From 048820d88398a3f1ba8e2709d14369f07048487d Mon Sep 17 00:00:00 2001
From: Andreas Glashauser
Date: Tue, 1 Apr 2025 10:15:36 +0200
Subject: [PATCH] ADDED: states for setting up Cursor IDE with strict firewall rules
---
.../dev-cursor/dev-cursor--create-qube.sls | 21 ++++++++
.../dev-cursor--create-template.sls | 26 ++++++++++
user_salt/dev-cursor/dev-cursor--firewall.sls | 40 ++++++++++++++
.../dev-cursor/dev-cursor--firewall.sls.bak1 | 29 +++++++++++
.../dev-cursor--install-packages.sls | 15 ++++++
.../dev-cursor--install-qube-packages.sls | 52 +++++++++++++++++++
user_salt/dev-cursor/init.sls | 6 +++
7 files changed, 189 insertions(+)
create mode 100644 user_salt/dev-cursor/dev-cursor--create-qube.sls
create mode 100644 user_salt/dev-cursor/dev-cursor--create-template.sls
create mode 100644 user_salt/dev-cursor/dev-cursor--firewall.sls
create mode 100644 user_salt/dev-cursor/dev-cursor--firewall.sls.bak1
create mode 100644 user_salt/dev-cursor/dev-cursor--install-packages.sls
create mode 100644 user_salt/dev-cursor/dev-cursor--install-qube-packages.sls
create mode 100644 user_salt/dev-cursor/init.sls
diff --git a/user_salt/dev-cursor/dev-cursor--create-qube.sls b/user_salt/dev-cursor/dev-cursor--create-qube.sls
new file mode 100644
index 0000000..0c4c2c5
--- /dev/null
+++ b/user_salt/dev-cursor/dev-cursor--create-qube.sls
@@ -0,0 +1,21 @@
+{% if grains['id'] == 'dom0' %}
+
+dev-cursor--create-qube:
+ qvm.vm:
+ - name: q-dev-cursor
+ - present:
+ - template: template-dev-cursor
+ - label: orange
+ - prefs:
+ - label: orange
+ - netvm: sys-vpn-mullvad
+ - features:
+ - set:
+ - menu-items: cursor.desktop xterm.desktop
+ - service:
+ - enable:
+ - shutdown-idle
+ - require:
+ - qvm: dev-cursor--create-template
+
+{% endif %}
diff --git a/user_salt/dev-cursor/dev-cursor--create-template.sls b/user_salt/dev-cursor/dev-cursor--create-template.sls
new file mode 100644
index 0000000..e5ed334
--- /dev/null
+++ b/user_salt/dev-cursor/dev-cursor--create-template.sls
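Review bot: `label: orange` is set twice in the new `dev-cursor--create-qube` state, once under `present` and again under `prefs`; the `prefs` copy is redundant and can be dropped so that `- prefs:` carries only `- netvm: sys-vpn-mullvad`. The qube is also attached to `sys-vpn-mullvad` at creation, while the restrictive ruleset lives in the separate `dev-cursor--firewall` state that merely requires this one, so until that state has run the qube presumably carries the Qubes default firewall rules rather than the intended allowlist. A short comment on the `netvm` line saying that the qube must not be started before `dev-cursor--firewall` has been applied would make that dependency visible to whoever applies these states individually.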
@@ -0,0 +1,26 @@
+{% import "templates/versions.jinja" as version %}
+
+include:
+ - templates.templates--install-fedora-minimal
+
+{% if grains['id'] == 'dom0' %}
+
+dev-cursor--create-template:
+ qvm.clone:
+ - name: template-dev-cursor
+ - source: fedora-{{ version.fedora }}-minimal
+ - class: TemplateVM
+ - require:
+ - qvm: templates--install-fedora-{{ version.fedora }}-minimal
+
+dev-cursor--template-prefs:
+ qvm.prefs:
+ - name: template-dev-cursor
+ - label: orange
+ - audiovm:
+ - guivm:
+ - netvm:
+ - require:
+ - qvm: dev-cursor--create-template
+
+{% endif %}
diff --git a/user_salt/dev-cursor/dev-cursor--firewall.sls b/user_salt/dev-cursor/dev-cursor--firewall.sls
new file mode 100644
index 0000000..36fb168
--- /dev/null
+++ b/user_salt/dev-cursor/dev-cursor--firewall.sls
@@ -0,0 +1,40 @@
+{% if grains['id'] == 'dom0' %}
+
+dev-cursor--firewall:
+ cmd.run:
+ - name: |
+ qvm-firewall q-dev-cursor reset
+ qvm-firewall q-dev-cursor del accept
+ qvm-firewall q-dev-cursor add accept specialtarget=dns
+ qvm-firewall q-dev-cursor add accept proto=icmp
+ qvm-firewall q-dev-cursor add accept api2.cursor.sh proto=tcp
+ qvm-firewall q-dev-cursor add accept api3.cursor.sh proto=tcp
+ qvm-firewall q-dev-cursor add accept repo42.cursor.sh proto=tcp
+ qvm-firewall q-dev-cursor add accept api4.cursor.sh proto=tcp
+ qvm-firewall q-dev-cursor add accept cursor-cdn.com proto=tcp
+ qvm-firewall q-dev-cursor add accept github.com proto=tcp
+ qvm-firewall q-dev-cursor add accept git.andreasglashauser.com proto=tcp
+ #qvm-firewall q-dev-cursor add accept downloads.cursor.com proto=tcp
+ #qvm-firewall q-dev-cursor add accept objects.githubusercontent.com proto=tcp
+ qvm-firewall q-dev-cursor add drop
+
+ - unless: |
+ CURRENT=$(qvm-firewall --raw q-dev-cursor list)
+ DESIRED=$(echo -e 'action=accept specialtarget=dns
+ action=accept proto=icmp
+ action=accept proto=tcp dsthost=api2.cursor.sh
+ action=accept proto=tcp dsthost=api3.cursor.sh
+ action=accept proto=tcp dsthost=repo42.cursor.sh
+ action=accept proto=tcp dsthost=api4.cursor.sh
+ action=accept proto=tcp dsthost=cursor-cdn.com
+ action=accept proto=tcp dsthost=github.com
+ action=accept proto=tcp dsthost=git.andreasglashauser.com
+ action=drop')
+ [ "$CURRENT" = "$DESIRED" ]
+ - require:
+ - qvm: dev-cursor--create-qube
+
+ #action=accept proto=tcp dsthost=downloads.cursor.com
+ #action=accept proto=tcp dsthost=objects.githubusercontent.com
+
+{% endif %}
diff --git a/user_salt/dev-cursor/dev-cursor--firewall.sls.bak1 b/user_salt/dev-cursor/dev-cursor--firewall.sls.bak1
new file mode 100644
index 0000000..e8e591d
--- /dev/null
+++ b/user_salt/dev-cursor/dev-cursor--firewall.sls.bak1
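Review bot: Every host rule in the new `name` script permits all TCP ports (`add accept api2.cursor.sh proto=tcp` and the seven lines after it), although the IDE and git traffic being allowlisted here is HTTPS; narrowing each rule, e.g. `qvm-firewall q-dev-cursor add accept api2.cursor.sh proto=tcp dstports=443`, with the matching `dstports=443` appended to each `DESIRED` line in `unless` so the idempotency check still passes, makes the allowlist considerably tighter (`git.andreasglashauser.com` may also need 22 if it is reached over SSH). Hostname rules are resolved to addresses when the netvm loads them, so an allowlist built on CDN names such as `cursor-cdn.com` and `github.com` is only as reliable as that resolution and may need re-application when addresses rotate. The script also runs `reset` before the restrictive rules are re-added, so every time `unless` evaluates false the qube briefly holds the default ruleset; since the exact `--raw` output format is not shown here, it is worth confirming that the `DESIRED` comparison really matches, otherwise this state re-runs on every highstate.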
@@ -0,0 +1,29 @@
+{% if grains['id'] == 'dom0' %}
+
+dev-cursor--firewall:
+ cmd.run:
+ - name: |
+ qvm-firewall q-dev-cursor reset
+ qvm-firewall q-dev-cursor del accept
+ qvm-firewall q-dev-cursor add accept specialtarget=dns
+ qvm-firewall q-dev-cursor add accept proto=icmp
+ qvm-firewall q-dev-cursor add accept api2.cursor.sh
+ qvm-firewall q-dev-cursor add accept api3.cursor.sh
+ qvm-firewall q-dev-cursor add accept repo42.cursor.sh
+ qvm-firewall q-dev-cursor add accept api4.cursor.sh
+ qvm-firewall q-dev-cursor add accept marketplace.cursorapi.com
+ qvm-firewall q-dev-cursor add accept cursor-cdn.com
+ qvm-firewall q-dev-cursor add accept downloads.cursor.com
+ qvm-firewall q-dev-cursor add accept vscodevim.gallerycdn.vsassets.io
+ qvm-firewall q-dev-cursor add accept vscodevim.gallerycdn.vsassets.io
+ qvm-firewall q-dev-cursor add accept www.vscode-unpkg.net
+ qvm-firewall q-dev-cursor add accept repo42.cursor.sh.cdn.cloudflare.net
+ qvm-firewall q-dev-cursor add accept cursor-lb-3-1690831134.us-east-1.elb.amazonaws.com
+ qvm-firewall q-dev-cursor add accept market-prod-cdn.trafficmanager.net
+ qvm-firewall q-dev-cursor add accept raw.githubusercontent.com
+ qvm-firewall q-dev-cursor add accept main.vscode-cdn.net
+ qvm-firewall q-dev-cursor add drop
+ - require:
+ - qvm: dev-cursor--create-qube
+
+{% endif %}
diff --git a/user_salt/dev-cursor/dev-cursor--install-packages.sls b/user_salt/dev-cursor/dev-cursor--install-packages.sls
new file mode 100644
index 0000000..b6d5ae0
--- /dev/null
+++ b/user_salt/dev-cursor/dev-cursor--install-packages.sls
@@ -0,0 +1,15 @@
+{% if grains['id'] == 'template-dev-cursor' %}
+
+dev-cursor--install-packages:
+ pkg.installed:
+ - refresh: True
+ - pkgs:
+ - qubes-core-agent-networking
+ - qubes-app-shutdown-idle
+ - git
+ - git-delta
+ - python3-virtualenvwrapper
+ - tree
+ - fuse-libs
+
+{% endif %}
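Review bot: `dev-cursor--firewall.sls.bak1` is an editor backup of the firewall state and should not be part of the commit; it defines the same state ID `dev-cursor--firewall` with a far broader allowlist (`downloads.cursor.com`, `raw.githubusercontent.com`, a `us-east-1.elb.amazonaws.com` load-balancer name, and `vscodevim.gallerycdn.vsassets.io` listed twice) and no port or protocol restriction, so anyone who later includes it by mistake silently widens the qube's egress policy. It is not referenced from `init.sls`, so today it is inert, but keeping a stale security policy beside the live one is how such drift happens; drop the file from the commit and add a `*.bak*` pattern to the repository's `.gitignore`.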
diff --git a/user_salt/dev-cursor/dev-cursor--install-qube-packages.sls b/user_salt/dev-cursor/dev-cursor--install-qube-packages.sls
new file mode 100644
index 0000000..ce6d130
--- /dev/null
+++ b/user_salt/dev-cursor/dev-cursor--install-qube-packages.sls
@@ -0,0 +1,52 @@
+{% set cursor_version = '0.47.9' %}
+{% set vscode_vim_version = '1.29.0' %}
+
+
+{% if grains['id'] == 'q-dev-cursor' %}
+
+dev-cursor--install-cursor:
+ cmd.run:
+ - name: curl --tlsv1.3 -LO --output-dir "/home/user/" "https://downloads.cursor.com/production/b6fb41b5f36bda05cab7109606e7404a65d1ff32/linux/x64/Cursor-{{ cursor_version }}-x86_64.AppImage"
+ - runas: user
+ - unless: test -f /home/user/Cursor-{{ cursor_version }}-x86_64.AppImage
+
+dev-cursor--appimage-executable:
+ cmd.run:
+ - name: chmod +x /home/user/Cursor-{{ cursor_version }}-x86_64.AppImage
+ - runas: user
+ - unless: test -x /home/user/Cursor-{{ cursor_version }}-x86_64.AppImage
+ - require:
+ - cmd: dev-cursor--install-cursor
+
+dev-cursor--install-cursor-extension-directory:
+ file.directory:
+ - name: /home/user/cursor-extensions
+ - user: user
+ - group: user
+ - mode: 755
+ - makedirs: True
+
+dev-cursor--install-cursor-extension-vim:
+ cmd.run:
+ - name: curl --tlsv1.3 -LO --output-dir "/home/user/cursor-extensions" "https://github.com/VSCodeVim/Vim/releases/download/v{{ vscode_vim_version }}/vim-{{ vscode_vim_version }}.vsix"
+ - runas: user
+ - unless: test -f /home/user/cursor-extensions/vim-{{ vscode_vim_version }}.vsix
+ - require:
+ - file: dev-cursor--install-cursor-extension-directory
+
+{% elif grains['id'] == 'template-dev-cursor' %}
+
+dev-cursor--create-desktop-entry:
+ file.managed:
+ - name: /usr/share/applications/cursor.desktop
+ - contents: |
+ [Desktop Entry]
+ Name=Cursor
+ Exec=/home/user/Cursor-{{ cursor_version }}-x86_64.AppImage
+ Icon=cursor
+ Terminal=false
+ Type=Application
+ Categories=Development
+ - mode: 644
+
+{% endif %}
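Review bot: The AppImage fetched in `dev-cursor--install-cursor` is downloaded with `curl -LO` and then marked executable in `dev-cursor--appimage-executable` without any integrity check, so a truncated or substituted download is trusted as-is and, because `unless: test -f` only checks for the file's existence, is never re-fetched. Salt's `file.managed` already handles a remote `source` with a pinned `source_hash` and refuses to install a file whose digest does not match, which replaces both states and the separate `chmod`; the same treatment applies to the `vim-{{ vscode_vim_version }}.vsix` download in `dev-cursor--install-cursor-extension-vim`. Note also that the firewall state in this commit comments out `downloads.cursor.com` and `objects.githubusercontent.com`, so with those rules active these fetches would presumably be dropped; the intended order of applying the firewall and this state is worth confirming.
```yaml
# … unchanged: version variables and the q-dev-cursor guard …
dev-cursor--install-cursor:
  file.managed:
    - name: /home/user/Cursor-{{ cursor_version }}-x86_64.AppImage
    - source: https://downloads.cursor.com/production/b6fb41b5f36bda05cab7109606e7404a65d1ff32/linux/x64/Cursor-{{ cursor_version }}-x86_64.AppImage
    # placeholder: pin the published SHA-256 of this release before applying
    - source_hash: sha256=<SHA256_OF_CURSOR_APPIMAGE>
    - user: user
    - group: user
    - mode: 755
# … unchanged: dev-cursor--install-cursor-extension-directory and the states after it …
```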
diff --git a/user_salt/dev-cursor/init.sls b/user_salt/dev-cursor/init.sls
new file mode 100644
index 0000000..3f638d1
--- /dev/null
+++ b/user_salt/dev-cursor/init.sls
@@ -0,0 +1,6 @@
+include:
+ - dev-cursor.dev-cursor--create-template
+ - dev-cursor.dev-cursor--install-packages
+ - dev-cursor.dev-cursor--create-qube
+ - dev-cursor.dev-cursor--firewall
+ - dev-cursor.dev-cursor--install-qube-packages
-- 
2.39.5