+inotifywait -m -q -e close_write /etc/resolv.conf | while read -r;
+do
+ update_dns
+done
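Review bot: The Mullvad detection on L987 counts every line of /etc/resolv.conf that is not a `nameserver 10.139…` entry, so a comment or `search` line, if present, flips `mullvad_on` to 1 even while the tunnel is down; count nameserver lines only, e.g. `mullvad_on=$([[ $(grep '^nameserver' /etc/resolv.conf | grep -v -c '^nameserver[[:space:]]\+10\.139\.') -gt 0 ]] && echo 1 || echo 0)`. The `flush chain` followed by a separate `add rule` (L997/L1000, L1010/L1014–L1015) leaves a window with an empty `dnat-dns` chain; feeding both commands to a single `nft -f -` applies them in one transaction, as sketched below for the on-branch. `inotifywait -e close_write` on the file itself (L1023) misses updates if the DNS manager replaces resolv.conf by rename — presumably not the case here, but worth confirming; watching `/etc` for `moved_to,close_write` and filtering on the name covers both. Finally the on-branch hard-codes `10.139.1.1, 10.139.1.2` while the off-branch reads the addresses from resolv.conf; deriving both from one source keeps them consistent.
```shell
  # … unchanged: detection, "Mullvad is on" echo, mullvad_dns_ip …
  # flush and repopulate in ONE transaction so the chain is never empty in between
  sudo nft -f - <<EOF
flush chain ip qubes dnat-dns
add rule ip qubes dnat-dns meta l4proto { tcp, udp } ip daddr { 10.139.1.1, 10.139.1.2 } th dport 53 dnat to $mullvad_dns_ip
EOF
```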
--- /dev/null
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+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+=kwTD
+-----END PGP PUBLIC KEY BLOCK-----
--- /dev/null
+deb [signed-by=/usr/share/keyrings/mullvad-keyring.asc arch=amd64] https://repository.mullvad.net/deb/stable bookworm main
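Review bot: The suite is hard-coded to `bookworm` while the template that consumes this list is cloned from `debian-{{ version.debian }}-minimal` (L1156), so bumping the pillar version silently leaves the qube on the old Mullvad suite. Rendering the list through salt (`- template: jinja` on the `file.managed` at L1055–L1056) and taking the codename from the template's own `grains['oscodename']` keeps the two in step; the mullvad-browser copy of this file (L900) has the same issue.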
--- /dev/null
+nft add rule ip qubes custom-forward tcp flags syn / syn,rst tcp option maxseg size set rt mtu
+# Prevent the qube to forward traffic outside of the VPN
+nft add rule qubes custom-forward oifname eth0 counter drop
+nft add rule ip6 qubes custom-forward oifname eth0 counter drop
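Review bot: L1036 omits the address family (`nft add rule qubes custom-forward …`) while L1034 and L1037 spell it out; nft treats an omitted family as `ip`, so it works, but `nft add rule ip qubes custom-forward oifname eth0 counter drop` states what it does and matches its neighbours. A `log prefix "vpn-killswitch: "` placed before `drop` on both drop rules would also make tunnel-down leak attempts visible in the journal rather than only in the packet counter.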
--- /dev/null
+/usr/local/bin/mullvad-dns.sh &
--- /dev/null
+include:
+ - mullvad-vpn.mullvad-vpn--create-template
+ - mullvad-vpn.mullvad-vpn--configure-repos
+ - mullvad-vpn.mullvad-vpn--install-packages
+ - mullvad-vpn.mullvad-vpn--create-app-qubes
+ - mullvad-vpn.mullvad-vpn--dns-config
--- /dev/null
+{% if grains['id'] == 'template-vpn-mullvad' or grains['id'] == 'template-vpn-mullvad-for-tor' %}
+
+mullvad-vpn--configure-repos:
+ file.managed:
+ - names:
+ - /usr/share/keyrings/mullvad-keyring.asc:
+ - source: salt://mullvad-vpn/files/mullvad-keyring.asc
+ - /etc/apt/sources.list.d/mullvad.list:
+ - source: salt://mullvad-vpn/files/mullvad.list
+
+{% endif %}
--- /dev/null
+{% if grains['id'] == 'dom0' %}
+
+sys-vpn-mullvad--create-app-qube:
+ qvm.vm:
+ - name: app-vpn-mullvad
+ - present:
+ - template: template-vpn-mullvad
+ - label: red
+ - template_for_dispvms: True
+ - prefs:
+ - label: red
+ - autostart: False
+ - provides-network: False
+ - template_for_dispvms: True
+ - audiovm:
+ - guivm: dom0
+ - netvm:
+ - features:
+ - set:
+ - menu-items: debian-xterm.desktop mullvad-vpn.desktop
+ - require:
+ - qvm: mullvad-vpn--create-template
+
+sys-vpn-mullvad--create-qube:
+ qvm.vm:
+ - name: sys-vpn-mullvad
+ - present:
+ - template: app-vpn-mullvad
+ - label: red
+ - class: DispVM
+ - prefs:
+ - label: red
+ - autostart: True
+ - provides-network: True
+ - audiovm:
+ - guivm: dom0
+ - netvm: sys-firewall
+ - features:
+ - set:
+ - menu-items: debian-xterm.desktop mullvad-vpn.desktop
+ - require:
+ - qvm: sys-vpn-mullvad--create-app-qube
+
+sys-vpn-mullvad--create-app-qube-for-tor:
+ qvm.vm:
+ - name: app-vpn-mullvad-for-tor
+ - present:
+ - template: template-vpn-mullvad-for-tor
+ - label: red
+ - template_for_dispvms: True
+ - prefs:
+ - label: red
+ - autostart: False
+ - provides-network: False
+ - template_for_dispvms: True
+ - audiovm:
+ - guivm: dom0
+ - netvm:
+ - features:
+ - set:
+ - menu-items: debian-xterm.desktop mullvad-vpn.desktop
+ - require:
+ - qvm: mullvad-vpn--create-template-for-tor
+
+sys-vpn-mullvad--create-qube-for-tor:
+ qvm.vm:
+ - name: sys-vpn-mullvad-for-tor
+ - present:
+ - template: app-vpn-mullvad-for-tor
+ - label: red
+ - class: DispVM
+ - prefs:
+ - label: red
+ - autostart: True
+ - provides-network: True
+ - audiovm:
+ - guivm: dom0
+ - netvm: sys-firewall
+ - features:
+ - set:
+ - menu-items: debian-xterm.desktop mullvad-vpn.desktop
+ - require:
+ - qvm: sys-vpn-mullvad--create-app-qube-for-tor
+
+{% endif %}
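Review bot: `template_for_dispvms: True` appears both under `present:` (L1068, L1109) and under `prefs:` (L1073, L1114) in the two app-qube states; `prefs` is where the property takes effect, and unless `qvm.present` is known to accept it — which I could not confirm — the `present` copy is either ignored or handed to qvm-create as an unknown option. Keeping only the `prefs` entry matches `mullvad-browser--create-app-qube` (L926–L933) and the other app qubes in this commit.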
--- /dev/null
+{% import "templates/versions.jinja" as version %}
+
+include:
+ - templates.templates--install-debian-minimal
+
+{% if grains['id'] == 'dom0' %}
+
+mullvad-vpn--create-template:
+ qvm.clone:
+ - name: template-vpn-mullvad
+ - source: debian-{{ version.debian }}-minimal
+ - class: TemplateVM
+
+mullvad-vpn--template-prefs:
+ qvm.prefs:
+ - name: template-vpn-mullvad
+ - label: red
+ - audiovm:
+ - guivm:
+ - netvm:
+
+mullvad-vpn--create-template-for-tor:
+ qvm.clone:
+ - name: template-vpn-mullvad-for-tor
+ - source: debian-{{ version.debian }}-minimal
+ - class: TemplateVM
+
+mullvad-vpn--template-prefs-for-tor:
+ qvm.prefs:
+ - name: template-vpn-mullvad-for-tor
+ - label: red
+ - audiovm:
+ - guivm:
+ - netvm:
+
+{% endif %}
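Review bot: `mullvad-vpn--create-template` and `mullvad-vpn--create-template-for-tor` (L1153, L1167) carry no `require` on `templates--install-debian-{{ version.debian }}-minimal`, unlike every other `qvm.clone` in this commit (e.g. L954–L955), so on a fresh dom0 the clone may be attempted before the source template is installed; the two `qvm.prefs` states (L1159, L1173) likewise lack the `require: - qvm: …--create-template` their siblings have. Adding `- require:` / `- qvm: templates--install-debian-{{ version.debian }}-minimal` to both clones and `- qvm: mullvad-vpn--create-template` (resp. `…-for-tor`) to the prefs restores the ordering.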
--- /dev/null
+{% if grains['id'] == 'app-vpn-mullvad' or grains['id'] == 'app-vpn-mullvad-for-tor' %}
+
+mullvad-vpn--dns-config:
+ file.managed:
+ - names:
+ - /usr/local/bin/mullvad-dns.sh:
+ - source: salt://mullvad-vpn/files/mullvad-dns.sh
+ - mode: 755
+
+mullvad-vpn--dns-config-appends:
+ file.append:
+ - names:
+ - /rw/config/rc.local:
+ - source: salt://mullvad-vpn/files/rc.local
+ - /rw/config/qubes-firewall-user-script:
+ - source: salt://mullvad-vpn/files/qubes-firewall-user-script
+
+{% endif %}
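Review bot: `mullvad-vpn--dns-config-appends` uses `file.append` on `/rw/config/qubes-firewall-user-script` and `/rw/config/rc.local`, which creates or extends the file but never sets its mode; if either file is not already present with `+x` on the app qube, the appended hooks never run. Presumably Qubes ships both files executable, but the state should not depend on it — a companion `file.managed` with `- replace: False` and `- mode: "0755"` on each path pins the bit. Separately, `- mode: 755` on L1190 (and L1616, L1814) is a bare integer; writing it as `"0755"` is the safer YAML form, since a leading-zero mode would otherwise be parsed as octal.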
--- /dev/null
+{% if grains['id'] == 'template-vpn-mullvad' or grains['id'] == 'template-vpn-mullvad-for-tor' %}
+
+mullvad-vpn--install-packages:
+ pkg.installed:
+ - refresh: True
+ - pkgs:
+ - qubes-core-agent-networking
+ - mullvad-vpn
+ - libnss3
+ - inotify-tools
+ - libasound2
+ - require:
+ - file: mullvad-vpn--configure-repos
+
+{% endif %}
--- /dev/null
+include:
+ - notes.notes--create-template
+ - notes.notes--install-packages
+ - notes.notes--create-app-qube
--- /dev/null
+{% if grains['id'] == 'dom0' %}
+
+notes--create-app-qube:
+ qvm.vm:
+ - name: q-notes
+ - present:
+ - template: template-notes
+ - label: black
+ - prefs:
+ - label: black
+ - audiovm:
+ - guivm: dom0
+ - netvm:
+ - features:
+ - set:
+ - menu-items: debian-xterm.desktop
+ - service:
+ - enable:
+ - shutdown-idle
+ - require:
+ - qvm: notes--create-template
+
+{% endif %}
--- /dev/null
+{% import "templates/versions.jinja" as version %}
+
+include:
+ - templates.templates--install-debian-minimal
+
+{% if grains['id'] == 'dom0' %}
+
+notes--create-template:
+ qvm.clone:
+ - name: template-notes
+ - source: debian-{{ version.debian }}-minimal
+ - class: TemplateVM
+ - require:
+ - qvm: templates--install-debian-{{ version.debian }}-minimal
+
+notes--create-template-prefs:
+ qvm.prefs:
+ - name: template-notes
+ - label: black
+ - netvm:
+ - audiovm:
+ - guivm:
+ - require:
+ - qvm: notes--create-template
+
+{% endif %}
--- /dev/null
+{% if grains['id'] == 'template-notes' %}
+
+notes--install-packages:
+ pkg.installed:
+ - pkgs:
+ - qubes-app-shutdown-idle
+
+{% endif %}
--- /dev/null
+include:
+ - pwmanager.pwmanager--create-template
+ - pwmanager.pwmanager--create-app-qube
+ - pwmanager.pwmanager--install-packages
--- /dev/null
+{% if grains['id'] == 'dom0' %}
+
+pwmanager--create-app-qube:
+ qvm.vm:
+ - name: q-pwmanager
+ - present:
+ - template: template-pwmanager
+ - label: black
+ - prefs:
+ - label: black
+ - template_for_dispvms: True
+ - audiovm:
+ - guivm: dom0
+ - netvm:
+ - features:
+ - set:
+ - menu-items: org.keepassxc.KeePassXC.desktop debian-xterm.desktop
+ - require:
+ - qvm: pwmanager--create-template
+
+{% endif %}
--- /dev/null
+{% import "templates/versions.jinja" as version %}
+
+include:
+ - templates.templates--install-debian-minimal
+
+{% if grains['id'] == 'dom0' %}
+
+pwmanager--create-template:
+ qvm.clone:
+ - name: template-pwmanager
+ - source: debian-{{ version.debian }}-minimal
+ - class: TemplateVM
+ - require:
+ - qvm: templates--install-debian-{{ version.debian }}-minimal
+
+wmanager--create-template-prefs:
+ qvm.prefs:
+ - name: template-pwmanager
+ - audiovm:
+ - guivm:
+ - netvm:
+ - require:
+ - qvm: pwmanager--create-template
+
+{% endif %}
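Review bot: The state id on L1325 reads `wmanager--create-template-prefs`, dropping the leading `p` of the `pwmanager--` prefix every other id in this formula uses; rename it to `pwmanager--create-template-prefs`. Nothing in the visible states references it, so nothing breaks today, but a future `require` written with the expected name would not resolve. This prefs state also omits `- label: black`, which `pwmanager--create-app-qube` (L1295) sets and which the sibling template-prefs states all carry.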
--- /dev/null
+{% if grains['id'] == 'template-pwmanager' %}
+
+template-pwmanager-install-apps:
+ pkg.installed:
+ - install_recommends: True
+ - pkgs:
+ - keepassxc
+
+{% endif %}
--- /dev/null
+include:
+ - split-btc.split-btc--create-templates
+ - split-btc.split-btc--create-app-qubes
+ - split-btc.split-btc--create-qubes
+ - split-btc.split-btc--install-packages
--- /dev/null
+{% if grains['id'] == 'dom0' %}
+
+split-btc--create-app-offline-qube:
+ qvm.vm:
+ - name: app-btc-offline
+ - present:
+ - template: template-btc-offline
+ - label: black
+ - prefs:
+ - label: black
+ - audiovm:
+ - guivm: dom0
+ - netvm:
+ - template_for_dispvms: True
+ - features:
+ - set:
+ - menu-items: debian-xterm.desktop electrum.desktop
+ - service:
+ - enable:
+ - shutdown-idle
+ - require:
+ - qvm: offline-btc--create-template
+
+split-btc--create-app-qube:
+ qvm.vm:
+ - name: app-btc
+ - present:
+ - template: template-btc
+ - label: red
+ - prefs:
+ - label: red
+ - audiovm:
+ - guivm: dom0
+ - netvm:
+ - template_for_dispvms: True
+ - features:
+ - set:
+ - menu-items: debian-xterm.desktop electrum.desktop
+ - service:
+ - enable:
+ - shutdown-idle
+ - require:
+ - qvm: btc--create-template
+
+{% endif %}
--- /dev/null
+{% if grains['id'] == 'dom0' %}
+
+split-btc--create-split-offline-qube:
+ qvm.vm:
+ - name: q-btc-offline
+ - present:
+ - template: app-btc-offline
+ - label: black
+ - class: DispVM
+ - prefs:
+ - label: black
+ - netvm:
+ - audiovm:
+ - guivm: dom0
+ - service:
+ - enable:
+ - shutdown-idle
+ - require:
+ - qvm: split-btc--create-app-offline-qube
+
+split-btc--create-btc-qube:
+ qvm.vm:
+ - name: q-btc
+ - present:
+ - template: app-btc
+ - label: red
+ - class: DispVM
+ - prefs:
+ - label: red
+ - audiovm:
+ - guivm: dom0
+ - netvm: sys-vpn-mullvad
+ - service:
+ - enable:
+ - shutdown-idle
+ - require:
+ - qvm: split-btc--create-app-qube
+
+{% endif %}
--- /dev/null
+{% import "templates/versions.jinja" as version %}
+
+include:
+ - templates.templates--install-debian-minimal
+
+{% if grains['id'] == 'dom0' %}
+
+offline-btc--create-template:
+ qvm.clone:
+ - name: template-btc-offline
+ - source: debian-{{ version.debian }}-minimal
+ - class: TemplateVM
+ - require:
+ - qvm: templates--install-debian-{{ version.debian }}-minimal
+
+offline-btc--template-prefs:
+ qvm.prefs:
+ - name: template-btc-offline
+ - label: black
+ - audiovm:
+ - guivm:
+ - netvm:
+ - require:
+ - qvm: offline-btc--create-template
+
+btc--create-template:
+ qvm.clone:
+ - name: template-btc
+ - source: debian-12-minimal
+ - class: TemplateVM
+ - require:
+ - qvm: templates--install-debian-{{ version.debian }}-minimal
+
+btc--template-prefs:
+ qvm.prefs:
+ - name: template-btc
+ - label: red
+ - audiovm:
+ - guivm:
+ - netvm:
+ - require:
+ - qvm: btc--create-template
+
+{% endif %}
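Review bot: `btc--create-template` clones from the literal `debian-12-minimal` (L1466) while its `require` points at `templates--install-debian-{{ version.debian }}-minimal` (L1469) and the sibling `offline-btc--create-template` uses `debian-{{ version.debian }}-minimal`; once the pillar moves past 12 the state requires one template and clones another. Use `- source: debian-{{ version.debian }}-minimal` here and in `sys-firewall--create-template` (L2176), which has the same mismatch.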
--- /dev/null
+{% if grains['id'] == 'template-btc-offline' %}
+
+template-btc-offline--install-packages:
+ pkg.installed:
+ - refresh: True
+ - pkgs:
+ - qubes-app-shutdown-idle
+ - electrum
+
+{% endif %}
+
+
+{% if grains['id'] == 'template-btc' %}
+
+template-btc--install-packages:
+ pkg.installed:
+ - refresh: True
+ - pkgs:
+ - qubes-core-agent-networking
+ - qubes-app-shutdown-idle
+ - electrum
+
+{% endif %}
--- /dev/null
+q-split-gpg
--- /dev/null
+include:
+ - split-gpg-legacy.split-gpg-legacy--create-template
+ - split-gpg-legacy.split-gpg-legacy--create-app-qube
+ - split-gpg-legacy.split-gpg-legacy--create-qube
+ - split-gpg-legacy.split-gpg-legacy--install-packages
--- /dev/null
+{% if grains['id'] == 'dom0' %}
+
+split-gpg-legacy--create-app-qube:
+ qvm.vm:
+ - name: app-split-gpg-legacy
+ - present:
+ - template: template-split-gpg-legacy
+ - label: black
+ - prefs:
+ - label: black
+ - audiovm:
+ - guivm: dom0
+ - netvm:
+ - template_for_dispvms: True
+ - service:
+ - enable:
+ - shutdown-idle
+ - require:
+ - qvm: split-gpg-legacy--create-template
+
+{% endif %}
--- /dev/null
+{% if grains['id'] == 'dom0' %}
+
+split-gpg-legacy--create-split-gpg-qube:
+ qvm.vm:
+ - name: q-split-gpg-legacy
+ - present:
+ - template: app-split-gpg-legacy
+ - label: black
+ - class: DispVM
+ - prefs:
+ - label: black
+ - audiovm:
+ - guivm: dom0
+ - netvm:
+ - service:
+ - enable:
+ - shutdown-idle
+ - require:
+ - qvm: split-gpg-legacy--create-app-qube
+
+{% endif %}
--- /dev/null
+{% import "templates/versions.jinja" as version %}
+
+include:
+ - templates.templates--install-debian-minimal
+
+{% if grains['id'] == 'dom0' %}
+
+split-gpg-legacy--create-template:
+ qvm.clone:
+ - name: template-split-gpg-legacy
+ - source: debian-{{ version.debian }}-minimal
+ - class: TemplateVM
+ - require:
+ - qvm: templates--install-debian-{{ version.debian }}-minimal
+
+split-gpg-legacy--template-prefs:
+ qvm.prefs:
+ - name: template-split-gpg-legacy
+ - label: black
+ - audiovm:
+ - guivm: dom0
+ - netvm:
+ - require:
+ - qvm: split-gpg-legacy--create-template
+
+{% endif %}
+
--- /dev/null
+{% if grains['id'] == 'template-split-gpg-legacy' %}
+
+template-split-gpg-legacy--install-packages:
+ pkg.installed:
+ - refresh: True
+ - pkgs:
+ - qubes-gpg-split
+ - qubes-app-shutdown-idle
+ - gnupg
+
+{% endif %}
--- /dev/null
+qubes.Gpg2 + q-ssh @default allow target=q-split-gpg
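Review bot: This rule gives `q-ssh` unprompted access to `q-split-gpg` (`allow target=q-split-gpg`), whereas the companion `qubes.SshAgent` policy (L1738–L1739) uses `ask default_target=…` so every agent use is confirmed in dom0. If per-operation confirmation is wanted for signing and decryption as well, `qubes.Gpg2 + q-ssh @default ask default_target=q-split-gpg` gives the same prompt-based gate; if `allow` is deliberate, a one-line comment in the file saying so would stop it being "fixed" later.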
--- /dev/null
+# List of assigned trustvalues, created Fri Mar 14 10:43:10 2025 CET
+# (Use "gpg --import-ownertrust" to restore them)
+C1E78CE601392ABCC49072A0B204131BB15B20FE:6:
--- /dev/null
+include:
+ - split-gpg.split-gpg--create-template
+ - split-gpg.split-gpg--create-app-qube
+ - split-gpg.split-gpg--create-qube
+ - split-gpg.split-gpg--configure-policy
+ - split-gpg.split-gpg--install-packages
--- /dev/null
+{% if grains['id'] not in ['dom0', 'template-split-gpg', 'app-split-gpg'] %}
+
+split-gpg--configure-gpg-import-files:
+ file.managed:
+ - mode: 644
+ - names:
+ - /tmp/public-keys-export:
+ - source: salt://split-gpg/files/public-keys-export
+ - /tmp/ownertrust-export:
+ - source: salt://split-gpg/files/ownertrust-export
+
+split-gpg--configure-public-keys-import:
+ cmd.run:
+ - name: "su - user -c 'gpg --import /tmp/public-keys-export'"
+ - require:
+ - file: split-gpg--configure-gpg-import-files
+
+split-gpg--configure-ownertrust-import:
+ cmd.run:
+ - name: "su - user -c 'gpg --import-ownertrust /tmp/ownertrust-export'"
+ - require:
+ - file: split-gpg--configure-gpg-import-files
+
+{% endif %}
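Review bot: `split-gpg--configure-public-keys-import` and `split-gpg--configure-ownertrust-import` are plain `cmd.run` states with no `unless`/`onchanges`, so they re-run the import on every highstate and always report a change; gating them with `- onchanges: - file: split-gpg--configure-gpg-import-files` in place of `require`, or `- unless: su - user -c 'gpg --list-keys C1E78CE601392ABCC49072A0B204131BB15B20FE'`, makes them idempotent. `- runas: user` is the salt-native replacement for wrapping the command in `su - user -c '…'` and avoids the extra quoting layer.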
--- /dev/null
+{% if grains['id'] == 'dom0' %}
+
+split-gpg--configure-policy:
+ file.managed:
+ - name: /etc/qubes/policy.d/30-user-gpg2.policy
+ - source: salt://split-gpg/files/30-user-gpg2.policy
+
+{% endif %}
--- /dev/null
+{% if grains['id'] == 'dom0' %}
+
+split-gpg--create-app-qube:
+ qvm.vm:
+ - name: app-split-gpg
+ - present:
+ - template: template-split-gpg
+ - label: black
+ - prefs:
+ - label: black
+ - audiovm:
+ - guivm: dom0
+ - netvm:
+ - template_for_dispvms: True
+ - service:
+ - enable:
+ - shutdown-idle
+ - require:
+ - qvm: split-gpg--create-template
+
+{% endif %}
--- /dev/null
+{% if grains['id'] == 'dom0' %}
+
+split-gpg--create-split-gpg-qube:
+ qvm.vm:
+ - name: q-split-gpg
+ - present:
+ - template: app-split-gpg
+ - label: black
+ - class: DispVM
+ - prefs:
+ - label: black
+ - audiovm:
+ - guivm: dom0
+ - netvm:
+ - service:
+ - enable:
+ - shutdown-idle
+ - require:
+ - qvm: split-gpg--create-app-qube
+
+{% endif %}
--- /dev/null
+{% import "templates/versions.jinja" as version %}
+
+include:
+ - templates.templates--install-debian-minimal
+
+{% if grains['id'] == 'dom0' %}
+
+split-gpg--create-template:
+ qvm.clone:
+ - name: template-split-gpg
+ - source: debian-{{ version.debian }}-minimal
+ - class: TemplateVM
+ - require:
+ - qvm: templates--install-debian-{{ version.debian }}-minimal
+
+split-gpg--template-prefs:
+ qvm.prefs:
+ - name: template-split-gpg
+ - label: black
+ - audiovm:
+ - guivm: dom0
+ - netvm:
+ - require:
+ - qvm: split-gpg--create-template
+
+{% endif %}
+
--- /dev/null
+{% if grains['id'] == 'template-split-gpg' %}
+
+template-split-gpg--install-packages:
+ pkg.installed:
+ - refresh: True
+ - pkgs:
+ - qubes-app-shutdown-idle
+ - split-gpg2
+ - gnupg
+
+{% elif grains['id'] == 'dom0' %}
+
+template-split-gpg--install-domzero-packages:
+ pkg.installed:
+ - refresh: True
+ - pkgs:
+ - split-gpg2-dom0
+
+{% endif %}
--- /dev/null
+qubes.SshAgent * q-ssh q-split-ssh ask default_target=q-split-ssh
+qubes.SshAgent * q-dev q-split-ssh ask default_target=q-split-ssh
--- /dev/null
+# SPLIT SSH CONFIGURATION >>>
+# replace "vault" with your AppVM name which stores the ssh private key(s)
+SSH_VAULT_VM="q-split-ssh"
+
+if [ "$SSH_VAULT_VM" != "" ]; then
+ export SSH_AUTH_SOCK="/home/user/.SSH_AGENT_$SSH_VAULT_VM"
+fi
+# <<< SPLIT SSH CONFIGURATION
+
--- /dev/null
+#!/bin/sh
+# Qubes App Split SSH Script
+
+# safeguard - Qubes notification bubble for each ssh request
+notify-send "[$(qubesdb-read /name)] SSH agent access from: $QREXEC_REMOTE_DOMAIN"
+
+# SSH connection
+socat - "UNIX-CONNECT:$SSH_AUTH_SOCK"
--- /dev/null
+# SPLIT SSH CONFIGURATION >>>
+# replace "vault" with your AppVM name which stores the ssh private key(s)
+SSH_VAULT_VM="q-split-ssh"
+
+if [ "$SSH_VAULT_VM" != "" ]; then
+ export SSH_SOCK="/home/user/.SSH_AGENT_$SSH_VAULT_VM"
+ rm -f "$SSH_SOCK"
+ sudo -u user /bin/sh -c "umask 177 && exec socat 'UNIX-LISTEN:$SSH_SOCK,fork' 'EXEC:qrexec-client-vm $SSH_VAULT_VM qubes.SshAgent'" &
+fi
+# <<< SPLIT SSH CONFIGURATION
--- /dev/null
+[Desktop Entry]
+Name=ssh-add
+Exec=ssh-add -c
+Type=Application
--- /dev/null
+include:
+ - split-ssh.split-ssh--create-templates
+ - split-ssh.split-ssh--install-packages
+ - split-ssh.split-ssh--create-app-qubes
+ - split-ssh.split-ssh--create-qubes
+ - split-ssh.split-ssh--configure
--- /dev/null
+{% if grains['id'] == 'dom0' %}
+
+split-ssh--configure-dom0:
+ file.managed:
+ - name: /etc/qubes/policy.d/50-ssh.policy
+ - source: salt://split-ssh/files/50-ssh.policy
+
+split-ssh--configure-firewall:
+ cmd.run:
+ - name: |
+ qvm-firewall q-ssh reset
+ qvm-firewall q-ssh del accept
+ qvm-firewall q-ssh add accept 138.199.226.242/32 proto=tcp
+ qvm-firewall q-ssh add accept 162.55.181.96/32 proto=tcp
+ qvm-firewall q-ssh add accept 116.202.96.31/32 proto=tcp
+ qvm-firewall q-ssh add drop
+
+{% elif grains['id'] == 'app-split-ssh' %}
+
+split-ssh--configure-app-split-ssh:
+ file.managed:
+ - name: /home/user/.config/autostart/ssh-add.desktop
+ - source: salt://split-ssh/files/ssh-add.desktop
+ - makedirs: True
+
+{% elif grains['id'] == 'template-split-ssh' %}
+
+split-ssh--configure-template-split-ssh:
+ file.managed:
+ - name: /etc/qubes-rpc/qubes.SshAgent
+ - source: salt://split-ssh/files/qubes.SshAgent
+ - mode: 755
+
+{% elif grains['id'] == 'app-ssh' %}
+
+include:
+ - split-gpg.split-gpg--configure-gpg
+
+split-ssh--configure-app-ssh:
+ file.append:
+ - names:
+ - /rw/config/rc.local:
+ - source: salt://split-ssh/files/rc.local
+ - /home/user/.bashrc:
+ - source: salt://split-ssh/files/bashrc
+
+{% endif %}
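Review bot: `split-ssh--configure-app-ssh` appends multi-line shell blocks (an `if … fi` with blank lines, L1760–L1769 and L1741–L1749) with `file.append`, which de-duplicates line by line: any line already present in `rc.local` or `.bashrc` — `fi`, or a blank line — is skipped, leaving the appended block syntactically incomplete. The snippets already carry `# SPLIT SSH CONFIGURATION >>>` / `# <<< SPLIT SSH CONFIGURATION` markers, so `file.blockreplace` with `- marker_start`, `- marker_end`, `- source` and `- append_if_not_found: True` is the exact fit; the same applies to `mullvad-vpn--dns-config-appends` (L1192–L1198). Separately, `split-ssh--configure-firewall` is a `cmd.run` without `unless`, so it resets q-ssh's firewall on every highstate; `- unless: qvm-firewall q-ssh list | grep -q 138.199.226.242` keeps it idempotent.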
--- /dev/null
+{% if grains['id'] == 'dom0' %}
+
+split-ssh--create-app-split-qube:
+ qvm.vm:
+ - name: app-split-ssh
+ - present:
+ - template: template-split-ssh
+ - label: black
+ - prefs:
+ - label: black
+ - audiovm:
+ - guivm: dom0
+ - netvm:
+ - template_for_dispvms: True
+ - features:
+ - set:
+ - menu-items: debian-xterm.desktop
+ - service:
+ - enable:
+ - shutdown-idle
+ - require:
+ - qvm: split-ssh--create-template
+
+
+split-ssh--create-app-qube:
+ qvm.vm:
+ - name: app-ssh
+ - present:
+ - template: template-ssh
+ - label: yellow
+ - prefs:
+ - label: yellow
+ - audiovm:
+ - guivm: dom0
+ - netvm:
+ - template_for_dispvms: True
+ - features:
+ - set:
+ - menu-items: debian-xterm.desktop
+ - require:
+ - qvm: ssh--create-template
+
+{% endif %}
--- /dev/null
+{% if grains['id'] == 'dom0' %}
+
+q-split-ssh--create-sys-qube:
+ qvm.vm:
+ - name: q-split-ssh
+ - present:
+ - template: app-split-ssh
+ - label: black
+ - class: DispVM
+ - prefs:
+ - label: black
+ - audiovm:
+ - guivm: dom0
+ - netvm:
+ - service:
+ - enable:
+ - shutdown-idle
+ - split-gpg2-client
+ - require:
+ - qvm: split-ssh--create-app-split-qube
+
+q-ssh--create-sys-qube:
+ qvm.vm:
+ - name: q-ssh
+ - present:
+ - template: app-ssh
+ - label: yellow
+ - class: DispVM
+ - prefs:
+ - label: yellow
+ - audiovm:
+ - guivm: dom0
+ - netvm: sys-vpn-mullvad
+ - require:
+ - qvm: split-ssh--create-app-qube
+
+{% endif %}
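Review bot: The `split-gpg2-client` service is enabled on `q-split-ssh` (L1892), the vault-side DispVM with no netvm, while the `qubes.Gpg2` policy (L1599) names `q-ssh` as the only allowed client and `template-ssh` is the template that installs `split-gpg2` (L1976); `q-ssh--create-sys-qube` enables no service at all. If `q-ssh` is the intended gpg client, the `- service: - enable: - split-gpg2-client` block belongs on it; if `q-split-ssh` is, the policy has no matching line and its requests would be refused. I could not tell from the states which was meant, so a comment naming the intended client would help either way.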
--- /dev/null
+{% import "templates/versions.jinja" as version %}
+
+include:
+ - templates.templates--install-debian-minimal
+
+{% if grains['id'] == 'dom0' %}
+
+split-ssh--create-template:
+ qvm.clone:
+ - name: template-split-ssh
+ - source: debian-{{ version.debian }}-minimal
+ - class: TemplateVM
+ - require:
+ - qvm: templates--install-debian-{{ version.debian }}-minimal
+
+split-ssh--template-split-ssh-prefs:
+ qvm.prefs:
+ - name: template-split-ssh
+ - label: black
+ - audiovm:
+ - guivm:
+ - netvm:
+ - require:
+ - qvm: split-ssh--create-template
+
+ssh--create-template:
+ qvm.clone:
+ - name: template-ssh
+ - source: debian-{{ version.debian }}-minimal
+ - class: TemplateVM
+ - require:
+ - qvm: templates--install-debian-{{ version.debian }}-minimal
+
+ssh--template-split-ssh-prefs:
+ qvm.prefs:
+ - name: template-ssh
+ - label: yellow
+ - audiovm:
+ - guivm:
+ - netvm:
+ - require:
+ - qvm: ssh--create-template
+
+{% endif %}
--- /dev/null
+{% if grains['id'] == 'template-split-ssh' %}
+
+split-ssh--install-template-split-ssh:
+ pkg.installed:
+ - refresh: True
+ - pkgs:
+ - qubes-app-shutdown-idle
+ - ssh-askpass-gnome
+ - socat
+ - libnotify-bin
+
+{% elif grains['id'] == 'template-ssh' %}
+
+split-ssh--install-packages-template-ssh:
+ pkg.installed:
+ - refresh: True
+ - pkgs:
+ - qubes-core-agent-networking
+ - split-gpg2
+ - openssh-client
+ - knockd
+ - salt-ssh
+ - git
+
+{% endif %}
--- /dev/null
+admin.Events * sys-audio @adminvm allow target=dom0
+
+# TODO: check if more / less are required
+admin.Events +property-set_audiovm sys-audio @tag:audiovm-sys-audio allow target=dom0
+admin.Events +property-pre-set_audiovm sys-audio @tag:audiovm-sys-audio allow target=dom0
+admin.Events +property-pre-reset_audiovm sys-audio @tag:audiovm-sys-audio allow target=dom0
+admin.Events +property-reset_audiovm sys-audio @tag:audiovm-sys-audio allow target=dom0
+admin.Events +property-reset_xid sys-audio @tag:audiovm-sys-audio allow target=dom0
+admin.Events +domain-stopped sys-audio @tag:audiovm-sys-audio allow target=dom0
+admin.Events +domain-shutdown sys-audio @tag:audiovm-sys-audio allow target=dom0
+admin.Events +domain-start sys-audio @tag:audiovm-sys-audio allow target=dom0
+admin.Events +connection-established sys-audio @tag:audiovm-sys-audio allow target=dom0
+
+admin.vm.CurrentState * sys-audio @tag:audiovm-sys-audio allow target=dom0
+admin.vm.List * sys-audio @tag:audiovm-sys-audio allow target=dom0
+admin.vm.CurrentState * sys-audio @adminvm allow target=dom0
+admin.vm.List * sys-audio @adminvm allow target=dom0
+
+admin.vm.property.Get +audiovm sys-audio @tag:audiovm-sys-audio allow target=dom0
+admin.vm.property.Get +xid sys-audio @tag:audiovm-sys-audio allow target=dom0
+admin.vm.feature.CheckWithTemplate +audio sys-audio @tag:audiovm-sys-audio allow target=dom0
+admin.vm.feature.CheckWithTemplate +audio-model sys-audio @tag:audiovm-sys-audio allow target=dom0
+admin.vm.feature.CheckWithTemplate +supported-service.pipewire sys-audio @tag:audiovm-sys-audio allow target=dom0
+admin.vm.feature.CheckWithTemplate +audio-low-latency sys-audio @tag:audiovm-sys-audio allow target=dom0
+admin.vm.property.Get +stubdom_xid sys-audio @tag:audiovm-sys-audio allow target=dom0
+
+admin.vm.property.GetAll * sys-audio @tag:audiovm-sys-audio deny notify=no
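Review bot: L1984 (`admin.Events * sys-audio @adminvm allow target=dom0`) lets sys-audio subscribe to every admin event dom0 emits, with any argument, which is far wider than the `+property-…`/`+domain-…` argument-scoped rules that follow for tagged qubes; the `# TODO` on L1986 suggests the set is not settled yet. Since policy is first-match, narrowing L1984 to the same argument list — or at least a comment recording why the wildcard is required — keeps the audio qube's view of dom0 to what the audio daemon actually consumes; the closing `admin.vm.property.GetAll … deny notify=no` (L2010) is the right default for the rest.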
--- /dev/null
+include:
+ - sys-audio.sys-audio--create-template
+ - sys-audio.sys-audio--create-app-qube
+ - sys-audio.sys-audio--create-sys-qube
+ - sys-audio.sys-audio--install-packages
+ - sys-audio.sys-audio--configure-policy
--- /dev/null
+{% if grains['id'] == 'dom0' %}
+
+sys-audio--configure-policy:
+ file.managed:
+ - name: /etc/qubes/policy.d/50-sys-audio.policy
+ - source: salt://sys-audio/files/50-sys-audio.policy
+
+{% endif %}
--- /dev/null
+{% if grains['id'] == 'dom0' %}
+
+sys-audio--create-app-qube:
+ qvm.vm:
+ - name: app-audio
+ - present:
+ - template: template-audio
+ - label: purple
+ - prefs:
+ - label: purple
+ - audiovm:
+ - guivm:
+ - netvm:
+ - autostart: False
+ - template_for_dispvms: True
+ - features:
+ - set:
+ - menu-items: debian-xterm.desktop
+ - require:
+ - qvm: sys-audio--create-template
+
+{% endif %}
--- /dev/null
+{% if grains['id'] == 'dom0' %}
+
+sys-audio--create-sys-qube:
+ qvm.vm:
+ - name: sys-audio
+ - present:
+ - template: app-audio
+ - label: purple
+ - class: DispVM
+ - prefs:
+ - label: purple
+ - autostart: True
+ - provides-network: True
+ - virt_mode: hvm
+ - maxmem: 0
+ - audiovm:
+ - guivm: dom0
+ - netvm:
+ - service:
+ - enable:
+ - audiovm
+ - require:
+ - qvm: sys-audio--create-app-qube
+
+{% endif %}
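Review bot: `sys-audio--create-sys-qube` sets `provides-network: True` (L2063) on the audio qube; sys-audio has no netvm, installs no networking packages (L2110–L2116) and nothing in the commit uses it as a netvm, so the line looks copied from `sys-vpn-mullvad--create-qube` (L1093) and should be dropped — left in, it advertises a qube that only owns the sound card as a NetVM candidate. `virt_mode: hvm` and `maxmem: 0` are consistent with PCI passthrough and can stay.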
--- /dev/null
+{% import "templates/versions.jinja" as version %}
+
+include:
+ - templates.templates--install-debian-minimal
+
+{% if grains['id'] == 'dom0' %}
+
+sys-audio--create-template:
+ qvm.clone:
+ - name: template-audio
+ - source: debian-{{ version.debian }}-minimal
+ - class: TemplateVM
+ - require:
+ - qvm: templates--install-debian-{{ version.debian }}-minimal
+
+sys-audio--template-prefs:
+ qvm.prefs:
+ - name: template-audio
+ - label: purple
+ - audiovm:
+ - guivm:
+ - netvm:
+ - require:
+ - qvm: sys-audio--create-template
+
+{% endif %}
--- /dev/null
+{% if grains['id'] == 'template-audio' %}
+
+sys-audio---install-packages:
+ pkg.installed:
+ - refresh: True
+ - pkgs:
+ - qubes-audio-daemon
+ - qubes-core-admin-client
+ - qubes-usb-proxy
+ - pipewire-qubes
+ - pavucontrol
+ - alsa-utils
+ - pasystray
+
+{% endif %}
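Review bot: The state id on L2106 is `sys-audio---install-packages` with three dashes, while the `init.sls` include (L2016) and every other formula use the `<formula>--<action>` form; rename it to `sys-audio--install-packages`. The include resolves by file name so nothing breaks now, but a `require: - pkg: sys-audio--install-packages` written with the obvious name would not match.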
--- /dev/null
+include:
+ - sys-firewall.sys-firewall--create-template
+ - sys-firewall.sys-firewall--install-packages
+ - sys-firewall.sys-firewall--create-app-qube
+ - sys-firewall.sys-firewall--configure-sys-qube
--- /dev/null
+{% if grains['id'] == 'dom0' %}
+
+sys-firewall--configure-sys-qube:
+ qvm.vm:
+ - name: sys-firewall
+ - present:
+ - template: app-firewall
+ - label: red
+ - class: DispVM
+ - prefs:
+ - label: red
+ - audiovm:
+ - guivm:
+ - netvm: sys-net
+ - autostart: True
+ - require:
+ - qvm: sys-firewall--create-app-qube
+
+{% endif %}
--- /dev/null
+{% if grains['id'] == 'dom0' %}
+
+sys-firewall--create-app-qube:
+ qvm.vm:
+ - name: app-firewall
+ - present:
+ - template: template-firewall
+ - label: red
+ - prefs:
+ - label: red
+ - audiovm:
+ - guivm:
+ - netvm:
+ - autostart: False
+ - template_for_dispvms: True
+ - require:
+ - qvm: sys-firewall--create-template
+
+{% endif %}
--- /dev/null
+{% import "templates/versions.jinja" as version %}
+
+include:
+ - templates.templates--install-debian-minimal
+
+{% if grains['id'] == 'dom0' %}
+
+sys-firewall--create-template:
+ qvm.clone:
+ - name: template-firewall
+ - source: debian-12-minimal
+ - class: TemplateVM
+ - require:
+ - qvm: templates--install-debian-{{ version.debian }}-minimal
+
+sys-firewall--template-prefs:
+ qvm.prefs:
+ - name: template-firewall
+ - label: red
+ - audiovm:
+ - guivm:
+ - netvm:
+ - require:
+ - qvm: sys-firewall--create-template
+
+{% endif %}
--- /dev/null
+{% if grains['id'] == 'template-firewall' %}
+
+sys-firewall--install-packages:
+ pkg.installed:
+ - refresh: True
+ - pkgs:
+ - qubes-core-agent-networking
+ - qubes-core-agent-dom0-updates
+
+{% endif %}
--- /dev/null
+include:
+ - sys-net.sys-net--create-template
+ - sys-net.sys-net--install-packages
+ - sys-net.sys-net--create-app-qube
+ - sys-net.sys-net--configure-sys-qube
--- /dev/null
+{% if grains['id']== 'dom0' %}
+
+sys-net--configure-sys-qube:
+ qvm.vm:
+ - name: sys-net
+ - present:
+ - template: app-net
+ - label: red
+ - class: DispVM
+ - prefs:
+ - audiovm:
+ - guivm:
+ - netvm:
+ - require:
+ - sys-net--create-app-qube
+
+{% endif %}
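Review bot: The `require` entries on L2224 (`- sys-net--create-app-qube`), L2244 and L2309 (`sys-usb--configure-sys-qube`) are bare state ids rather than the `- qvm: <id>` form used everywhere else in the commit; recent Salt resolves an unqualified id, but older releases reject it, and the qualified form is what the rest of the tree relies on. These two sys-qube states also set no `label` under `prefs` (L2219–L2222), unlike `sys-firewall--configure-sys-qube` (L2136) — `present` already labels them red, so that part is cosmetic. Likewise cosmetic: `{% if grains['id']== 'dom0' %}` on L2210 and L2295 lacks the space before `==`.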
--- /dev/null
+{% if grains['id'] == 'dom0' %}
+
+sys-net--create-app-qube:
+ qvm.vm:
+ - name: app-net
+ - present:
+ - template: template-net
+ - label: red
+ - prefs:
+ - label: red
+ - guivm:
+ - audiovm:
+ - netvm:
+ - autostart: False
+ - template_for_dispvms: True
+ - require:
+ - sys-net--create-template
+
+{% endif %}
--- /dev/null
+{% import "templates/versions.jinja" as version %}
+
+include:
+ - templates.templates--install-fedora-minimal
+
+{% if grains['id'] == 'dom0' %}
+
+sys-net--create-template:
+ qvm.clone:
+ - name: template-net
+ - source: fedora-{{ version.fedora }}-minimal
+ - class: TemplateVM
+ - require:
+ - qvm: templates--install-fedora-{{ version.fedora }}-minimal
+
+sys-net--template-prefs:
+ qvm.prefs:
+ - name: template-net
+ - label: red
+ - audiovm:
+ - guivm:
+ - netvm:
+ - require:
+ - qvm: sys-net--create-template
+
+{% endif %}
--- /dev/null
+{% if grains['id'] == 'template-net' %}
+
+sys-net--install-packages:
+ pkg.installed:
+ - refresh: True
+ - pkgs:
+ - qubes-core-agent-networking
+ - qubes-core-agent-network-manager
+ - NetworkManager-wifi
+ - network-manager-applet
+ - polkit
+
+{% endif %}
--- /dev/null
+include:
+ - sys-usb.sys-usb--create-template
+ - sys-usb.sys-usb--install-packages
+ - sys-usb.sys-usb--create-app-qube
+ - sys-usb.sys-usb--configure-sys-qube
--- /dev/null
+{% if grains['id']== 'dom0' %}
+
+sys-usb--configure-sys-qube:
+ qvm.vm:
+ - name: sys-usb
+ - present:
+ - template: app-usb
+ - label: red
+ - class: DispVM
+ - prefs:
+ - audiovm:
+ - guivm:
+ - netvm:
+ - require:
+ - sys-usb--create-app-qube
+
+{% endif %}
--- /dev/null
+{% if grains['id'] == 'dom0' %}
+
+sys-usb--create-app-qube:
+ qvm.vm:
+ - name: app-usb
+ - present:
+ - template: template-usb
+ - label: red
+ - prefs:
+ - label: red
+ - audiovm:
+ - guivm:
+ - netvm:
+ - autostart: False
+ - template_for_dispvms: True
+ - require:
+ - qvm: sys-usb--create-template
+
+{% endif %}
--- /dev/null
+{% import "templates/versions.jinja" as version %}
+
+include:
+ - templates.templates--install-debian-minimal
+
+{% if grains['id'] == 'dom0' %}
+
+sys-usb--create-template:
+ qvm.clone:
+ - name: template-usb
+ - source: debian-{{ version.debian }}-minimal
+ - class: TemplateVM
+ - require:
+ - qvm: templates--install-debian-{{ version.debian }}-minimal
+
+sys-usb--template-prefs:
+ qvm.prefs:
+ - name: template-usb
+ - label: red
+ - audiovm:
+ - guivm:
+ - netvm:
+ - require:
+ - qvm: sys-usb--create-template
+
+{% endif %}
--- /dev/null
+{% if grains['id'] == 'template-usb' %}
+
+sys-usb--install-packages:
+ pkg.installed:
+ - refresh: True
+ - pkgs:
+ - qubes-usb-proxy
+ - qubes-input-proxy-sender
+
+{% endif %}
--- /dev/null
+include:
+ - sys-whonix.sys-whonix--prefs
--- /dev/null
+{% import "templates/versions.jinja" as version %}
+
+include:
+ - templates.templates--install-whonix-gw
+
+{% if grains['id'] == 'dom0' %}
+
+sys-whonix--prefs:
+ qvm.prefs:
+ - name: sys-whonix
+ - netvm: sys-vpn-mullvad-for-tor
+ - audiovm:
+ - guivm:
+ - require:
+ - qvm: templates--install-whonix-gw-{{ version.whonix }}
+
+{% endif %}
--- /dev/null
+{% import "templates/versions.jinja" as version %}
+
+{% if grains['id'] == 'dom0' %}
+
+templates--install-debian-{{ version.debian }}-minimal:
+ qvm.template_installed:
+ - name: debian-{{ version.debian }}-minimal
+ - fromrepo: qubes-templates-itl
+
+templates--debian-{{ version.debian }}-minimal-prefs:
+ qvm.prefs:
+ - name: debian-{{ version.debian }}-minimal
+ - audiovm:
+ - guivm:
+ - netvm:
+
+{% endif %}
--- /dev/null
+{% import "templates/versions.jinja" as version %}
+
+{% if grains['id'] == 'dom0' %}
+
+templates--install-fedora-{{ version.fedora }}-minimal:
+ qvm.template_installed:
+ - name: fedora-{{ version.fedora }}-minimal
+ - fromrepo: qubes-templates-itl
+
+templates--fedora-{{ version.fedora }}-minimal-prefs:
+ qvm.prefs:
+ - name: fedora-{{ version.fedora }}-minimal
+ - audiovm:
+ - guivm:
+ - netvm:
+
+{% endif %}
--- /dev/null
+{% import "templates/versions.jinja" as version %}
+
+{% if grains['id'] == 'dom0' %}
+
+templates--install-whonix-gw-{{ version.whonix }}:
+ qvm.template_installed:
+ - name: whonix-gateway-{{ version.whonix }}
+ - fromrepo: qubes-templates-itl
+
+templates--whonix-gw-{{ version.whonix }}-prefs:
+ qvm.prefs:
+ - name: whonix-gateway-{{ version.whonix }}
+ - audiovm:
+ - guivm:
+ - netvm:
+
+{% endif %}
--- /dev/null
+{% import "templates/versions.jinja" as version %}
+
+{% if grains['id'] == 'dom0' %}
+
+templates--install-whonix-ws-{{ version.whonix }}:
+ qvm.template_installed:
+ - name: whonix-workstation-{{ version.whonix }}
+ - fromrepo: qubes-templates-itl
+
+templates--whonix-ws-{{ version.whonix }}-prefs:
+ qvm.prefs:
+ - name: whonix-workstation-{{ version.whonix }}
+ - audiovm:
+ - guivm:
+ - netvm:
+
+{% endif %}
--- /dev/null
+{% set debian = salt['pillar.get']('template:debian:version') %}
+{% set fedora = salt['pillar.get']('template:fedora:version') %}
+{% set whonix = salt['pillar.get']('template:whonix:version') %}
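Review bot: The three `pillar.get` calls have no default and no check, so if the `template` pillar is missing or misnamed each version renders as an empty string and the importing states silently produce ids and VM names such as `debian--minimal`, which only fail later with an unrelated-looking error. Either supply a default or fail at render time, e.g. `{% if not debian %}{{ raise('template:debian:version pillar is not set') }}{% endif %}` for each of the three values. A one-line comment naming the pillar keys these lookups expect would also help whoever maintains the pillar side.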
--- /dev/null
+{% import "templates/versions.jinja" as version %}
+
+# vim: set syntax=yaml ts=2 sw=2 sts=2 et :
+#
+# 1) Intial Setup: sync any modules, etc
+# --> qubesctl saltutil.sync_all
+#
+# 2) Initial Key Import:
+# --> qubesctl state.sls salt.gnupg
+#
+# 3) Highstate will execute all states
+# --> qubesctl state.highstate
+#
+# 4) Highstate test mode only. Note note all states seem to conform to test
+# mode and may apply state anyway. Needs more testing to confirm or not!
+# --> qubesctl state.highstate test=True
+
+# === User Defined Salt States ================================================
+#user:
+# '*':
+# - locale
+
+#user:
+ # '*':
+ # - top.sls
+
+user:
+ '*':
+ - common.journald
+ - common.darkmode
+ - common.bash
+ - common.onionize-repositories
+
+ dom0:
+ - common.disk-trimming
+ - common.logrotate
+ - common.remove-unwanted.remove-unwanted--domzero-packages
+
+ debian-{{ version.debian }}-minimal:
+ - common.remove-unwanted.remove-unwanted--debian-packages
+
+ fedora-{{ version.fedora }}-minimal:
+ - common.onionize-repositories
+
+ whonix-gateway-{{ version.whonix }}:
+ - common.kernel.kernel--disable-sound
+
+ whonix-workstation-{{ version.whonix }}:
+ - common.kernel.kernel--disable-sound
+
+ dom0 or template-firewall:
+ - sys-firewall
+ - common.kernel.kernel--disable-sound
+
+ dom0 or template-audio:
+ - sys-audio
+ - common.remove-unwanted.remove-unwanted--debian-systemd-services
+
+ dom0 or whonix-workstation-{{ version.whonix }}-dvm:
+ - whonix-workstation-dvm
+
+ dom0 or template-usb:
+ - sys-usb
+ - common.kernel.kernel--disable-sound
+ - common.remove-unwanted.remove-unwanted--debian-systemd-services
+
+ dom0 or template-net:
+ - sys-net
+ - common.kernel.kernel--disable-sound
+
+ dom0 or template-default-mgmt-dvm:
+ - default-mgmt-dvm
+ - common.kernel.kernel--disable-sound
+ - common.remove-unwanted.remove-unwanted--debian-systemd-services
+
+ dom0 or template-vpn-mullvad or app-vpn-mullvad or template-vpn-mullvad-for-tor or app-vpn-mullvad-for-tor:
+ - mullvad-vpn
+ - common.kernel.kernel--disable-sound
+
+ dom0 or template-default-dvm:
+ - default-dvm
+ - common.kernel.kernel--disable-sound
+ - common.remove-unwanted.remove-unwanted--debian-systemd-services
+
+ dom0 or template-pwmanager:
+ - pwmanager
+ - common.kernel.kernel--disable-sound
+ - common.remove-unwanted.remove-unwanted--debian-systemd-services
+
+ dom0 or template-archive:
+ - archive
+ - common.kernel.kernel--disable-sound
+ - common.remove-unwanted.remove-unwanted--debian-systemd-services
+
+ dom0 or template-notes:
+ - notes
+ - common.kernel.kernel--disable-sound
+ - common.remove-unwanted.remove-unwanted--debian-systemd-services
+
+ dom0 or template-mullvad-browser:
+ - mullvad-browser
+
+ dom0 or template-dev:
+ - dev
+ - common.kernel.kernel--disable-sound
+
+ dom0 or template-ssh or template-split-ssh or app-ssh or app-split-ssh:
+ - split-ssh
+ - common.kernel.kernel--disable-sound
+
+ dom0 or template-split-ssh:
+ - common.remove-unwanted.remove-unwanted--debian-systemd-services
+
+ dom0 or template-btc or template-btc-offline:
+ - split-btc
+ - common.kernel.kernel--disable-sound
+
+ dom0 or template-btc-offline:
+ - common.remove-unwanted.remove-unwanted--debian-systemd-services
+
+ dom0 or template-split-gpg:
+ - split-gpg
+ - common.kernel.kernel--disable-sound
+ - common.remove-unwanted.remove-unwanted--debian-systemd-services
+
+ dom0 or template-split-gpg-legacy:
+ - split-gpg-legacy
+ - common.kernel.kernel--disable-sound
+ - common.remove-unwanted.remove-unwanted--debian-systemd-services
+
+ dom0 or sys-whonix:
+ - sys-whonix
+ - common.kernel.kernel--disable-sound
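Review bot: Targets such as `dom0 or template-firewall` are compound expressions, and a Salt top file matches a target as a glob unless its state list opens with `- match: compound`; under glob matching neither `dom0` nor `template-firewall` matches that string and the states under it are never applied. If the Qubes salt integration matches these without the marker, a comment at the top of the `user` environment saying so would stop the next reader from "fixing" it; otherwise each compound target needs `- match: compound` as its first entry. Separately, `common.onionize-repositories` is already applied to every minion via `'*'`, so listing it again under `fedora-{{ version.fedora }}-minimal` is redundant. The comment `Note note all states seem to conform to test mode` presumably means `Note not all states`.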
--- /dev/null
+include:
+ - whonix-workstation-dvm.whonix-workstation-dvm--app-qube-prefs
--- /dev/null
+{% import "templates/versions.jinja" as version %}
+
+include:
+ - templates.templates--install-whonix-ws
+
+{% if grains['id'] == 'dom0' %}
+
+whonix-workstation-dvm--app-qube-prefs:
+ qvm.prefs:
+ - name: whonix-workstation-{{ version.whonix }}-dvm
+ - audiovm: sys-audio
+ - guivm: dom0
+ - netvm: sys-whonix
+ - require:
+ - qvm: templates--install-whonix-ws-{{ version.whonix }}
+
+{% endif %}
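Review bot: `whonix-workstation-dvm--app-qube-prefs` sets `audiovm: sys-audio` and `netvm: sys-whonix` but only requires the whonix-workstation template install, so nothing on this page orders it after the qubes it references or after the creation of `whonix-workstation-{{ version.whonix }}-dvm` itself; if the dvm is created as a side effect of the template install, a comment stating that would save the next reader a search. Adding the states that create sys-audio and sys-whonix to the require list, where such states exist in this repository, would make the ordering explicit. This file also sets `guivm: dom0` explicitly while the template prefs states leave guivm empty; if both are deliberate, a short comment on why the dvm gets a GUI VM and the templates do not would help.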