From a20505727b15479f9924ce023c62bdc67d2aa636 Mon Sep 17 00:00:00 2001
From: Andreas Glashauser
Date: Tue, 1 Apr 2025 10:09:02 +0200
Subject: [PATCH] CHANGED: Prevent unnecessary state changes with unless checks
---
 .../split-gpg/split-gpg--configure-gpg.sls | 27 ++++++-
 user_salt/split-gpg/test | 0
 user_salt/split-ssh/split-ssh--configure.sls | 77 +++++++++++++++++--
 3 files changed, 92 insertions(+), 12 deletions(-)
 create mode 100644 user_salt/split-gpg/test
diff --git a/user_salt/split-gpg/split-gpg--configure-gpg.sls b/user_salt/split-gpg/split-gpg--configure-gpg.sls
index 6ac671c..58702e0 100644
--- a/user_salt/split-gpg/split-gpg--configure-gpg.sls
+++ b/user_salt/split-gpg/split-gpg--configure-gpg.sls
@@ -1,24 +1,43 @@ {% if grains['id'] not in ['dom0', 'template-split-gpg', 'app-split-gpg'] %} +{% set gpg_fingerprint = 'C1E78CE601392ABCC49072A0B204131BB15B20FE' %} + + +split-gpg--configure-cache-dir: + file.directory: + - name: /home/user/.cache + - user: user + - group: user + - mode: 755 + - makedirs: True split-gpg--configure-gpg-import-files: file.managed: - mode: 644 - names: - - /tmp/public-keys-export: + - /home/user/.cache/public-keys-export: - source: salt://split-gpg/files/public-keys-export - - /tmp/ownertrust-export: + - /home/user/.cache/ownertrust-export: - source: salt://split-gpg/files/ownertrust-export + - require: + - file: split-gpg--configure-cache-dir split-gpg--configure-public-keys-import: cmd.run: - - name: "su - user -c 'gpg --import /tmp/public-keys-export'" + - name: "su - user -c 'gpg --import /home/user/.cache/public-keys-export'" - require: - file: split-gpg--configure-gpg-import-files + - unless: su - user -c 'gpg --list-keys | grep -q {{ gpg_fingerprint }}' split-gpg--configure-ownertrust-import: cmd.run: - - name: "su - user -c 'gpg --import-ownertrust /tmp/ownertrust-export'" + - name: "su - user -c 'gpg --import-ownertrust /home/user/.cache/ownertrust-export'" + - runas: user - require: - file: split-gpg--configure-gpg-import-files + - unless: | + # Compare SHA256 hashes of current trust vs export file + CURRENT_HASH=$(su - user -c 'gpg --export-ownertrust | grep {{ gpg_fingerprint }} | sha256sum') + DESIRED_HASH=$(cat /home/user/.cache/ownertrust-export | grep {{ gpg_fingerprint }} | sha256sum) + [ "$CURRENT_HASH" = "$DESIRED_HASH" ] {% endif %}
diff --git a/user_salt/split-gpg/test b/user_salt/split-gpg/test
new file mode 100644
index 0000000..e69de29
diff --git a/user_salt/split-ssh/split-ssh--configure.sls b/user_salt/split-ssh/split-ssh--configure.sls
index 5206e53..d48a32c 100644
--- a/user_salt/split-ssh/split-ssh--configure.sls
+++ b/user_salt/split-ssh/split-ssh--configure.sls
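Review bot: The ownertrust state now sets `- runas: user` but both its `name` and its `unless` still wrap the gpg calls in `su - user -c`, so su is invoked from the unprivileged user rather than from root; where su requires authentication this fails non-interactively, and even where it does not the wrapper is redundant with `runas`. Drop the su wrapper once `runas` is set, e.g. `- name: gpg --import-ownertrust /home/user/.cache/ownertrust-export` and `CURRENT_HASH=$(gpg --export-ownertrust | grep {{ gpg_fingerprint }} | sha256sum)`, and give the public-keys import the same `runas: user` for consistency. The public-key `unless` greps the fingerprint out of human-readable `gpg --list-keys` output, which only works where that gpg version prints fingerprints by default; `gpg --with-colons --fingerprint --list-keys | grep -q '^fpr:.*{{ gpg_fingerprint }}'` is the stable form. Both `unless` checks key on a single fingerprint, so a change to any other key or trust entry in the export files will never be re-imported, and hashing the grepped line adds nothing over comparing it directly. The commit also adds an empty file user_salt/split-gpg/test, which looks accidental.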
@@ -14,6 +14,15 @@ split-ssh--configure-firewall: qvm-firewall q-ssh add accept 162.55.181.96/32 proto=tcp qvm-firewall q-ssh add accept 116.202.96.31/32 proto=tcp qvm-firewall q-ssh add drop + - unless: | + CURRENT=$(qvm-firewall --raw q-ssh list) + DESIRED=$(echo -e 'action=accept proto=tcp dst4=138.199.226.242/32 + action=accept proto=tcp dst4=162.55.181.96/32 + action=accept proto=tcp dst4=116.202.96.31/32 + action=drop') + [ "$CURRENT" = "$DESIRED" ] + - output_loglevel: quiet + {% elif grains['id'] == 'app-split-ssh' %} 
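Review bot: The new `unless` builds the expected rule list with `echo -e`, but Salt runs `unless` through the minion's default shell, normally /bin/sh, and on a Debian-based VM that is dash, whose echo does not implement `-e`; the comparison then never matches and the firewall rules are re-applied on every run, which defeats the point of the check. Use `DESIRED=$(printf '%s\n' 'action=accept proto=tcp dst4=138.199.226.242/32' 'action=accept proto=tcp dst4=162.55.181.96/32' 'action=accept proto=tcp dst4=116.202.96.31/32' 'action=drop')` instead, or add `- shell: /bin/bash` to the state. The exact format of `qvm-firewall --raw q-ssh list` output is assumed here and should be confirmed on the target, since any difference in field order or spacing likewise makes the check fall through to re-applying. The rule list is now written out twice (the add commands and the expected output), so every future change must be kept in sync in both places; rendering both from one Jinja list would remove that. `output_loglevel: quiet` suppresses the command output although firewall rules contain nothing sensitive, which makes a failed rule add harder to notice; the `cmd.run` state these lines belong to starts before the hunk.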
@@ -31,17 +40,69 @@ split-ssh--configure-template-split-ssh: - source: salt://split-ssh/files/qubes.SshAgent - mode: 755 -{% elif grains['id'] == 'app-ssh' %} +{% elif grains['id'] == 'app-ssh' or 'dev' in grains['id'] and 'template' not in grains['id'] %} +{% if grains['id'] == 'app-ssh' %} include: - split-gpg.split-gpg--configure-gpg +{% endif %} + +split-ssh--ensure-rclocal-exists: + file.managed: + - name: /rw/config/rc.local + - user: root + - group: root + - mode: 755 + - create: True + - replace: False + +split-ssh--configure-rclocal: + file.blockreplace: + - name: /rw/config/rc.local + - marker_start: "# {mark} SPLIT_SSH (SALT) - START" + - marker_end: "# {mark} SPLIT_SSH (SALT) - END" + - content: | + # SPLIT SSH CONFIGURATION >>> + # replace "vault" with your AppVM name which stores the ssh private key(s) + SSH_VAULT_VM="q-split-ssh" + + if [ "$SSH_VAULT_VM" != "" ]; then + export SSH_SOCK="/home/user/.SSH_AGENT_$SSH_VAULT_VM" + rm -f "$SSH_SOCK" + sudo -u user /bin/sh -c "umask 177 && exec socat 'UNIX-LISTEN:$SSH_SOCK,fork' 'EXEC:qrexec-client-vm $SSH_VAULT_VM qubes.SshAgent'" & + fi + # <<< SPLIT SSH CONFIGURATION + - append_if_not_found: True + - show_changes: True + - require: + - file: split-ssh--ensure-rclocal-exists + +split-ssh--ensure-bashrc-exists: + file.managed: + - name: /home/user/.bashrc + - user: root + - group: root + - mode: 644 + - create: True + - replace: False -split-ssh--configure-app-ssh: - file.append: - - names: - - /rw/config/rc.local: - - source: salt://split-ssh/files/rc.local - - /home/user/.bashrc: - - source: salt://split-ssh/files/bashrc +split-ssh--configure-bashrc: + file.blockreplace: + - name: /home/user/.bashrc + - marker_start: "# {mark} SPLIT_SSH (SALT) - START" + - marker_end: "# {mark} SPLIT_SSH (SALT) - END" + - content: | + # SPLIT SSH CONFIGURATION >>> + # replace "vault" with your AppVM name which stores the ssh private key(s) + SSH_VAULT_VM="q-split-ssh" + + if [ "$SSH_VAULT_VM" != "" ]; then + export 
SSH_AUTH_SOCK="/home/user/.SSH_AGENT_$SSH_VAULT_VM" + fi + # <<< SPLIT SSH CONFIGURATION + - append_if_not_found: True + - show_changes: True + - require: + - file: split-ssh--ensure-bashrc-exists {% endif %} -- 2.39.5
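Review bot: `split-ssh--ensure-bashrc-exists` manages /home/user/.bashrc with `- user: root` and `- group: root`; file.managed still enforces ownership when `replace: False`, so an existing user-owned .bashrc is chowned to root and the user can no longer edit their own shell startup file. It should be `- user: user` and `- group: user` (the rc.local stanza above it is correctly root-owned). The widened Jinja condition `grains['id'] == 'app-ssh' or 'dev' in grains['id'] and 'template' not in grains['id']` relies on `and` binding tighter than `or` and matches any VM whose name merely contains `dev`, so the split-ssh client setup is provisioned into every such VM; parenthesising the condition and matching on a prefix or an explicit list would make the intended scope obvious. The inline comment `# replace "vault" with your AppVM name which stores the ssh private key(s)` is stale now that Salt fixes the value to `q-split-ssh`; reword it to say the vault name is set here. The removed file.append sources `salt://split-ssh/files/rc.local` and `salt://split-ssh/files/bashrc` no longer appear to be referenced and can likely be deleted from the formula.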