{% if grains['id'] not in ['dom0', 'template-split-gpg', 'app-split-gpg'] %}
+{% set gpg_fingerprint = 'C1E78CE601392ABCC49072A0B204131BB15B20FE' %}
+
+
+split-gpg--configure-cache-dir:
+ file.directory:
+ - name: /home/user/.cache
+ - user: user
+ - group: user
+ - mode: 755
+ - makedirs: True
split-gpg--configure-gpg-import-files:
file.managed:
- mode: 644
- names:
- - /tmp/public-keys-export:
+ - /home/user/.cache/public-keys-export:
- source: salt://split-gpg/files/public-keys-export
- - /tmp/ownertrust-export:
+ - /home/user/.cache/ownertrust-export:
- source: salt://split-gpg/files/ownertrust-export
+ - require:
+ - file: split-gpg--configure-cache-dir
split-gpg--configure-public-keys-import:
cmd.run:
- - name: "su - user -c 'gpg --import /tmp/public-keys-export'"
+ - name: "su - user -c 'gpg --import /home/user/.cache/public-keys-export'"
- require:
- file: split-gpg--configure-gpg-import-files
+ - unless: su - user -c 'gpg --list-keys | grep -q {{ gpg_fingerprint }}'
split-gpg--configure-ownertrust-import:
cmd.run:
- - name: "su - user -c 'gpg --import-ownertrust /tmp/ownertrust-export'"
+ - name: "su - user -c 'gpg --import-ownertrust /home/user/.cache/ownertrust-export'"
+ - runas: user
- require:
- file: split-gpg--configure-gpg-import-files
+ - unless: |
+ # Compare SHA256 hashes of current trust vs export file
+ CURRENT_HASH=$(su - user -c 'gpg --export-ownertrust | grep {{ gpg_fingerprint }} | sha256sum')
+ DESIRED_HASH=$(cat /home/user/.cache/ownertrust-export | grep {{ gpg_fingerprint }} | sha256sum)
+ [ "$CURRENT_HASH" = "$DESIRED_HASH" ]
{% endif %}
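Review bot: `runas: user` added at line 35 conflicts with the state's `name` on line 34, which still wraps the command in `su - user -c`; once the state itself runs as `user`, `su` is invoked by a non-root account and prompts for a password (failing non-interactively) instead of importing the ownertrust file, and the `unless` script on lines 38–42 (which Salt, as far as I can tell, also executes under `runas`) has the same problem in its `CURRENT_HASH` line. Either drop `runas: user` or, better, keep it and call gpg directly: `- name: gpg --import-ownertrust /home/user/.cache/ownertrust-export` and `CURRENT_HASH=$(gpg --export-ownertrust | grep {{ gpg_fingerprint }} | sha256sum)`. The public-keys-import state at lines 27–30 keeps the `su` wrapper without `runas`, so whichever form is chosen should be applied to both states so they run under one consistent privilege model. A lesser point: `mode: 755` on the new cache-dir state (line 10) is an unquoted number; quoting it as `mode: '0755'` avoids YAML reinterpreting the value if a leading zero is ever added.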
qvm-firewall q-ssh add accept 162.55.181.96/32 proto=tcp
qvm-firewall q-ssh add accept 116.202.96.31/32 proto=tcp
qvm-firewall q-ssh add drop
+ - unless: |
+ CURRENT=$(qvm-firewall --raw q-ssh list)
+ DESIRED=$(echo -e 'action=accept proto=tcp dst4=138.199.226.242/32
+ action=accept proto=tcp dst4=162.55.181.96/32
+ action=accept proto=tcp dst4=116.202.96.31/32
+ action=drop')
+ [ "$CURRENT" = "$DESIRED" ]
+ - output_loglevel: quiet
+
{% elif grains['id'] == 'app-split-ssh' %}
- source: salt://split-ssh/files/qubes.SshAgent
- mode: 755
-{% elif grains['id'] == 'app-ssh' %}
+{% elif grains['id'] == 'app-ssh' or 'dev' in grains['id'] and 'template' not in grains['id'] %}
+{% if grains['id'] == 'app-ssh' %}
include:
- split-gpg.split-gpg--configure-gpg
+{% endif %}
+
+split-ssh--ensure-rclocal-exists:
+ file.managed:
+ - name: /rw/config/rc.local
+ - user: root
+ - group: root
+ - mode: 755
+ - create: True
+ - replace: False
+
+split-ssh--configure-rclocal:
+ file.blockreplace:
+ - name: /rw/config/rc.local
+ - marker_start: "# {mark} SPLIT_SSH (SALT) - START"
+ - marker_end: "# {mark} SPLIT_SSH (SALT) - END"
+ - content: |
+ # SPLIT SSH CONFIGURATION >>>
+ # replace "vault" with your AppVM name which stores the ssh private key(s)
+ SSH_VAULT_VM="q-split-ssh"
+
+ if [ "$SSH_VAULT_VM" != "" ]; then
+ export SSH_SOCK="/home/user/.SSH_AGENT_$SSH_VAULT_VM"
+ rm -f "$SSH_SOCK"
+ sudo -u user /bin/sh -c "umask 177 && exec socat 'UNIX-LISTEN:$SSH_SOCK,fork' 'EXEC:qrexec-client-vm $SSH_VAULT_VM qubes.SshAgent'" &
+ fi
+ # <<< SPLIT SSH CONFIGURATION
+ - append_if_not_found: True
+ - show_changes: True
+ - require:
+ - file: split-ssh--ensure-rclocal-exists
+
+split-ssh--ensure-bashrc-exists:
+ file.managed:
+ - name: /home/user/.bashrc
+ - user: root
+ - group: root
+ - mode: 644
+ - create: True
+ - replace: False
-split-ssh--configure-app-ssh:
- file.append:
- - names:
- - /rw/config/rc.local:
- - source: salt://split-ssh/files/rc.local
- - /home/user/.bashrc:
- - source: salt://split-ssh/files/bashrc
+split-ssh--configure-bashrc:
+ file.blockreplace:
+ - name: /home/user/.bashrc
+ - marker_start: "# {mark} SPLIT_SSH (SALT) - START"
+ - marker_end: "# {mark} SPLIT_SSH (SALT) - END"
+ - content: |
+ # SPLIT SSH CONFIGURATION >>>
+ # replace "vault" with your AppVM name which stores the ssh private key(s)
+ SSH_VAULT_VM="q-split-ssh"
+
+ if [ "$SSH_VAULT_VM" != "" ]; then
+ export SSH_AUTH_SOCK="/home/user/.SSH_AGENT_$SSH_VAULT_VM"
+ fi
+ # <<< SPLIT SSH CONFIGURATION
+ - append_if_not_found: True
+ - show_changes: True
+ - require:
+ - file: split-ssh--ensure-bashrc-exists
{% endif %}
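Review bot: `split-ssh--ensure-bashrc-exists` (lines 96–103) sets `user: root` and `group: root` on `/home/user/.bashrc`; `replace: False` only protects the contents, so an existing user-owned `.bashrc` is chowned to root on the first apply and the user can no longer edit their own shell rc, which is wrong for a file in the user's home (root ownership is appropriate for `/rw/config/rc.local` in the state above, not here). Change those two lines to `- user: user` and `- group: user`; mode 644 is fine. In the firewall guard at line 49, `echo -e` is unnecessary because the single-quoted string already contains literal newlines, and under a non-bash `/bin/sh` (dash) it would emit a literal `-e` so the comparison never matches and the add commands re-run on every apply; `DESIRED=$(echo 'action=accept proto=tcp dst4=138.199.226.242/32` with the rest unchanged is the portable form. That guard also lists a 138.199.226.242/32 rule whose matching `add` command is not visible here (the enclosing cmd.run state starts before this hunk), and it presumably depends on `qvm-firewall --raw list` printing fields in exactly this order, so the two lists need to be kept in sync or the drop-all state silently stops being idempotent. Finally, the condition on line 60 mixes `or` and `and` without parentheses and `'dev' in grains['id']` is a substring match, so the branch applies to any non-template qube whose name merely contains `dev`; writing `{% elif grains['id'] == 'app-ssh' or ('dev' in grains['id'] and 'template' not in grains['id']) %}` makes the intended precedence explicit.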