From a029310d2225c0ad0beea9a71da6c7b08393f89b Mon Sep 17 00:00:00 2001 
From: Andreas Glashauser Date: Sun, 16 Mar 2025 17:20:10 +0100 Subject: [PATCH 1/1] Initial commit --- LICENSE | 9 ++ README.md | 5 + user_pillar/templates/init.sls | 7 + user_pillar/top.sls | 12 ++ .../archive/archive--create-app-qube.sls | 26 ++++ .../archive/archive--create-template.sls | 25 ++++ .../archive/archive--install-packages.sls | 9 ++ user_salt/archive/init.sls | 4 + user_salt/common/bash/files/conf | 3 + user_salt/common/bash/init.sls | 7 + .../common/darkmode/darkmode--configure.sls | 12 ++ .../darkmode/darkmode--install-packages.sls | 9 ++ user_salt/common/darkmode/files/darkmode.sh | 4 + user_salt/common/darkmode/files/environment | 1 + user_salt/common/darkmode/init.sls | 3 + .../disk-trimming--configure.sls | 11 ++ .../common/disk-trimming/files/trim-script | 2 + user_salt/common/disk-trimming/init.sls | 2 + user_salt/common/journald/files/journald.conf | 47 +++++++ user_salt/common/journald/init.sls | 2 + .../common/journald/journald--configure.sls | 4 + user_salt/common/kernel/files/sound-modules | 10 ++ .../common/kernel/kernel--disable-sound.sls | 7 + .../logrotate/files/force_hourly_log_cleanup | 8 ++ user_salt/common/logrotate/init.sls | 10 ++ .../files/debian-sources.list | 66 +++++++++ .../files/fedora-qubes-r4.repo | 38 +++++ .../files/qubes-dom0.repo | 43 ++++++ .../onionize-repositories/files/qubes-r4.list | 33 +++++ .../files/qubes-templates.repo | 42 ++++++ .../onionize-repositories/files/sources.list | 9 ++ .../common/onionize-repositories/init.sls | 10 ++ ...-repositories--debian-install-packages.sls | 8 ++ ...onize-repositories--debian-qubes-repos.sls | 13 ++ .../onionize-repositories--debian-repos.sls | 13 ++ .../onionize-repositories--debian.sls | 4 + .../onionize-repositories--domzero-repos.sls | 8 ++ ...e-repositories--domzero-template-repos.sls | 8 ++ .../onionize-repositories--domzero.sls | 3 + ...onize-repositories--fedora-qubes-repos.sls | 11 ++ .../onionize-repositories--fedora.sls | 2 + 
...epositories--whonix-debian-qubes-repos.sls | 11 ++ ...onionize-repositories--whonix-derivate.sls | 7 + .../onionize-repositories--whonix-repos.sls | 11 ++ .../onionize-repositories--whonix.sls | 5 + .../remove-unwanted--debian-packages.sls | 22 +++ ...move-unwanted--debian-systemd-services.sls | 15 ++ .../remove-unwanted--domzero-packages.sls | 11 ++ user_salt/common/xterm/files/Xresources | 7 + user_salt/common/xterm/init.sls | 10 ++ user_salt/common/xterm/xterm--configure.sls | 18 +++ .../default-dvm--create-template.sls | 26 ++++ .../default-dvm/default-dvm--qube-prefs.sls | 13 ++ user_salt/default-dvm/init.sls | 3 + .../default-mgmt-dvm--create-app-qube.sls | 18 +++ .../default-mgmt-dvm--create-template.sls | 27 ++++ .../default-mgmt-dvm--install-packages.sls | 10 ++ user_salt/default-mgmt-dvm/init.sls | 3 + user_salt/dev/dev--create-app-qube.sls | 21 +++ user_salt/dev/dev--create-template.sls | 26 ++++ user_salt/dev/dev--install-packages.sls | 14 ++ user_salt/dev/init.sls | 4 + .../mullvad-browser/files/mullvad-keyring.asc | 84 +++++++++++ user_salt/mullvad-browser/files/mullvad.list | 1 + user_salt/mullvad-browser/init.sls | 5 + .../mullvad-browser--configure-repos.sls | 11 ++ .../mullvad-browser--create-app-qube.sls | 21 +++ .../mullvad-browser--create-template.sls | 26 ++++ .../mullvad-browser--install-packages.sls | 13 ++ user_salt/mullvad-vpn/files/mullvad-dns.sh | 44 ++++++ .../mullvad-vpn/files/mullvad-keyring.asc | 84 +++++++++++ user_salt/mullvad-vpn/files/mullvad.list | 1 + .../files/qubes-firewall-user-script | 4 + user_salt/mullvad-vpn/files/rc.local | 1 + user_salt/mullvad-vpn/init.sls | 6 + .../mullvad-vpn--configure-repos.sls | 11 ++ .../mullvad-vpn--create-app-qubes.sls | 85 +++++++++++ .../mullvad-vpn--create-template.sls | 36 +++++ .../mullvad-vpn/mullvad-vpn--dns-config.sls | 18 +++ .../mullvad-vpn--install-packages.sls | 15 ++ user_salt/notes/init.sls | 4 + user_salt/notes/notes--create-app-qube.sls | 23 +++ 
user_salt/notes/notes--create-template.sls | 26 ++++ user_salt/notes/notes--install-packages.sls | 8 ++ user_salt/pwmanager/init.sls | 4 + .../pwmanager/pwmanager--create-app-qube.sls | 21 +++ .../pwmanager/pwmanager--create-template.sls | 25 ++++ .../pwmanager/pwmanager--install-packages.sls | 9 ++ user_salt/split-btc/init.sls | 5 + .../split-btc/split-btc--create-app-qubes.sls | 45 ++++++ .../split-btc/split-btc--create-qubes.sls | 39 +++++ .../split-btc/split-btc--create-templates.sls | 44 ++++++ .../split-btc/split-btc--install-packages.sls | 23 +++ .../split-gpg-legacy/files/gpg-split-domain | 1 + user_salt/split-gpg-legacy/init.sls | 5 + .../split-gpg-legacy--create-app-qube.sls | 21 +++ .../split-gpg-legacy--create-qube.sls | 21 +++ .../split-gpg-legacy--create-template.sls | 27 ++++ .../split-gpg-legacy--install-packages.sls | 11 ++ user_salt/split-gpg/files/30-user-gpg2.policy | 1 + user_salt/split-gpg/files/ownertrust-export | 3 + user_salt/split-gpg/files/public-keys-export | Bin 0 -> 411 bytes user_salt/split-gpg/init.sls | 6 + .../split-gpg/split-gpg--configure-gpg.sls | 24 ++++ .../split-gpg/split-gpg--configure-policy.sls | 8 ++ .../split-gpg/split-gpg--create-app-qube.sls | 21 +++ .../split-gpg/split-gpg--create-qube.sls | 21 +++ .../split-gpg/split-gpg--create-template.sls | 27 ++++ .../split-gpg/split-gpg--install-packages.sls | 19 +++ user_salt/split-ssh/files/50-ssh.policy | 2 + user_salt/split-ssh/files/bashrc | 9 ++ user_salt/split-ssh/files/qubes.SshAgent | 8 ++ user_salt/split-ssh/files/rc.local | 10 ++ user_salt/split-ssh/files/ssh-add.desktop | 4 + user_salt/split-ssh/init.sls | 6 + user_salt/split-ssh/split-ssh--configure.sls | 47 +++++++ .../split-ssh/split-ssh--create-app-qubes.sls | 43 ++++++ .../split-ssh/split-ssh--create-qubes.sls | 37 +++++ .../split-ssh/split-ssh--create-templates.sls | 44 ++++++ .../split-ssh/split-ssh--install-packages.sls | 25 ++++ user_salt/sys-audio/files/50-sys-audio.policy | 27 ++++ 
user_salt/sys-audio/init.sls | 6 + .../sys-audio/sys-audio--configure-policy.sls | 8 ++ .../sys-audio/sys-audio--create-app-qube.sls | 22 +++ .../sys-audio/sys-audio--create-sys-qube.sls | 25 ++++ .../sys-audio/sys-audio--create-template.sls | 26 ++++ .../sys-audio/sys-audio--install-packages.sls | 15 ++ user_salt/sys-firewall/init.sls | 5 + .../sys-firewall--configure-sys-qube.sls | 19 +++ .../sys-firewall--create-app-qube.sls | 19 +++ .../sys-firewall--create-template.sls | 26 ++++ .../sys-firewall--install-packages.sls | 10 ++ user_salt/sys-net/init.sls | 5 + .../sys-net/sys-net--configure-sys-qube.sls | 17 +++ .../sys-net/sys-net--create-app-qube.sls | 19 +++ .../sys-net/sys-net--create-template.sls | 26 ++++ .../sys-net/sys-net--install-packages.sls | 13 ++ user_salt/sys-usb/init.sls | 5 + .../sys-usb/sys-usb--configure-sys-qube.sls | 17 +++ .../sys-usb/sys-usb--create-app-qube.sls | 19 +++ .../sys-usb/sys-usb--create-template.sls | 26 ++++ .../sys-usb/sys-usb--install-packages.sls | 10 ++ user_salt/sys-whonix/init.sls | 2 + user_salt/sys-whonix/sys-whonix--prefs.sls | 17 +++ .../templates--install-debian-minimal.sls | 17 +++ .../templates--install-fedora-minimal.sls | 17 +++ .../templates--install-whonix-gw.sls | 17 +++ .../templates--install-whonix-ws.sls | 17 +++ user_salt/templates/versions.jinja | 3 + user_salt/top.sls | 133 ++++++++++++++++++ user_salt/whonix-workstation-dvm/init.sls | 2 + ...whonix-workstation-dvm--app-qube-prefs.sls | 17 +++ 152 files changed, 2632 insertions(+) create mode 100644 LICENSE create mode 100644 README.md create mode 100644 user_pillar/templates/init.sls create mode 100644 user_pillar/top.sls create mode 100644 user_salt/archive/archive--create-app-qube.sls create mode 100644 user_salt/archive/archive--create-template.sls create mode 100644 user_salt/archive/archive--install-packages.sls create mode 100644 user_salt/archive/init.sls create mode 100644 user_salt/common/bash/files/conf create mode 100644 
user_salt/common/bash/init.sls create mode 100644 user_salt/common/darkmode/darkmode--configure.sls create mode 100644 user_salt/common/darkmode/darkmode--install-packages.sls create mode 100644 user_salt/common/darkmode/files/darkmode.sh create mode 100644 user_salt/common/darkmode/files/environment create mode 100644 user_salt/common/darkmode/init.sls create mode 100644 user_salt/common/disk-trimming/disk-trimming--configure.sls create mode 100644 user_salt/common/disk-trimming/files/trim-script create mode 100644 user_salt/common/disk-trimming/init.sls create mode 100644 user_salt/common/journald/files/journald.conf create mode 100644 user_salt/common/journald/init.sls create mode 100644 user_salt/common/journald/journald--configure.sls create mode 100644 user_salt/common/kernel/files/sound-modules create mode 100644 user_salt/common/kernel/kernel--disable-sound.sls create mode 100644 user_salt/common/logrotate/files/force_hourly_log_cleanup create mode 100644 user_salt/common/logrotate/init.sls create mode 100644 user_salt/common/onionize-repositories/files/debian-sources.list create mode 100644 user_salt/common/onionize-repositories/files/fedora-qubes-r4.repo create mode 100644 user_salt/common/onionize-repositories/files/qubes-dom0.repo create mode 100644 user_salt/common/onionize-repositories/files/qubes-r4.list create mode 100644 user_salt/common/onionize-repositories/files/qubes-templates.repo create mode 100644 user_salt/common/onionize-repositories/files/sources.list create mode 100644 user_salt/common/onionize-repositories/init.sls create mode 100644 user_salt/common/onionize-repositories/onionize-repositories--debian-install-packages.sls create mode 100644 user_salt/common/onionize-repositories/onionize-repositories--debian-qubes-repos.sls create mode 100644 user_salt/common/onionize-repositories/onionize-repositories--debian-repos.sls create mode 100644 user_salt/common/onionize-repositories/onionize-repositories--debian.sls create mode 100644 
user_salt/common/onionize-repositories/onionize-repositories--domzero-repos.sls create mode 100644 user_salt/common/onionize-repositories/onionize-repositories--domzero-template-repos.sls create mode 100644 user_salt/common/onionize-repositories/onionize-repositories--domzero.sls create mode 100644 user_salt/common/onionize-repositories/onionize-repositories--fedora-qubes-repos.sls create mode 100644 user_salt/common/onionize-repositories/onionize-repositories--fedora.sls create mode 100644 user_salt/common/onionize-repositories/onionize-repositories--whonix-debian-qubes-repos.sls create mode 100644 user_salt/common/onionize-repositories/onionize-repositories--whonix-derivate.sls create mode 100644 user_salt/common/onionize-repositories/onionize-repositories--whonix-repos.sls create mode 100644 user_salt/common/onionize-repositories/onionize-repositories--whonix.sls create mode 100644 user_salt/common/remove-unwanted/remove-unwanted--debian-packages.sls create mode 100644 user_salt/common/remove-unwanted/remove-unwanted--debian-systemd-services.sls create mode 100644 user_salt/common/remove-unwanted/remove-unwanted--domzero-packages.sls create mode 100644 user_salt/common/xterm/files/Xresources create mode 100644 user_salt/common/xterm/init.sls create mode 100644 user_salt/common/xterm/xterm--configure.sls create mode 100644 user_salt/default-dvm/default-dvm--create-template.sls create mode 100644 user_salt/default-dvm/default-dvm--qube-prefs.sls create mode 100644 user_salt/default-dvm/init.sls create mode 100644 user_salt/default-mgmt-dvm/default-mgmt-dvm--create-app-qube.sls create mode 100644 user_salt/default-mgmt-dvm/default-mgmt-dvm--create-template.sls create mode 100644 user_salt/default-mgmt-dvm/default-mgmt-dvm--install-packages.sls create mode 100644 user_salt/default-mgmt-dvm/init.sls create mode 100644 user_salt/dev/dev--create-app-qube.sls create mode 100644 user_salt/dev/dev--create-template.sls create mode 100644 
user_salt/dev/dev--install-packages.sls create mode 100644 user_salt/dev/init.sls create mode 100644 user_salt/mullvad-browser/files/mullvad-keyring.asc create mode 100644 user_salt/mullvad-browser/files/mullvad.list create mode 100644 user_salt/mullvad-browser/init.sls create mode 100644 user_salt/mullvad-browser/mullvad-browser--configure-repos.sls create mode 100644 user_salt/mullvad-browser/mullvad-browser--create-app-qube.sls create mode 100644 user_salt/mullvad-browser/mullvad-browser--create-template.sls create mode 100644 user_salt/mullvad-browser/mullvad-browser--install-packages.sls create mode 100644 user_salt/mullvad-vpn/files/mullvad-dns.sh create mode 100644 user_salt/mullvad-vpn/files/mullvad-keyring.asc create mode 100644 user_salt/mullvad-vpn/files/mullvad.list create mode 100644 user_salt/mullvad-vpn/files/qubes-firewall-user-script create mode 100644 user_salt/mullvad-vpn/files/rc.local create mode 100644 user_salt/mullvad-vpn/init.sls create mode 100644 user_salt/mullvad-vpn/mullvad-vpn--configure-repos.sls create mode 100644 user_salt/mullvad-vpn/mullvad-vpn--create-app-qubes.sls create mode 100644 user_salt/mullvad-vpn/mullvad-vpn--create-template.sls create mode 100644 user_salt/mullvad-vpn/mullvad-vpn--dns-config.sls create mode 100644 user_salt/mullvad-vpn/mullvad-vpn--install-packages.sls create mode 100644 user_salt/notes/init.sls create mode 100644 user_salt/notes/notes--create-app-qube.sls create mode 100644 user_salt/notes/notes--create-template.sls create mode 100644 user_salt/notes/notes--install-packages.sls create mode 100644 user_salt/pwmanager/init.sls create mode 100644 user_salt/pwmanager/pwmanager--create-app-qube.sls create mode 100644 user_salt/pwmanager/pwmanager--create-template.sls create mode 100644 user_salt/pwmanager/pwmanager--install-packages.sls create mode 100644 user_salt/split-btc/init.sls create mode 100644 user_salt/split-btc/split-btc--create-app-qubes.sls create mode 100644 
user_salt/split-btc/split-btc--create-qubes.sls create mode 100644 user_salt/split-btc/split-btc--create-templates.sls create mode 100644 user_salt/split-btc/split-btc--install-packages.sls create mode 100644 user_salt/split-gpg-legacy/files/gpg-split-domain create mode 100644 user_salt/split-gpg-legacy/init.sls create mode 100644 user_salt/split-gpg-legacy/split-gpg-legacy--create-app-qube.sls create mode 100644 user_salt/split-gpg-legacy/split-gpg-legacy--create-qube.sls create mode 100644 user_salt/split-gpg-legacy/split-gpg-legacy--create-template.sls create mode 100644 user_salt/split-gpg-legacy/split-gpg-legacy--install-packages.sls create mode 100644 user_salt/split-gpg/files/30-user-gpg2.policy create mode 100644 user_salt/split-gpg/files/ownertrust-export create mode 100644 user_salt/split-gpg/files/public-keys-export create mode 100644 user_salt/split-gpg/init.sls create mode 100644 user_salt/split-gpg/split-gpg--configure-gpg.sls create mode 100644 user_salt/split-gpg/split-gpg--configure-policy.sls create mode 100644 user_salt/split-gpg/split-gpg--create-app-qube.sls create mode 100644 user_salt/split-gpg/split-gpg--create-qube.sls create mode 100644 user_salt/split-gpg/split-gpg--create-template.sls create mode 100644 user_salt/split-gpg/split-gpg--install-packages.sls create mode 100644 user_salt/split-ssh/files/50-ssh.policy create mode 100644 user_salt/split-ssh/files/bashrc create mode 100644 user_salt/split-ssh/files/qubes.SshAgent create mode 100644 user_salt/split-ssh/files/rc.local create mode 100644 user_salt/split-ssh/files/ssh-add.desktop create mode 100644 user_salt/split-ssh/init.sls create mode 100644 user_salt/split-ssh/split-ssh--configure.sls create mode 100644 user_salt/split-ssh/split-ssh--create-app-qubes.sls create mode 100644 user_salt/split-ssh/split-ssh--create-qubes.sls create mode 100644 user_salt/split-ssh/split-ssh--create-templates.sls create mode 100644 user_salt/split-ssh/split-ssh--install-packages.sls create mode 100644 
user_salt/sys-audio/files/50-sys-audio.policy create mode 100644 user_salt/sys-audio/init.sls create mode 100644 user_salt/sys-audio/sys-audio--configure-policy.sls create mode 100644 user_salt/sys-audio/sys-audio--create-app-qube.sls create mode 100644 user_salt/sys-audio/sys-audio--create-sys-qube.sls create mode 100644 user_salt/sys-audio/sys-audio--create-template.sls create mode 100644 user_salt/sys-audio/sys-audio--install-packages.sls create mode 100644 user_salt/sys-firewall/init.sls create mode 100644 user_salt/sys-firewall/sys-firewall--configure-sys-qube.sls create mode 100644 user_salt/sys-firewall/sys-firewall--create-app-qube.sls create mode 100644 user_salt/sys-firewall/sys-firewall--create-template.sls create mode 100644 user_salt/sys-firewall/sys-firewall--install-packages.sls create mode 100644 user_salt/sys-net/init.sls create mode 100644 user_salt/sys-net/sys-net--configure-sys-qube.sls create mode 100644 user_salt/sys-net/sys-net--create-app-qube.sls create mode 100644 user_salt/sys-net/sys-net--create-template.sls create mode 100644 user_salt/sys-net/sys-net--install-packages.sls create mode 100644 user_salt/sys-usb/init.sls create mode 100644 user_salt/sys-usb/sys-usb--configure-sys-qube.sls create mode 100644 user_salt/sys-usb/sys-usb--create-app-qube.sls create mode 100644 user_salt/sys-usb/sys-usb--create-template.sls create mode 100644 user_salt/sys-usb/sys-usb--install-packages.sls create mode 100644 user_salt/sys-whonix/init.sls create mode 100644 user_salt/sys-whonix/sys-whonix--prefs.sls create mode 100644 user_salt/templates/templates--install-debian-minimal.sls create mode 100644 user_salt/templates/templates--install-fedora-minimal.sls create mode 100644 user_salt/templates/templates--install-whonix-gw.sls create mode 100644 user_salt/templates/templates--install-whonix-ws.sls create mode 100644 user_salt/templates/versions.jinja create mode 100644 user_salt/top.sls create mode 100644 user_salt/whonix-workstation-dvm/init.sls 
create mode 100644 user_salt/whonix-workstation-dvm/whonix-workstation-dvm--app-qube-prefs.sls
diff --git a/LICENSE b/LICENSE
new file mode 100644
index 0000000..d4d120a
--- /dev/null
+++ b/LICENSE
@@ -0,0 +1,9 @@
+# Released under MIT License
+
+Copyright (c) 2025 Andreas Glashauser.
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..2baf6b2
--- /dev/null
+++ b/README.md
@@ -0,0 +1,5 @@
+This repository contains my personal QubesOs SaltStack configuration states. You are welcome to use them as-is, or even better, draw inspiration from them for your own setup and adapt them to your needs.
+
+For detailed information on QubesOs SaltStack integration, please refer to the [official documentation](https://www.qubes-os.org/doc/salt/).
+
+If you encounter any issues, have questions, or require further clarification, feel free to contact me.
diff --git a/user_pillar/templates/init.sls b/user_pillar/templates/init.sls
new file mode 100644
index 0000000..02ea355
--- /dev/null
+++ b/user_pillar/templates/init.sls
@@ -0,0 +1,7 @@
+template:
+ debian:
+ - version: 12
+ fedora:
+ - version: 41
+ whonix:
+ - version: 17
diff --git a/user_pillar/top.sls b/user_pillar/top.sls
new file mode 100644
index 0000000..c759028
--- /dev/null
+++ b/user_pillar/top.sls
@@ -0,0 +1,12 @@
+# vim: set syntax=yaml ts=2 sw=2 sts=2 et :
+#
+
+# ===== User Defined Salt Pillars =============================================
+
+#user:
+# '*':
+# - custom
+
+user:
+ '*':
+ - templates
diff --git a/user_salt/archive/archive--create-app-qube.sls b/user_salt/archive/archive--create-app-qube.sls
new file mode 100644
index 0000000..fa7a2bc
--- /dev/null
+++ b/user_salt/archive/archive--create-app-qube.sls
@@ -0,0 +1,26 @@
+{% if grains['id'] == 'dom0' %}
+
+include:
+ - archive.archive--create-template
+
+archive--create-app-qube:
+ qvm.vm:
+ - name: q-archive
+ - present:
+ - template: template-archive
+ - label: black
+ - prefs:
+ - label: black
+ - guivm: dom0
+ - audiovm:
+ - netvm:
+ - features:
+ - set:
+ - menu-items: debian-xterm.desktop
+ - service:
+ - enable:
+ - shutdown-idle
+ - require:
+ - qvm: archive--create-template
+
+{% endif %}
diff --git a/user_salt/archive/archive--create-template.sls b/user_salt/archive/archive--create-template.sls
new file mode 100644
index 0000000..73688ff
--- /dev/null
+++ b/user_salt/archive/archive--create-template.sls
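Review bot: `label: black` is declared twice in archive--create-app-qube, once under `present` and again under `prefs`; on the create path the second copy is redundant and only has an effect when q-archive already exists with a different label. If enforcing the label on a pre-existing qube is intended, a one-line comment above the `prefs` entry saying so would make that explicit; otherwise drop the `prefs` copy. The empty `netvm:` and `audiovm:` entries read as deliberate isolation of the archive qube, and a short comment stating that would stop a later maintainer from "fixing" them.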
@@ -0,0 +1,25 @@
+{% import "templates/versions.jinja" as version %}
+
+include:
+ - templates.templates--install-debian-minimal
+
+{% if grains['id'] == 'dom0' %}
+
+archive--create-template:
+ qvm.clone:
+ - name: template-archive
+ - source: debian-{{ version.debian }}-minimal
+ - class: TemplateVM
+ - require:
+ - qvm: templates--install-debian-{{ version.debian }}-minimal
+
+archive--create-template-prefs:
+ qvm.prefs:
+ - name: template-archive
+ - audiovm:
+ - guivm: dom0
+ - netvm:
+ - require:
+ - qvm: archive--create-template
+
+{% endif %}
diff --git a/user_salt/archive/archive--install-packages.sls b/user_salt/archive/archive--install-packages.sls
new file mode 100644
index 0000000..1b210f7
--- /dev/null
+++ b/user_salt/archive/archive--install-packages.sls
@@ -0,0 +1,9 @@
+{% if grains['id'] == 'template-archive' %}
+
+archive--install-packages:
+ pkg.installed:
+ - refresh: True
+ - pkgs:
+ - qubes-app-shutdown-idle
+
+{% endif %}
diff --git a/user_salt/archive/init.sls b/user_salt/archive/init.sls
new file mode 100644
index 0000000..bf7351b
--- /dev/null
+++ b/user_salt/archive/init.sls
@@ -0,0 +1,4 @@
+include:
+ - archive.archive--create-template
+ - archive.archive--install-packages
+ - archive.archive--create-app-qube
diff --git a/user_salt/common/bash/files/conf b/user_salt/common/bash/files/conf
new file mode 100644
index 0000000..534784a
--- /dev/null
+++ b/user_salt/common/bash/files/conf
@@ -0,0 +1,3 @@
+#!/bin/bash
+export HISTSIZE=5
+export HISTFILESIZE=5
diff --git a/user_salt/common/bash/init.sls b/user_salt/common/bash/init.sls
new file mode 100644
index 0000000..9b2daa6
--- /dev/null
+++ b/user_salt/common/bash/init.sls
@@ -0,0 +1,7 @@
+bash--limit-bash-history:
+ file.managed:
+ - name: /etc/profile.d/limit_bash_history.sh
+ - source: salt://common/bash/files/conf
+ - mode: 755
+ - user: root
+ - group: root
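Review bot: The `include` of templates.templates--install-debian-minimal in archive--create-template.sls sits outside the `grains['id'] == 'dom0'` guard, whereas archive--create-app-qube.sls places its include inside the guard; on any non-dom0 minion this pulls the template-install state in for no reason, so moving the `include:` block below `{% if grains['id'] == 'dom0' %}` would make the two files consistent. The `require` names the state id `templates--install-debian-{{ version.debian }}-minimal`, which must match the id declared in the included file; that file is outside this hunk, so a comment noting that the id is built from `version.debian` would save the next reader a lookup.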
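Review bot: `export HISTFILESIZE=5` still leaves the last five commands in `~/.bash_history` on disk, so if the purpose of limit_bash_history.sh is to keep no persistent shell history the value should be `0` (or `unset HISTFILE`), with `HISTSIZE` kept small for the in-memory list. Files in /etc/profile.d are only sourced by login shells and run before the user's `~/.bashrc`, so a per-user file can silently restore a larger history; a comment stating the intended scope would make that limitation visible. The `#!/bin/bash` shebang is harmless but misleading, because the file is sourced rather than executed.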
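Review bot: `- mode: 755` in bash--limit-bash-history gives an executable bit to a file that is only sourced by the shell; `- mode: 644` is sufficient and keeps the state to the minimum permission needed. The same applies to darkmode.sh in darkmode--configure.sls and to the logrotate configuration managed by common/logrotate/init.sls, both plain configuration files; of the managed files in this commit only the cron script in disk-trimming genuinely needs to be executable.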
diff --git a/user_salt/common/darkmode/darkmode--configure.sls b/user_salt/common/darkmode/darkmode--configure.sls
new file mode 100644
index 0000000..b4b7b5d
--- /dev/null
+++ b/user_salt/common/darkmode/darkmode--configure.sls
@@ -0,0 +1,12 @@
+darkmode--configure-profile:
+ file.managed:
+ - name: /etc/profile.d/darkmode.sh
+ - source: salt://common/darkmode/files/darkmode.sh
+ - user: root
+ - group: root
+ - mode: 755
+
+darkmode--configure-environment:
+ file.append:
+ - name: /etc/environment
+ - source: salt://common/darkmode/files/environment
diff --git a/user_salt/common/darkmode/darkmode--install-packages.sls b/user_salt/common/darkmode/darkmode--install-packages.sls
new file mode 100644
index 0000000..07b174a
--- /dev/null
+++ b/user_salt/common/darkmode/darkmode--install-packages.sls
@@ -0,0 +1,9 @@
+{% if grains['id'] == 'dom0' %}
+
+darkmode--dom0-install-packages:
+ pkg.installed:
+ - refresh: True
+ - pkgs:
+ - qt5-qtstyleplugins
+
+{% endif %}
diff --git a/user_salt/common/darkmode/files/darkmode.sh b/user_salt/common/darkmode/files/darkmode.sh
new file mode 100644
index 0000000..e420f4b
--- /dev/null
+++ b/user_salt/common/darkmode/files/darkmode.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+export QT_QPA_PLATFORMTHEME=gtk2
+export QT_STYLE_OVERRIDE=Adwaita-dark
+export GTK_THEME=Adwaita:dark
diff --git a/user_salt/common/darkmode/files/environment b/user_salt/common/darkmode/files/environment
new file mode 100644
index 0000000..acaddfc
--- /dev/null
+++ b/user_salt/common/darkmode/files/environment
@@ -0,0 +1 @@
+QT_QPA_PLATFORMTHEME=gtk2
diff --git a/user_salt/common/darkmode/init.sls b/user_salt/common/darkmode/init.sls
new file mode 100644
index 0000000..a813d5d
--- /dev/null
+++ b/user_salt/common/darkmode/init.sls
@@ -0,0 +1,3 @@
+include:
+ - common.darkmode.darkmode--configure
+ - common.darkmode.darkmode--install-packages
diff --git a/user_salt/common/disk-trimming/disk-trimming--configure.sls b/user_salt/common/disk-trimming/disk-trimming--configure.sls
new file mode 100644
index 0000000..c6e03e0
--- /dev/null
+++ b/user_salt/common/disk-trimming/disk-trimming--configure.sls
@@ -0,0 +1,11 @@
+{% if grains['id'] == 'dom0' %}
+
+disk-trimming--configure-cron-trim:
+ file.managed:
+ - name: /etc/cron.hourly/trim
+ - source: salt://common/disk-trimming/files/trim-script
+ - user: root
+ - group: root
+ - mode: 755
+
+{% endif %}
diff --git a/user_salt/common/disk-trimming/files/trim-script b/user_salt/common/disk-trimming/files/trim-script
new file mode 100644
index 0000000..c5af92b
--- /dev/null
+++ b/user_salt/common/disk-trimming/files/trim-script
@@ -0,0 +1,2 @@
+#!/bin/bash
+/sbin/fstrim --all
diff --git a/user_salt/common/disk-trimming/init.sls b/user_salt/common/disk-trimming/init.sls
new file mode 100644
index 0000000..de9c916
--- /dev/null
+++ b/user_salt/common/disk-trimming/init.sls
@@ -0,0 +1,2 @@
+include:
+ - common.disk-trimming.disk-trimming--configure
diff --git a/user_salt/common/journald/files/journald.conf b/user_salt/common/journald/files/journald.conf
new file mode 100644
index 0000000..22da64f
--- /dev/null
+++ b/user_salt/common/journald/files/journald.conf
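Review bot: The hourly `/sbin/fstrim --all` installed by disk-trimming--configure-cron-trim only reaches the SSD if discards are passed through the dm-crypt and LVM layers, which as far as I can tell is not the default on a Qubes dom0 install (it needs the discard option on the LUKS mapping), so on a stock system this cron job may be a no-op; a comment in trim-script naming that prerequisite would help. Enabling discards through LUKS also has a privacy cost, since the free-block pattern of the encrypted volume becomes visible to anyone holding the raw device, so the trade-off is worth documenting next to the state rather than leaving it implicit. Hourly is also far more frequent than the weekly cadence of the stock fstrim.timer; unless there is a reason, `/etc/cron.weekly/trim` would do the same job with less churn.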
@@ -0,0 +1,47 @@
+# This file is part of systemd.
+#
+# systemd is free software; you can redistribute it and/or modify it under the
+# terms of the GNU Lesser General Public License as published by the Free
+# Software Foundation; either version 2.1 of the License, or (at your option)
+# any later version.
+#
+# Entries in this file show the compile time defaults. Local configuration
+# should be created by either modifying this file, or by creating "drop-ins" in
+# the journald.conf.d/ subdirectory. The latter is generally recommended.
+# Defaults can be restored by simply deleting this file and all drop-ins.
+#
+# Use 'systemd-analyze cat-config systemd/journald.conf' to display the full config.
+#
+# See journald.conf(5) for details.
+
+[Journal]
+Storage=none
+#Compress=yes
+#Seal=yes
+#SplitMode=uid
+#SyncIntervalSec=5m
+#RateLimitIntervalSec=30s
+#RateLimitBurst=10000
+#SystemMaxUse=
+#SystemKeepFree=
+#SystemMaxFileSize=
+#SystemMaxFiles=100
+#RuntimeMaxUse=
+#RuntimeKeepFree=
+#RuntimeMaxFileSize=
+#RuntimeMaxFiles=100
+#MaxRetentionSec=
+#MaxFileSec=1month
+#ForwardToSyslog=yes
+#ForwardToKMsg=no
+#ForwardToConsole=no
+#ForwardToWall=yes
+#TTYPath=/dev/console
+#MaxLevelStore=debug
+#MaxLevelSyslog=debug
+#MaxLevelKMsg=notice
+#MaxLevelConsole=info
+#MaxLevelWall=emerg
+#LineMax=48K
+#ReadKMsg=yes
+#Audit=no
diff --git a/user_salt/common/journald/init.sls b/user_salt/common/journald/init.sls
new file mode 100644
index 0000000..a07866d
--- /dev/null
+++ b/user_salt/common/journald/init.sls
@@ -0,0 +1,2 @@
+include:
+ - common.journald.journald--configure
diff --git a/user_salt/common/journald/journald--configure.sls b/user_salt/common/journald/journald--configure.sls
new file mode 100644
index 0000000..0e5a7c8
--- /dev/null
+++ b/user_salt/common/journald/journald--configure.sls
@@ -0,0 +1,4 @@
+journald--configure:
+ file.managed:
+ - name: /etc/systemd/journald.conf
+ - source: salt://common/journald/files/journald.conf
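Review bot: `Storage=none` in the `[Journal]` section discards every journal entry, which leaves nothing to consult when something breaks on the minion and removes the record an incident investigation would rely on. If the goal is only to keep logs from persisting across reboots, `Storage=volatile` keeps them in memory for the running session and gives the same on-disk result. Whichever is chosen, a comment above the line stating the intent (no persistence versus no logging at all) would make the setting reviewable, since the file is otherwise the stock systemd template and the one changed line is easy to miss.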
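Review bot: journald--configure replaces /etc/systemd/journald.conf but nothing restarts or reloads systemd-journald, so the new `Storage=` value only takes effect after a reboot or the next restart of the daemon; a `service.running` state for `systemd-journald` with `- watch: - file: journald--configure` would let the state converge in a single run. The state also sets no `user`, `group` or `mode`, unlike the other file.managed states in this commit, so the file inherits whatever Salt's defaults are; declaring `- mode: 644` with `- user: root` and `- group: root` makes the result explicit and consistent.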
diff --git a/user_salt/common/kernel/files/sound-modules b/user_salt/common/kernel/files/sound-modules
new file mode 100644
index 0000000..664dd91
--- /dev/null
+++ b/user_salt/common/kernel/files/sound-modules
@@ -0,0 +1,10 @@
+blacklist snd
+blacklist snd_timer
+blacklist snd_seq_device
+blacklist snd_seq
+blacklist snd_hrtimer
+blacklist snd_seq_dummy
+blacklist snd_pcm
+blacklist soundcore
+blacklist pcspkr
+blacklist snd_pcsp
diff --git a/user_salt/common/kernel/kernel--disable-sound.sls b/user_salt/common/kernel/kernel--disable-sound.sls
new file mode 100644
index 0000000..85d2b19
--- /dev/null
+++ b/user_salt/common/kernel/kernel--disable-sound.sls
@@ -0,0 +1,7 @@
+{% if grains['id'] != 'dom0' %}
+
+/etc/modprobe.d/blacklist.conf:
+ file.append:
+ - source: salt://common/kernel/files/sound-modules
+
+{% endif %}
diff --git a/user_salt/common/logrotate/files/force_hourly_log_cleanup b/user_salt/common/logrotate/files/force_hourly_log_cleanup
new file mode 100644
index 0000000..702e88f
--- /dev/null
+++ b/user_salt/common/logrotate/files/force_hourly_log_cleanup
@@ -0,0 +1,8 @@
+/var/log/*log /var/log/**/*log {
+ hourly
+ missingok
+ rotate 1
+ size 1k
+ copytruncate
+ create 0644 root root
+}
diff --git a/user_salt/common/logrotate/init.sls b/user_salt/common/logrotate/init.sls
new file mode 100644
index 0000000..1a90ab1
--- /dev/null
+++ b/user_salt/common/logrotate/init.sls
@@ -0,0 +1,10 @@
+{% if grains['id'] == 'dom0' %}
+
+/etc/logrotate.d/force_hourly_log_cleanup:
+ file.managed:
+ - source: salt://common/logrotate/files/force_hourly_log_cleanup
+ - mode: 755
+ - user: root
+ - group: root
+
+{% endif %}
diff --git a/user_salt/common/onionize-repositories/files/debian-sources.list b/user_salt/common/onionize-repositories/files/debian-sources.list
new file mode 100644
index 0000000..d0c9e23
--- /dev/null
+++ b/user_salt/common/onionize-repositories/files/debian-sources.list
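Review bot: The `blacklist` entries appended to /etc/modprobe.d/blacklist.conf by kernel--disable-sound only stop the sound modules from being auto-loaded through their aliases; a module is still loaded when another module depends on it or when something calls modprobe on it by name, so this does not hard-disable sound. The conventional way to make a module unloadable is an `install <module> /bin/false` line per module alongside the blacklist entry, with a comment explaining the difference. Using `file.append` also means that if an entry is later removed from sound-modules it stays on the minion forever; a `file.managed` state on a dedicated `/etc/modprobe.d/disable-sound.conf` would keep the whole file under Salt's control.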
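Review bot: `create 0644 root root` has no effect next to `copytruncate` in force_hourly_log_cleanup, because copytruncate keeps the original file in place and never creates a new one, so one of the two directives should go. As far as I know logrotate expands its patterns with glob(3), where `**` is not recursive and behaves like a plain `*`, so `/var/log/**/*log` matches only one level of subdirectory; if deeper directories are intended each depth needs its own pattern. `rotate 1` combined with `size 1k` and an hourly run means dom0 logs are effectively gone after an hour, which removes what an incident investigation would need, so a comment at the top of the file stating that this is a deliberate privacy choice would be appropriate.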
@@ -0,0 +1,66 @@
+## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP
+## See the file COPYING for copying conditions.
+
+## This is a default sources.list for Anonymity Linux Distributions,
+## which are derivatives of Debian.
+
+## If you want to see the example, which came with the upstream
+## distribution, see: /usr/share/doc/apt/examples/sources.list
+
+## Instead of directly editing this file,
+## the user is advised to create the following file:
+## /etc/apt/sources.list.d/user.list
+## This is because when this package gets updated,
+## /etc/apt/sources.list.d/debian.list will be overwritten and may receive new
+## new default values and comments. The entire folder /etc/apt/sources.list.d/
+## gets scanned for additional sources.list files by apt-get.
+## The user may keep their settings even after updating this package.
+##
+## Without graphical user interface, you can use for example:
+## sudoedit /etc/apt/sources.list.d/user.list
+## With graphical user interface (Xfce), you can use for example:
+## gsudoedit /etc/apt/sources.list.d/user.list
+
+#deb tor+https://deb.debian.org/debian bookworm main contrib non-free non-free-firmware
+#deb tor+https://deb.debian.org/debian bookworm-updates main contrib non-free non-free-firmware
+#deb tor+https://deb.debian.org/debian-security bookworm-security main contrib non-free non-free-firmware
+#deb tor+https://deb.debian.org/debian bookworm-backports main contrib non-free non-free-firmware
+deb tor+https://fasttrack.debian.net/debian bookworm-fasttrack main contrib non-free
+
+deb tor+http://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion/debian bookworm main contrib non-free non-free-firmware
+deb tor+http://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion/debian bookworm-updates main contrib non-free non-free-firmware
+deb tor+http://5ajw6aqf3ep7sijnscdzw77t7xq4xjpsy335yb2wiwgouo7yfxtjlmid.onion/debian-security bookworm-security main contrib non-free non-free-firmware
+deb tor+http://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion/debian bookworm-backports main contrib non-free non-free-firmware
+## No onion for fasttrack yet: https://salsa.debian.org/fasttrack-team/support/-/issues/27
+
+####
+
+#deb-src tor+https://deb.debian.org/debian bookworm main contrib non-free non-free-firmware
+#deb-src tor+https://deb.debian.org/debian bookworm-updates main contrib non-free non-free-firmware
+#deb-src tor+https://deb.debian.org/debian-security bookworm-security main contrib non-free non-free-firmware
+#deb-src tor+https://deb.debian.org/debian bookworm-backports main contrib non-free non-free-firmware
+#deb-src tor+https://fasttrack.debian.net/debian bookworm-fasttrack main contrib non-free
+
+#deb-src tor+http://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion/debian bookworm main contrib non-free non-free-firmware
+#deb-src tor+http://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion/debian bookworm-updates main contrib non-free non-free-firmware
+#deb-src tor+http://5ajw6aqf3ep7sijnscdzw77t7xq4xjpsy335yb2wiwgouo7yfxtjlmid.onion/debian-security bookworm-security main contrib non-free non-free-firmware
+#deb-src tor+http://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion/debian bookworm-backports main contrib non-free
+## No onion for fasttrack yet: https://salsa.debian.org/fasttrack-team/support/-/issues/27
+
+#### meta start
+#### project Whonix and Kicksecure
+#### category networking and apt
+#### description
+## Debian APT repository sources.list
+##
+## Configured to use tor+https.
+##
+## Technical notes:
+## - Why are sources (deb-src) disabled by default?
+## Because those are not required by most users, to save time while
+## running sudo apt update.
+## - See also: https://www.debian.org/security/
+## - See also: /etc/apt/sources.list.d/
+## - Same format as https://onion.debian.org
+## - https://fasttrack.debian.net/
+#### meta end
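Review bot: The trailer still says `## Configured to use tor+https.`, but in this copy the enabled `deb` lines point at `tor+http://…onion` mirrors and only fasttrack uses tor+https, so the description no longer matches the file; `## Configured to use tor+http onion mirrors (fasttrack via tor+https).` would be accurate. The commented backports `deb-src` onion line is the only entry without `non-free-firmware`, a drift from its `deb` counterpart that will surprise whoever uncomments it. For readers worried about the `http` scheme: a `.onion` address supplies transport authentication and encryption on its own, and apt still verifies the Release signatures, so this is not a downgrade from tor+https.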
diff --git a/user_salt/common/onionize-repositories/files/fedora-qubes-r4.repo b/user_salt/common/onionize-repositories/files/fedora-qubes-r4.repo
new file mode 100644
index 0000000..4306a68
--- /dev/null
+++ b/user_salt/common/onionize-repositories/files/fedora-qubes-r4.repo
@@ -0,0 +1,38 @@
+[qubes-vm-r4.2-current]
+name = Qubes OS Repository for VM (updates)
+baseurl = https://yum.qubes-os.org/r4.2/current/vm/fc$releasever
+#baseurl = http://yum.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r4.2/current/vm/fc$releasever
+gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-qubes-4.2-primary
+skip_if_unavailable=False
+gpgcheck = 1
+repo_gpgcheck = 1
+enabled=1
+
+[qubes-vm-r4.2-current-testing]
+name = Qubes OS Repository for VM (updates-testing)
+baseurl = https://yum.qubes-os.org/r4.2/current-testing/vm/fc$releasever
+#baseurl = http://yum.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r4.2/current-testing/vm/fc$releasever
+gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-qubes-4.2-primary
+skip_if_unavailable=False
+gpgcheck = 1
+repo_gpgcheck = 1
+enabled=0
+
+[qubes-vm-r4.2-security-testing]
+name = Qubes OS Repository for VM (security-testing)
+baseurl = https://yum.qubes-os.org/r4.2/security-testing/vm/fc$releasever
+#baseurl = http://yum.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r4.2/security-testing/vm/fc$releasever
+gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-qubes-4.2-primary
+skip_if_unavailable=False
+gpgcheck = 1
+repo_gpgcheck = 1
+enabled=0
+
+[qubes-vm-r4.2-unstable]
+name = Qubes OS Repository for VM (unstable)
+baseurl = https://yum.qubes-os.org/r4.2/unstable/vm/fc$releasever
+#baseurl = http://yum.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r4.2/unstable/vm/fc$releasever
+gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-qubes-4.2-unstable
+gpgcheck = 1
+repo_gpgcheck = 1
+enabled=0
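Review bot: Every section of fedora-qubes-r4.repo keeps the clearnet `baseurl = https://yum.qubes-os.org/…` active and the `.onion` `baseurl` commented out, so despite the state being named `onionize-repositories--fedora-qubes-repos` Fedora qubes still fetch Qubes updates over clearnet; qubes-dom0.repo, qubes-r4.list and qubes-templates.repo in this commit have the same shape. If onion routing is the intent, swap the comment markers on each `baseurl` pair (dom0 additionally needs an UpdateVM that can reach `.onion` addresses); if not, a header comment should state that these files only pin the repository definitions. `[qubes-vm-r4.2-unstable]` is also the only section without `skip_if_unavailable=False`, which is worth aligning with the other three.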
diff --git a/user_salt/common/onionize-repositories/files/qubes-dom0.repo b/user_salt/common/onionize-repositories/files/qubes-dom0.repo
new file mode 100644
index 0000000..9db8994
--- /dev/null
+++ b/user_salt/common/onionize-repositories/files/qubes-dom0.repo
@@ -0,0 +1,43 @@
+[qubes-dom0-current]
+name = Qubes Host Repository (updates)
+baseurl = https://yum.qubes-os.org/r$releasever/current/host/fc37
+#baseurl = http://yum.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r$releasever/current/host/fc37
+#metalink = https://yum.qubes-os.org/r$releasever/current/host/fc37/repodata/repomd.xml.metalink
+skip_if_unavailable=False
+enabled = 1
+metadata_expire = 6h
+gpgcheck = 1
+gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-qubes-$releasever-primary
+
+[qubes-dom0-current-testing]
+name = Qubes Host Repository (updates-testing)
+baseurl = https://yum.qubes-os.org/r$releasever/current-testing/host/fc37
+#baseurl = http://yum.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r$releasever/current-testing/host/fc37
+#metalink = https://yum.qubes-os.org/r$releasever/current-testing/host/fc37/repodata/repomd.xml.metalink
+skip_if_unavailable=False
+enabled = 0
+metadata_expire = 6h
+gpgcheck = 1
+gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-qubes-$releasever-primary
+
+[qubes-dom0-security-testing]
+name = Qubes Host Repository (security-testing)
+baseurl = https://yum.qubes-os.org/r$releasever/security-testing/host/fc37
+#baseurl = http://yum.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r$releasever/security-testing/host/fc37
+#metalink = https://yum.qubes-os.org/r$releasever/security-testing/host/fc37/repodata/repomd.xml.metalink
+skip_if_unavailable=False
+enabled = 0
+metadata_expire = 6h
+gpgcheck = 1
+gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-qubes-$releasever-primary
+
+[qubes-dom0-unstable]
+name = Qubes Host Repository (unstable)
+baseurl = https://yum.qubes-os.org/r$releasever/unstable/host/fc37
+#baseurl = http://yum.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r$releasever/unstable/host/fc37
+#metalink = https://yum.qubes-os.org/r$releasever/unstable/host/fc37/repodata/repomd.xml.metalink
+skip_if_unavailable=False
+enabled = 0
+gpgcheck = 1
+gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-qubes-$releasever-unstable
+
diff --git a/user_salt/common/onionize-repositories/files/qubes-r4.list b/user_salt/common/onionize-repositories/files/qubes-r4.list
new file mode 100644
index 0000000..3e571a7
--- /dev/null
+++ b/user_salt/common/onionize-repositories/files/qubes-r4.list
@@ -0,0 +1,33 @@
+# Main qubes updates repository
+deb [arch=amd64 signed-by=/usr/share/keyrings/qubes-archive-keyring-4.2.gpg ] https://deb.qubes-os.org/r4.2/vm bookworm main
+#deb-src [arch=amd64 signed-by=/usr/share/keyrings/qubes-archive-keyring-4.2.gpg ] https://deb.qubes-os.org/r4.2/vm bookworm main
+
+# Qubes updates candidates repository
+#deb [arch=amd64 signed-by=/usr/share/keyrings/qubes-archive-keyring-4.2.gpg] https://deb.qubes-os.org/r4.2/vm bookworm-testing main
+#deb-src [arch=amd64 signed-by=/usr/share/keyrings/qubes-archive-keyring-4.2.gpg ] https://deb.qubes-os.org/r4.2/vm bookworm-testing main
+
+# Qubes security updates testing repository
+#deb [arch=amd64 signed-by=/usr/share/keyrings/qubes-archive-keyring-4.2.gpg] https://deb.qubes-os.org/r4.2/vm bookworm-securitytesting main
+#deb-src [arch=amd64 signed-by=/usr/share/keyrings/qubes-archive-keyring-4.2.gpg ] https://deb.qubes-os.org/r4.2/vm bookworm-securitytesting main
+
+# Qubes experimental/unstable repository
+#deb [arch=amd64 signed-by=/usr/share/keyrings/qubes-archive-keyring-4.2.gpg] https://deb.qubes-os.org/r4.2/vm bookworm-unstable main
+#deb-src [arch=amd64 signed-by=/usr/share/keyrings/qubes-archive-keyring-4.2.gpg ] https://deb.qubes-os.org/r4.2/vm bookworm-unstable main
+
+
+# Qubes Tor updates repositories
+# Main qubes updates repository
+#deb [arch=amd64 signed-by=/usr/share/keyrings/qubes-archive-keyring-4.2.gpg] tor+http://deb.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r4.2/vm bookworm main
+#deb-src [arch=amd64 signed-by=/usr/share/keyrings/qubes-archive-keyring-4.2.gpg ] tor+http://deb.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r4.2/vm bookworm main
+
+# Qubes updates candidates repository
+#deb [arch=amd64 signed-by=/usr/share/keyrings/qubes-archive-keyring-4.2.gpg] tor+http://deb.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r4.2/vm bookworm-testing main
+#deb-src [arch=amd64 signed-by=/usr/share/keyrings/qubes-archive-keyring-4.2.gpg ] tor+http://deb.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r4.2/vm bookworm-testing main
+
+# Qubes security updates testing repository
+#deb [arch=amd64 signed-by=/usr/share/keyrings/qubes-archive-keyring-4.2.gpg] tor+http://deb.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r4.2/vm bookworm-securitytesting main
+#deb-src [arch=amd64 signed-by=/usr/share/keyrings/qubes-archive-keyring-4.2.gpg ] tor+http://deb.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r4.2/vm bookworm-securitytesting main
+
+# Qubes experimental/unstable repository
+#deb [arch=amd64 signed-by=/usr/share/keyrings/qubes-archive-keyring-4.2.gpg] tor+http://deb.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r4.2/vm bookworm-unstable main
+#deb-src [arch=amd64 signed-by=/usr/share/keyrings/qubes-archive-keyring-4.2.gpg ] tor+http://deb.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r4.2/vm bookworm-unstable main
diff --git a/user_salt/common/onionize-repositories/files/qubes-templates.repo b/user_salt/common/onionize-repositories/files/qubes-templates.repo
new file mode 100644
index 0000000..76c8fe0
--- /dev/null
+++ b/user_salt/common/onionize-repositories/files/qubes-templates.repo
@@ -0,0 +1,42 @@
+[qubes-templates-itl]
+name = Qubes Templates repository
+baseurl = https://yum.qubes-os.org/r$releasever/templates-itl
+#baseurl = http://yum.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r$releasever/templates-itl
+#metalink = https://yum.qubes-os.org/r$releasever/templates-itl/repodata/repomd.xml.metalink
+enabled = 1
+fastestmirror = 1
+metadata_expire = 7d
+gpgcheck = 1
+gpgkey = file:///etc/qubes/repo-templates/keys/RPM-GPG-KEY-qubes-$releasever-primary
+
+[qubes-templates-itl-testing]
+name = Qubes Templates repository
+baseurl = https://yum.qubes-os.org/r$releasever/templates-itl-testing
+#baseurl = http://yum.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r$releasever/templates-itl-testing
+#metalink = https://yum.qubes-os.org/r$releasever/templates-itl-testing/repodata/repomd.xml.metalink
+enabled = 0
+fastestmirror = 1
+gpgcheck = 1
+gpgkey = file:///etc/qubes/repo-templates/keys/RPM-GPG-KEY-qubes-$releasever-primary
+
+[qubes-templates-community]
+name = Qubes Community Templates repository
+baseurl = https://yum.qubes-os.org/r$releasever/templates-community
+#baseurl = http://yum.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r$releasever/templates-community
+#metalink = https://yum.qubes-os.org/r$releasever/templates-community/repodata/repomd.xml.metalink
+enabled = 0
+fastestmirror = 1
+metadata_expire = 7d
+gpgcheck = 1
+gpgkey = file:///etc/qubes/repo-templates/keys/RPM-GPG-KEY-qubes-$releasever-templates-community
+
+[qubes-templates-community-testing]
+name = Qubes Community Templates repository
+baseurl = https://yum.qubes-os.org/r$releasever/templates-community-testing
+#baseurl = http://yum.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r$releasever/templates-community-testing
+#metalink = https://yum.qubes-os.org/r$releasever/templates-community-testing/repodata/repomd.xml.metalink
+enabled = 0
+fastestmirror = 1
+gpgcheck = 1
+gpgkey = file:///etc/qubes/repo-templates/keys/RPM-GPG-KEY-qubes-$releasever-templates-community
+
diff --git a/user_salt/common/onionize-repositories/files/sources.list b/user_salt/common/onionize-repositories/files/sources.list
new file mode 100644
index 0000000..deaa02c
--- /dev/null
+++ b/user_salt/common/onionize-repositories/files/sources.list
@@ -0,0 +1,9 @@
+#deb https://deb.debian.org/debian bookworm main contrib non-free
+deb tor+http://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion/debian bookworm main contrib non-free non-free-firmware
+
+#deb https://deb.debian.org/debian-security bookworm-security main contrib non-free
+deb tor+http://5ajw6aqf3ep7sijnscdzw77t7xq4xjpsy335yb2wiwgouo7yfxtjlmid.onion bookworm-security main contrib non-free non-free-firmware
+
+#Optional Backports
+#deb https://deb.debian.org/debian bookworm-backports main contrib non-free
+deb tor+http://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion/debian bookworm-backports main contrib non-free non-free-firmware
diff --git a/user_salt/common/onionize-repositories/init.sls b/user_salt/common/onionize-repositories/init.sls
new file mode 100644
index 0000000..d61dd12
--- /dev/null
+++ b/user_salt/common/onionize-repositories/init.sls
@@ -0,0 +1,10 @@
+include:
+  - common.onionize-repositories.onionize-repositories--debian-install-packages
+  - common.onionize-repositories.onionize-repositories--debian-qubes-repos
+  - common.onionize-repositories.onionize-repositories--debian-repos
+  - common.onionize-repositories.onionize-repositories--domzero-repos
+  - common.onionize-repositories.onionize-repositories--domzero-template-repos
+  - common.onionize-repositories.onionize-repositories--fedora-qubes-repos
+  - common.onionize-repositories.onionize-repositories--whonix-debian-qubes-repos
+  - common.onionize-repositories.onionize-repositories--whonix-derivate
+  - common.onionize-repositories.onionize-repositories--whonix-repos
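Review bot: The enabled security line in sources.list, `deb tor+http://5ajw…onion bookworm-security …`, has no path component, while debian-sources.list in this same commit addresses the same onion host as `…onion/debian-security`; if the onion mirrors security.debian.org's layout, apt will fail to fetch the bookworm-security index and these qubes will run without security updates while `apt update` reports an error that is easy to ignore. The fix is the one line `deb tor+http://5ajw6aqf3ep7sijnscdzw77t7xq4xjpsy335yb2wiwgouo7yfxtjlmid.onion/debian-security bookworm-security main contrib non-free non-free-firmware`. The commented clearnet lines also lack `non-free-firmware` while the enabled onion lines carry it, so falling back to them would silently drop a component.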
diff --git a/user_salt/common/onionize-repositories/onionize-repositories--debian-install-packages.sls b/user_salt/common/onionize-repositories/onionize-repositories--debian-install-packages.sls
new file mode 100644
index 0000000..f16602e
--- /dev/null
+++ b/user_salt/common/onionize-repositories/onionize-repositories--debian-install-packages.sls
@@ -0,0 +1,8 @@
+{% if grains['os'] == 'Debian' and 'whonix' not in grains['id'] %}
+
+onionize-repositories--debian-install-packages:
+  pkg.installed:
+    - pkgs:
+      - apt-transport-tor
+
+{% endif %}
diff --git a/user_salt/common/onionize-repositories/onionize-repositories--debian-qubes-repos.sls b/user_salt/common/onionize-repositories/onionize-repositories--debian-qubes-repos.sls
new file mode 100644
index 0000000..b87f2d8
--- /dev/null
+++ b/user_salt/common/onionize-repositories/onionize-repositories--debian-qubes-repos.sls
@@ -0,0 +1,13 @@
+{% if grains['os'] == 'Debian' and 'whonix' not in grains['id'] %}
+
+onionize-repositories--debian-qubes-repo:
+  file.managed:
+    - name: /etc/apt/sources.list.d/qubes-r4.list
+    - source: salt://common/onionize-repositories/files/qubes-r4.list
+    - user: root
+    - group: root
+    - mode: 600
+    - require:
+      - pkg: onionize-repositories--debian-install-packages
+
+{% endif %}
diff --git a/user_salt/common/onionize-repositories/onionize-repositories--debian-repos.sls b/user_salt/common/onionize-repositories/onionize-repositories--debian-repos.sls
new file mode 100644
index 0000000..f5ba0de
--- /dev/null
+++ b/user_salt/common/onionize-repositories/onionize-repositories--debian-repos.sls
@@ -0,0 +1,13 @@
+{% if grains['os'] == 'Debian' and 'whonix' not in grains['id'] %}
+
+onionize-repositories--debian-repos:
+  file.managed:
+    - name: /etc/apt/sources.list
+    - source: salt://common/onionize-repositories/files/sources.list
+    - user: root
+    - group: root
+    - mode: 600
+    - require:
+      - pkg: onionize-repositories--debian-install-packages
+
+{% endif %}
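Review bot: `- mode: 600` on `/etc/apt/sources.list` (and on `/etc/apt/sources.list.d/qubes-r4.list` in the hunk above, and again in onionize-repositories--whonix-debian-qubes-repos.sls and onionize-repositories--whonix-repos.sls) hides the repository list from unprivileged users; root-run `apt-get update` is unaffected, but as far as I know unprivileged invocations such as `apt list` or `apt-cache policy` fail with a permission error on the sources file, which makes the configuration harder to audit from the `user` account. The files contain only onion URLs and no credentials, so `- mode: 644` is the conventional setting. The `'whonix' not in grains['id']` guard also keys off the qube name rather than an OS or feature grain, so a non-Whonix qube whose name happens to contain `whonix` is skipped; a comment stating that assumption (`{# qube names are used to detect Whonix-based templates #}`) would help the next reader.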
diff --git a/user_salt/common/onionize-repositories/onionize-repositories--debian.sls b/user_salt/common/onionize-repositories/onionize-repositories--debian.sls
new file mode 100644
index 0000000..c3b5562
--- /dev/null
+++ b/user_salt/common/onionize-repositories/onionize-repositories--debian.sls
@@ -0,0 +1,4 @@
+include:
+  - common.onionize-repositories.onionize-repositories--debian-install-packages
+  - common.onionize-repositories.onionize-repositories--debian-repos
+  - common.onionize-repositories.onionize-repositories--debian-qubes-repos
diff --git a/user_salt/common/onionize-repositories/onionize-repositories--domzero-repos.sls b/user_salt/common/onionize-repositories/onionize-repositories--domzero-repos.sls
new file mode 100644
index 0000000..9ad4b1d
--- /dev/null
+++ b/user_salt/common/onionize-repositories/onionize-repositories--domzero-repos.sls
@@ -0,0 +1,8 @@
+{% if grains['id'] == 'dom0' %}
+
+onionize-repositories--dom0-repos:
+  file.managed:
+    - name: /etc/yum.repos.d/qubes-dom0.repo
+    - source: salt://common/onionize-repositories/files/qubes-dom0.repo
+
+{% endif %}
diff --git a/user_salt/common/onionize-repositories/onionize-repositories--domzero-template-repos.sls b/user_salt/common/onionize-repositories/onionize-repositories--domzero-template-repos.sls
new file mode 100644
index 0000000..09c0244
--- /dev/null
+++ b/user_salt/common/onionize-repositories/onionize-repositories--domzero-template-repos.sls
@@ -0,0 +1,8 @@
+{% if grains['id'] == 'dom0' %}
+
+onionize-repositories--domzero-template-repos:
+  file.managed:
+    - name: /etc/qubes/repo-templates/qubes-templates.repo
+    - source: salt://common/onionize-repositories/files/qubes-templates.repo
+
+{% endif %}
diff --git a/user_salt/common/onionize-repositories/onionize-repositories--domzero.sls b/user_salt/common/onionize-repositories/onionize-repositories--domzero.sls
new file mode 100644
index 0000000..aa38df0
--- /dev/null
+++ b/user_salt/common/onionize-repositories/onionize-repositories--domzero.sls
@@ -0,0 +1,3 @@
+include:
+  - common.onionize-repositories.onionize-repositories--domzero-repos
+  - common.onionize-repositories.onionize-repositories--domzero-template-repos
diff --git a/user_salt/common/onionize-repositories/onionize-repositories--fedora-qubes-repos.sls b/user_salt/common/onionize-repositories/onionize-repositories--fedora-qubes-repos.sls
new file mode 100644
index 0000000..8b41292
--- /dev/null
+++ b/user_salt/common/onionize-repositories/onionize-repositories--fedora-qubes-repos.sls
@@ -0,0 +1,11 @@
+{% if grains['id'] != 'dom0' and grains['os'] == 'Fedora' %}
+
+onionize-repositories--fedora-qubes-repos:
+  file.managed:
+    - name: /etc/yum.repos.d/qubes-r4.repo
+    - source: salt://common/onionize-repositories/files/fedora-qubes-r4.repo
+    - user: root
+    - group: root
+    - mode: 600
+
+{% endif %}
diff --git a/user_salt/common/onionize-repositories/onionize-repositories--fedora.sls b/user_salt/common/onionize-repositories/onionize-repositories--fedora.sls
new file mode 100644
index 0000000..9aed9ac
--- /dev/null
+++ b/user_salt/common/onionize-repositories/onionize-repositories--fedora.sls
@@ -0,0 +1,2 @@
+include:
+  - common.onionize-repositories.onionize-repositories--fedora-qubes-repos
diff --git a/user_salt/common/onionize-repositories/onionize-repositories--whonix-debian-qubes-repos.sls b/user_salt/common/onionize-repositories/onionize-repositories--whonix-debian-qubes-repos.sls
new file mode 100644
index 0000000..acec222
--- /dev/null
+++ b/user_salt/common/onionize-repositories/onionize-repositories--whonix-debian-qubes-repos.sls
@@ -0,0 +1,11 @@
+{% if 'whonix' in grains['id'] %}
+
+onionize-repositories--whonix-debian-qubes-repo:
+  file.managed:
+    - name: /etc/apt/sources.list.d/qubes-r4.list
+    - source: salt://common/onionize-repositories/files/qubes-r4.list
+    - user: root
+    - group: root
+    - mode: 600
+
+{% endif %}
diff --git a/user_salt/common/onionize-repositories/onionize-repositories--whonix-derivate.sls b/user_salt/common/onionize-repositories/onionize-repositories--whonix-derivate.sls
new file mode 100644
index 0000000..57ff039
--- /dev/null
+++ b/user_salt/common/onionize-repositories/onionize-repositories--whonix-derivate.sls
@@ -0,0 +1,7 @@
+{% if 'whonix' in grains['id'] %}
+
+onionize-repositories--whonix-derivative:
+  cmd.run:
+    - name: repository-dist --enable --transport onion
+
+{% endif %}
diff --git a/user_salt/common/onionize-repositories/onionize-repositories--whonix-repos.sls b/user_salt/common/onionize-repositories/onionize-repositories--whonix-repos.sls
new file mode 100644
index 0000000..4d78af9
--- /dev/null
+++ b/user_salt/common/onionize-repositories/onionize-repositories--whonix-repos.sls
@@ -0,0 +1,11 @@
+{% if 'whonix' in grains['id'] %}
+
+onionize-repositories--whonix-repos:
+  file.managed:
+    - name: /etc/apt/sources.list.d/debian.list
+    - source: salt://common/onionize-repositories/files/debian-sources.list
+    - user: root
+    - group: root
+    - mode: 600
+
+{% endif %}
diff --git a/user_salt/common/onionize-repositories/onionize-repositories--whonix.sls b/user_salt/common/onionize-repositories/onionize-repositories--whonix.sls
new file mode 100644
index 0000000..4a033d6
--- /dev/null
+++ b/user_salt/common/onionize-repositories/onionize-repositories--whonix.sls
@@ -0,0 +1,5 @@
+include:
+  - common.onionize-repositories.onionize-repositories--whonix-debian-qubes-repos
+  - common.onionize-repositories.onionize-repositories--whonix-derivate
+  - common.onionize-repositories.onionize-repositories--whonix-repos
+
diff --git a/user_salt/common/remove-unwanted/remove-unwanted--debian-packages.sls b/user_salt/common/remove-unwanted/remove-unwanted--debian-packages.sls
new file mode 100644
index 0000000..9877aae
--- /dev/null
+++ b/user_salt/common/remove-unwanted/remove-unwanted--debian-packages.sls
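Review bot: `repository-dist --enable --transport onion` is a bare `cmd.run` with no `unless`/`creates`/`onchanges`, so it re-executes and reports a change on every highstate instead of converging; add an `- unless:` test against the sources file that `repository-dist` writes (placeholder: `<path written by repository-dist>`) so the state is idempotent. The state ID `onionize-repositories--whonix-derivative` also disagrees with the file name `--whonix-derivate` and the include entry in onionize-repositories--whonix.sls; pick one spelling.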
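Review bot: `onionize-repositories--whonix-repos` overwrites `/etc/apt/sources.list.d/debian.list`, which the managed file's own header says belongs to a Whonix package and "will be overwritten" when that package updates, so Salt and the package will take turns clobbering each other and the qube's apt sources depend on which ran last. The header recommends `/etc/apt/sources.list.d/user.list` for local overrides; either target that path (and comment out or otherwise neutralise the packaged debian.list so the suites are not listed twice) or add a comment acknowledging that a Whonix update resets this file until the next highstate. A `- require:` on the package providing `repository-dist` is also missing here but present in the Debian hunks, which is worth aligning.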
@@ -0,0 +1,22 @@
+{% if grains['os'] == 'Debian' %}
+
+remove-unwanted--debian-packages:
+  pkg.removed:
+    - names:
+      - less
+      - nano
+      - tasksel
+      - less
+      - vim-common
+      - nftables
+      - fdisk
+      - eatmydata
+      - aptitude
+
+remove-unwanted--apt-cleanup:
+  cmd.run:
+    - name: "apt-get autoremove -y && apt-get clean && apt-get autopurge"
+    - onchanges:
+      - pkg: remove-unwanted--debian-packages
+
+{% endif %}
diff --git a/user_salt/common/remove-unwanted/remove-unwanted--debian-systemd-services.sls b/user_salt/common/remove-unwanted/remove-unwanted--debian-systemd-services.sls
new file mode 100644
index 0000000..8078418
--- /dev/null
+++ b/user_salt/common/remove-unwanted/remove-unwanted--debian-systemd-services.sls
@@ -0,0 +1,15 @@
+{% if grains['id'] != 'dom0' %}
+
+remove-unwanted--systemd-service-networkd:
+  service.masked:
+    - name: systemd-networkd.service
+
+remove-unwanted--systemd-service-networkd-socket:
+  service.masked:
+    - name: systemd-networkd.socket
+
+remove-unwanted--systemd-service-networkd-online:
+  service.masked:
+    - name: systemd-networkd-wait-online.service
+
+{% endif %}
diff --git a/user_salt/common/remove-unwanted/remove-unwanted--domzero-packages.sls b/user_salt/common/remove-unwanted/remove-unwanted--domzero-packages.sls
new file mode 100644
index 0000000..3229e62
--- /dev/null
+++ b/user_salt/common/remove-unwanted/remove-unwanted--domzero-packages.sls
@@ -0,0 +1,11 @@
+{% if grains['id'] == 'dom0' %}
+
+remove-unwanted--domzero-packages:
+  pkg.removed:
+    - pkgs:
+      - nano
+      - pipewire
+      - pavucontrol
+      - alsa-utils
+
+{% endif %}
diff --git a/user_salt/common/xterm/files/Xresources b/user_salt/common/xterm/files/Xresources
new file mode 100644
index 0000000..6bf22c8
--- /dev/null
+++ b/user_salt/common/xterm/files/Xresources
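Review bot: `less` is listed twice under `names:` in `remove-unwanted--debian-packages`; drop the duplicate. The trailing `apt-get autopurge` in `remove-unwanted--apt-cleanup` has no `-y`, so whenever there is something to purge it prompts and, with no tty under Salt, aborts and fails the state — use `apt-get autoremove -y && apt-get clean && apt-get autopurge -y`. Removing `nftables` from every Debian template deserves a comment: as far as I know the in-VM Qubes firewall in R4.2 is implemented with nftables, so a qube based on this template that provides networking would lose its firewall; confirm that no net-providing qube is built from templates this state reaches, and record that assumption next to the entry.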
@@ -0,0 +1,7 @@
+xterm*scrollBar: false
+xterm*background: black
+xterm*foreground: white
+xterm*selectToClipboard: true
+
+! if you do a double click on a ling, xterm now automatically selects the whole link
+xterm*charClass: 33:48,35-39:48,42-47:48,58-59:48,61:48,63:48,64:48,91-93:48,95:48,126:48
diff --git a/user_salt/common/xterm/init.sls b/user_salt/common/xterm/init.sls
new file mode 100644
index 0000000..270c2f1
--- /dev/null
+++ b/user_salt/common/xterm/init.sls
@@ -0,0 +1,10 @@
+/home/user/.Xresources:
+  file.managed:
+    - source: salt://common/xterm/files/Xresources
+    - mode: 0644
+    - user: user
+    - group: user
+
+"xrdb -merge /home/user/.Xresources":
+  cmd.run:
+    - user: user
diff --git a/user_salt/common/xterm/xterm--configure.sls b/user_salt/common/xterm/xterm--configure.sls
new file mode 100644
index 0000000..f15d94f
--- /dev/null
+++ b/user_salt/common/xterm/xterm--configure.sls
@@ -0,0 +1,18 @@
+xterm--configure-xresources:
+  file.managed:
+    - name: /home/user/.Xresources
+    - source: salt://xterm/files/Xresources
+    - user: user
+    - group: user
+    - mode: 644
+
+{% set users = salt['cmd.run']('getent passwd | grep /home | cut -d: -f1').splitlines() %}
+
+{% for user in users %}
+
+xterm--confgiure-xresources-merge:
+  cmd.run:
+    - name: xrdb -merge /home/{{ user }}/.Xresources
+    - user: {{ user }}
+
+{% endfor %}
diff --git a/user_salt/default-dvm/default-dvm--create-template.sls b/user_salt/default-dvm/default-dvm--create-template.sls
new file mode 100644
index 0000000..ab87cc0
--- /dev/null
+++ b/user_salt/default-dvm/default-dvm--create-template.sls
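Review bot: The `{% for user in users %}` loop in xterm--configure.sls emits the same state ID `xterm--confgiure-xresources-merge` once per user, so with more than one matching account Salt rejects the file with a conflicting-ID error; make the ID unique per iteration, `xterm--configure-xresources-merge-{{ user }}:`, which also fixes the `confgiure` typo. `- source: salt://xterm/files/Xresources` differs from the `salt://common/xterm/files/Xresources` used by xterm/init.sls, and the only Xresources added in this commit lives under `common/xterm/files/`, so the first path looks wrong. Both files manage `/home/user/.Xresources` and both `xrdb -merge` states run on every highstate; one owner for the file plus `- onchanges:` pointing at it would make the merge idempotent. The user list comes from a shell pipeline (`getent passwd | grep /home | cut -d: -f1`) that also matches any account whose passwd line merely contains `/home`; a comment stating the intended match would help.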
@@ -0,0 +1,26 @@
+{% import "templates/versions.jinja" as version %}
+
+include:
+  - templates.templates--install-debian-minimal
+
+{% if grains['id'] == 'dom0' %}
+
+default-dvm--create-template:
+  qvm.clone:
+    - name: template-default-dvm
+    - source: debian-{{ version.debian }}-minimal
+    - class: TemplateVM
+    - require:
+      - qvm: templates--install-debian-{{ version.debian }}-minimal
+
+default-dvm--template-prefs:
+  qvm.prefs:
+    - name: template-default-dvm
+    - label: purple
+    - audiovm:
+    - guivm: dom0
+    - netvm:
+    - require:
+      - qvm: default-dvm--create-template
+
+{% endif %}
diff --git a/user_salt/default-dvm/default-dvm--qube-prefs.sls b/user_salt/default-dvm/default-dvm--qube-prefs.sls
new file mode 100644
index 0000000..d70d6f5
--- /dev/null
+++ b/user_salt/default-dvm/default-dvm--qube-prefs.sls
@@ -0,0 +1,13 @@
+{% if grains['id'] == 'dom0' %}
+
+default-dvm--app-qube-prefs:
+  qvm.prefs:
+    - name: default-dvm
+    - label: red
+    - audiovm:
+    - guivm: dom0
+    - netvm:
+    - require:
+      - qvm: default-dvm--create-template
+
+{% endif %}
diff --git a/user_salt/default-dvm/init.sls b/user_salt/default-dvm/init.sls
new file mode 100644
index 0000000..532f866
--- /dev/null
+++ b/user_salt/default-dvm/init.sls
@@ -0,0 +1,3 @@
+include:
+  - default-dvm.default-dvm--create-template
+  - default-dvm.default-dvm--qube-prefs
diff --git a/user_salt/default-mgmt-dvm/default-mgmt-dvm--create-app-qube.sls b/user_salt/default-mgmt-dvm/default-mgmt-dvm--create-app-qube.sls
new file mode 100644
index 0000000..6d1e2ba
--- /dev/null
+++ b/user_salt/default-mgmt-dvm/default-mgmt-dvm--create-app-qube.sls
@@ -0,0 +1,18 @@
+{% if grains['id'] == 'dom0' %}
+
+default-mgmt-dvm--create-app-qube:
+  qvm.vm:
+    - name: default-mgmt-dvm
+    - present:
+      - template: template-default-mgmt-dvm
+      - label: red
+    - prefs:
+      - label: red
+      - audiovm:
+      - guivm:
+      - netvm:
+      - template_for_dispvms: True
+    - require:
+      - qvm: default-mgmt-dvm--create-template
+
+{% endif %}
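Review bot: `default-dvm--app-qube-prefs` sets label, audiovm, guivm and netvm on `default-dvm` but never sets `- template: template-default-dvm`, so as far as this commit shows the template cloned in `default-dvm--create-template` is not attached to the disposable template it was made for; add that pref, or a comment saying where the assignment happens. The bare `- audiovm:` and `- netvm:` entries parse as YAML null; confirm that `qvm.prefs` treats null as "no audiovm/netvm" rather than "leave unchanged", and if the intent is the former an explicit empty string (`- netvm: ""`) reads more clearly. The `require` on `qvm: default-dvm--create-template` refers to a state in another file, which only resolves when both are applied through default-dvm/init.sls — worth a one-line comment.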
diff --git a/user_salt/default-mgmt-dvm/default-mgmt-dvm--create-template.sls b/user_salt/default-mgmt-dvm/default-mgmt-dvm--create-template.sls
new file mode 100644
index 0000000..0a1c966
--- /dev/null
+++ b/user_salt/default-mgmt-dvm/default-mgmt-dvm--create-template.sls
@@ -0,0 +1,27 @@
+{% import "templates/versions.jinja" as version %}
+
+include:
+  - templates.templates--install-debian-minimal
+
+{% if grains['id'] == 'dom0' %}
+
+default-mgmt-dvm--create-template:
+  qvm.clone:
+    - name: template-default-mgmt-dvm
+    - source: debian-{{ version.debian }}-minimal
+    - class: TemplateVM
+    - require:
+      - qvm: templates--install-debian-{{ version.debian }}-minimal
+
+default-mgmt-dvm--create-template-prefs:
+  qvm.prefs:
+    - name: template-default-mgmt-dvm
+    - label: red
+    - audiovm:
+    - guivm:
+    - netvm:
+    - require:
+      - qvm: default-mgmt-dvm--create-template
+
+
+{% endif %}
diff --git a/user_salt/default-mgmt-dvm/default-mgmt-dvm--install-packages.sls b/user_salt/default-mgmt-dvm/default-mgmt-dvm--install-packages.sls
new file mode 100644
index 0000000..69bd980
--- /dev/null
+++ b/user_salt/default-mgmt-dvm/default-mgmt-dvm--install-packages.sls
@@ -0,0 +1,10 @@
+{% if grains['id'] == 'template-default-mgmt-dvm' %}
+
+default-mgmt-dvm--install-packages:
+  pkg.installed:
+    - refresh: True
+    - pkgs:
+      - qubes-core-agent-passwordless-root
+      - qubes-mgmt-salt-vm-connector
+
+{% endif %}
diff --git a/user_salt/default-mgmt-dvm/init.sls b/user_salt/default-mgmt-dvm/init.sls
new file mode 100644
index 0000000..276c917
--- /dev/null
+++ b/user_salt/default-mgmt-dvm/init.sls
@@ -0,0 +1,3 @@
+include:
+  - default-mgmt-dvm.default-mgmt-dvm--create-template
+  - default-mgmt-dvm.default-mgmt-dvm--install-packages
diff --git a/user_salt/dev/dev--create-app-qube.sls b/user_salt/dev/dev--create-app-qube.sls
new file mode 100644
index 0000000..472a7e8
--- /dev/null
+++ b/user_salt/dev/dev--create-app-qube.sls
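Review bot: default-mgmt-dvm/init.sls includes only `--create-template` and `--install-packages`, not `default-mgmt-dvm--create-app-qube` from the previous hunk, so applying `default-mgmt-dvm` through the top file never creates the `default-mgmt-dvm` qube (dev/init.sls, by contrast, does include its create-app-qube state). Add `  - default-mgmt-dvm.default-mgmt-dvm--create-app-qube` unless the qube is deliberately wired up elsewhere, in which case a comment in init.sls should say where. The `--install-packages` state is guarded by `grains['id'] == 'template-default-mgmt-dvm'` and the dom0 states by `grains['id'] == 'dom0'`; since the two halves run in different targets, the include order here does not enforce that the template is cloned before packages are installed into it — worth noting in the file.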
@@ -0,0 +1,21 @@
+{% if grains['id'] == 'dom0' %}
+
+dev--create-app-qube:
+ qvm.vm:
+ - name: q-dev
+ - present:
+ - template: template-dev
+ - label: orange
+ - prefs:
+ - label: orange
+ - netvm: sys-vpn-mullvad
+ - features:
+ - set:
+ - menu-items: xterm.desktop
+ - service:
+ - enable:
+ - shutdown-idle
+ - require:
+ - qvm: dev--create-template
+
+{% endif %}
diff --git a/user_salt/dev/dev--create-template.sls b/user_salt/dev/dev--create-template.sls
new file mode 100644
index 0000000..3aa2a5c
--- /dev/null
+++ b/user_salt/dev/dev--create-template.sls
@@ -0,0 +1,26 @@
+{% import "templates/versions.jinja" as version %}
+
+include:
+ - templates.templates--install-fedora-minimal
+
+{% if grains['id'] == 'dom0' %}
+
+dev--create-template:
+ qvm.clone:
+ - name: template-dev
+ - source: fedora-{{ version.fedora }}-minimal
+ - class: TemplateVM
+ - require:
+ - qvm: templates--install-fedora-{{ version.fedora }}-minimal
+
+dev--template-prefs:
+ qvm.prefs:
+ - name: template-dev
+ - label: orange
+ - audiovm:
+ - guivm:
+ - netvm:
+ - require:
+ - qvm: dev--create-template
+
+{% endif %}
diff --git a/user_salt/dev/dev--install-packages.sls b/user_salt/dev/dev--install-packages.sls
new file mode 100644
index 0000000..9c7d95e
--- /dev/null
+++ b/user_salt/dev/dev--install-packages.sls
@@ -0,0 +1,14 @@
+{% if grains['id'] == 'template-dev' %}
+
+dev--install-packages:
+ pkg.installed:
+ - refresh: True
+ - pkgs:
+ - qubes-core-agent-networking
+ - qubes-app-shutdown-idle
+ - neovim
+ - tmux
+ - git
+ - python3-virtualenvwrapper
+
+{% endif %}
diff --git a/user_salt/dev/init.sls b/user_salt/dev/init.sls
new file mode 100644
index 0000000..d879e97
--- /dev/null
+++ b/user_salt/dev/init.sls
@@ -0,0 +1,4 @@
+include:
+ - dev.dev--create-template
+ - dev.dev--install-packages
+ - dev.dev--create-app-qube
diff --git a/user_salt/mullvad-browser/files/mullvad-keyring.asc b/user_salt/mullvad-browser/files/mullvad-keyring.asc
new file mode 100644
index 0000000..63052fe
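Review bot: `dev--create-app-qube` sets `netvm: sys-vpn-mullvad` but its only requisite is `dev--create-template`; `sys-vpn-mullvad` is created by `sys-vpn-mullvad--create-qube` in the mullvad-vpn module, and if that state has not run yet on this dom0 the prefs call fails because the netvm does not exist. Either include the mullvad-vpn module here and add `- sls: mullvad-vpn` to the `require:` list, or make the ordering explicit in the top file and say so in a comment on this state. The same unstated dependency is present in `mullvad-browser--create-app-qube` and in `split-btc--create-btc-qube`, which also point `netvm` at `sys-vpn-mullvad`.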
--- /dev/null
+++ b/user_salt/mullvad-browser/files/mullvad-keyring.asc
@@ -0,0 +1,84 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQINBFgRmCoBEAChee2rs/braqjqim1D+uvTBpPZzkpccJVb2SqhErQKs54iJVyo +H5pNrGR4VIzFRUnY7fbATo2Ej+0MlglXahl4ok93XmeDz04P5rH2NKnLvWYdaK1C +9Lvpq22t1nytJuhc124UBahVVEYjc7l2+JGdTh7WvLj8FXqfnnmI1upVU48S70RL +oM3tSDZqQaO3OGCc0znMNBGI/uKNNwc6Omm6KPvczOhci7bnKt0b0R6TrXufvgOG +y1DM9sntIbXtpIjOuZdTWyrGTm/AvT6zddPFjN8SN6ZIfoRmJT6ROB6ZTtiz/d20 +VJ87QPEfVRKrMImZxtkJtSliojZB/I3/bkP7A4pvgJ6cJ+ErwW4cfqc3DrWaZY+D +4AZnk71FA6C5rQdkFbfkgyUMY1WeKX+8N/R+e5oLGmoVI/fdHu1z0JkJJvEraAO9 ++qX2mOcW5h/NRxv0Xw57fjMhnMha7bWs8Jn5AchDPJZs1U64Wr36FuSvcdxc0ON/ +WaX4RL/J5OtJHu+2FB+UB1/JuICdOP07/KFxUJod43KwwBctLUHOOz3m1KIVcnXR +l6+gNQ7vxGm+xghN/zG7lgPLuw5ToCCkMLkQydsRPRSlm0f2zqbQUD3jn+4zZ2ma +HBHcu6Ld8SSGPp5XIauAKhqZA9IkD5VPgqlrm0iJ4emzPYGp7PMFFdH3qQARAQAB +tCpNdWxsdmFkIChjb2RlIHNpZ25pbmcpIDxhZG1pbkBtdWxsdmFkLm5ldD6JAjUE +EwEIAB8CGwMCHgECF4AFAlgR6R8ECwkIBwUVCgkICwQWAgMBAAoJENWh1PJm3o3f +muQQAJElHN6lLhpOgrbRprJAR15HfRI0Leoomfu5V53Qieqf+6O3TF4PC9JRn+v8 +NYOMsBmBgosvO8YcABA3wYTW6qyRGr+8zQePltEe/J9SE3oCbb4K5KWEThiicZ6R +o0sJgXB3l0CIHVP+/3bWeZlBpTJNMLOEM+WsEsTe6v7hZfF7HIubVdKSIbQy7T3X +nsk8840rt5LjJiNtSpsG+EJOIGEdXH5FAis35pTLrbkgnL3Evyjd2OW1grciqF+v +7aba2g/2zpEGEdtbJKO5C4nG9CHcN5BlaSev0oQlKWuRSG3igwauZFe/0RQPkH/V +kCOHA3l8NTlublQCdLLLrJJyX7aODH+AKLaVci17ogtGwwO+xNh0h4ejM0QuMLYV +giMCpxRT5uUuOHbh3by1rwTSb+8dvIw3KyW1TbZ6LFCQHX+8Zs7xU7KQ6tGZ6Pvr +Fhk/YiM8J+Fe+rBGwEcUfo/ALv4p7qHpRVA7CvdrzKg66iaN+iPQzsptamoSLsCj +SYbjIby74X0vppRAg7sDXiAxJSRPXM3h1xO83yk1HMrswwWAUuJeToYRXOHYl5zN +i3E0D6I5Zk1ioO9XPE7oILwJ7YaO4XuC3UuNMwWPSvOoJxbnsUdHpenITvbpe9DP +z4HGzZWbUtShFDq77MDhv9vkNaFUOgP7AfO5N/35pVCkI4m1uQINBFgRmCoBEADT +5YK+TLcGSzC4ML7t8VW+rVpYyY3pswX8dL058LYfCIrlaNa14/UvINvjA5529SWr +jmmDluD8fqtMSFHw6l+XwPMOwvETAjaMLS6c/MLFmw2gHR2ARHBmLEn/ux9kZ03Y +dEKak5wvkUVqLV7EgGnvfrI0FUw/gaIfdtAt0dcvpAG0bILXQtcYEj7BtiAdxiWL +O8HMUzD7kj0Q2IUbA3bO4dAtJtXDyY+Ash/kqLzm+0kZtzk4FLWZT2CMw9l73mIT +/f03+y8oBe1KhZ5FzqgUxQXdjV5hkWyFNbBn4+dsyoMltnVDPkRznIHDWJXiKUV+ 
+buSQ+xewO/flwrwcgbdTtH5qfuxtNBA2AkVs/dul8FJHeSCB7at6Vy1m8/xFlxgc +QOk/wwiDKLBub0uIE6TfNs7SvAOUuZP5syLQq8ZeyYMWGrWQKgAEmHlXr0uCrqVF +O5vjaja8Zwc6wdApiFxjiBzl3z7UiE3fafpeO9nqLwaZqz0RPCEpvCrkpDi4Gl2W +nfWmQbj2jEpUER1osJhvNRCEfA12IUWjp1vFJhy31i6gTXdCxVBasQrxpJBEZnuJ +57yIZ+FbdMI0wQD2OMdUYxx4o9p6aGwhotSBrgpM0cfZ5LruP6MjBfWKqLnZBuYk +prqWeh5rgtXIebsiGYp7V3Ay9pcoilbzh53/wU6y+wARAQABiQIfBBgBCAAJBQJY +EZgqAhsMAAoJENWh1PJm3o3fbfoP/RfOil8d3hNK+qgG4Xh46bF/UmGzorYbVzzP +myXXRHTMh3/Br2tPOOnhP65nKJnv8pqCuK1UOJpfXUXDyRpAP7opiWRaS0gbU9s6 +RBy499P/LyMmvZbM4YkpxwPJkC6JaITQ+ZtnPQp+MYLizsz5OD8utyfoPWDOdaEf +3JHOvupcItDL3DDKw5zPzrI6pKc0IMObO5VI/uU3BIf0x+FKh2rhMVMI+Psapotm +qhpaPZoz/QPapS2WiMNr7cInLxx7/fv/RLEr5WSVn1eAKkKuXUO/VB5+h4GdP/YV +boBW4wMneEEkJX3iLr/IM1GQdQK/db4fyWAKh7LhzS9ZCVMxm5BU6GkId7GI2jFE +djmedt6iF6Tyk0/49WjU/qAZ9H0IHgpyNCwUqPpzWgRiiIbZryRXycht/rH6zuL1 +8p5N6r7AgT6s6kCHfrNK/zxMOzylUuwng1EnLCmlg88PoCCQpaNFZkqwIR0LCh3p +Xp8zAp+0Sx2td1FtjbEw+OaNCmmJoMqoejuw0nSOFdQUUNAB5WGeZQLoPaastanW +ir6XcUChoy/1osuovAPNKpWWUxWDdW+62mV8s2ArkLzhgl0FmLZhu+VBKrQaNUKV +WmPnMRZF6f1C3M8l5DtT1VzfEr1A9ON6uZzKITLlJdBltVFkV7qJTsxbsoj0AJj7 +0VY4XEjauQINBFgR4mgBEACsFJ+BkT+yBxB0E2MNUAcW5stDgscDOJOAXS/ViYd8 +68FqC87VnG+bgTqG2atRqb493RoCHwZyL3L9JniadSk35d9JEQBWzCPff+kEy5Uc +bwzvSUJyCfjFdxU4YgH/bMt+RXi1mVjLcGTthRp4IfBxQcluI//rxP1kurrqq+lO +wj7n+h1wxrdhvXXDiAeBJqlQcBjeT0VLc74PYQJ3SbpeX1aFaxsVATGpgXf3SWp+ +8vRCmzM9CnyZW8BeaXBrkwiZQEOeiqnQ0MWaD/8Fs6WWfiyoObJcadmS7HgqCfw7 +SwjSUjSPAr+Vr02P83S59u8ql0RWtDI8CCXcSc1t4u52lvXBdO3nKa9+PeW64I+A +UfqgJOmfhWZsoImV1pCx+RzY6luFp7H7JVACAi3Z1s24fsRhN5wVZ/hjKn7xGPv0 +O+zFVGWXs/JKl6Bv7xMR0epL+D0d13ahPZYHyLqLfdeJwg2HT1BUAPy+QCy5rhzS +iEjeygqVzwNTcBPnu1PFhzXSdGMvHKTFXwO5xPwqanvKUd9zH6Xxan5wAJL7yRPq +7/MSEqUFiE+OfVTeZ3PDduLrkrQm0ZIgTl4EkUNn70YbzrPnEDh7EMETNnAqjNU3 +5iwELxRyxjUdSaIuF/5gSfc4DG/c8miUrYAaXyqMuJWuF7aNnVnSQJDZCjnf//Yy +KQARAQABiQQ+BBgBCAAJBQJYEeJoAhsCAikJENWh1PJm3o3fwV0gBBkBCAAGBQJY +EeJoAAoJEKJlgfIZyDFMyBwP/ih4/pKyfQOdgP03IXK0v9dhKOs+PcSAd4BC+ACV 
+kDz+N4Pui7/6FJ7+hSJE7Tf2vcWYYbtTrVCz335VCf5zWC/Tz8aXs9MOBlMeZNOS +2Fsi8P1KOv2BD7qi+m6fkHJ59hDXp2SzvmYRNRgn3N1QpuJl6bjssLmG7X+8NrNA +JZedzfXmvxDfnxaqKTwGotlJXVo5b/wB1ZXn7yr3zecuXKvcG1SJTGCSyK98jyip +S/0qAOqzd6FPbNEl/4ehKPX5STdZytTzN8lcbtfTMUA6qLqe/5Tvt50n8yDD3bEh +ripRSaC2BoVDADwxo7kDhTO6c1xCNMdG/9dHMelbzOPuxJhVMkNzL+dR5V6Q3Clt +I2rjANqWq/3G7kA4oaItoYOYnh9J8a7P/bkMFbrGEYmaYu9PCqLY5NzqaCKlNyJP +Fy8u0TdBhiyoBWWarTN6fZwTG6MotHPi9q0iWPfsb9kyoRJWIcvEJq+Vi0wE0+9/ +kXgibqh76U5JekysGV/dBgXaPF4XAPCpBaEe9sbD2PVeUDZPuVeo3c8iGPK1NxmJ +dt1ktfCcuV3MYCo1DGifuOCCvVaJms6IEFjLPAEQmTGhRSVzTWZ7J8HoDqulhlJh +HxLT7KI9z85238zplUarSEZ42gNT5SQd35prGVlJDVBwRm2NmJurcfU/EcPi++eD +0hJhWrYP/3lW/OOkR5NZCK8HhKYM2kBcAsOC/6x5vV1VISslZY2LB3jKq+XhXlPO +cEmQVMPliBx4yuFrPOKk1+87D9bEL5LJBQskgQwFe2Pg9QirIYflO+P+1LJK3U/g +3NnlkSrOTRV0M/AvhtU/8R3V2V423pm3sjQsaRdMMtWGfsFNJxvotBkwgEDwDu7h +sZqzL0zFucm+iMAhGnqi+EZEPXwbX1Utp7S8edBCztfytQMjnJ6jv4UCz///rc3i +8IDlMo2d19CW/psPS4v7lns5g9oqCGpRbGRllrBV1M/o7bs7+1NyvPTJm9UAmt5U +iApao4vt4YOG5w0vYd0t50pDS/j3TGjbakgxZpNUMpAgrhnelClKDsXbCVGCyhlJ +ZOw9Q9t4vIAhFFSpxEDl1NREOUInoK3R4yo4Ep4sq6cbfZvoyAYZf1zpQHQX9OBN +DKp1jwGLA3+0Jna2/1QUYFLjFiz9bdL+1nT9k/RStFBauRh529r+M1WlkwqNIL+L +bRGm0rXbWu9eiLhq2ldnfIADOtccUll10RznrjumqgYYw2CI0YUudzpzIghAKZyo +THYPADmBfvN2pZa/KU3c1OSKHOH2b91Xi97k3u0fECMHLgXctA3BkQ69fONSzx/c +abgtcydAU0wAD3mG3mr1XI96uOMeVNK0wgYyO5VhzZNziSFhls0D +=kwTD +-----END PGP PUBLIC KEY BLOCK----- diff --git a/user_salt/mullvad-browser/files/mullvad.list b/user_salt/mullvad-browser/files/mullvad.list new file mode 100644 index 0000000..2c63be1 --- /dev/null +++ b/user_salt/mullvad-browser/files/mullvad.list @@ -0,0 +1 @@ +deb [signed-by=/usr/share/keyrings/mullvad-keyring.asc arch=amd64] https://repository.mullvad.net/deb/stable bookworm main diff --git a/user_salt/mullvad-browser/init.sls b/user_salt/mullvad-browser/init.sls new file mode 100644 index 0000000..1907348 --- /dev/null +++ b/user_salt/mullvad-browser/init.sls 
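Review bot: `mullvad.list` pins the release codename `bookworm` while the template it is installed into is cloned from `debian-{{ version.debian }}-minimal` (see `mullvad-browser--create-template.sls`), so a future bump of `version.debian` would silently leave apt pointed at a repository for the old release. Either render the list through jinja from the same `versions.jinja` module, or add a comment to `mullvad-browser--configure-repos` stating that the codename in this file must be kept in step with `versions.jinja`. The `arch=amd64` restriction and the `signed-by=` keyring path are fine; the identical file is added again under `user_salt/mullvad-vpn/files/mullvad.list` with the same issue.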
@@ -0,0 +1,5 @@
+include:
+ - mullvad-browser.mullvad-browser--create-template
+ - mullvad-browser.mullvad-browser--configure-repos
+ - mullvad-browser.mullvad-browser--install-packages
+ - mullvad-browser.mullvad-browser--create-app-qube
diff --git a/user_salt/mullvad-browser/mullvad-browser--configure-repos.sls b/user_salt/mullvad-browser/mullvad-browser--configure-repos.sls
new file mode 100644
index 0000000..cf4c83f
--- /dev/null
+++ b/user_salt/mullvad-browser/mullvad-browser--configure-repos.sls
@@ -0,0 +1,11 @@
+{% if grains['id'] == 'template-mullvad-browser' %}
+
+mullvad-browser--configure-repos:
+ file.managed:
+ - names:
+ - /usr/share/keyrings/mullvad-keyring.asc:
+ - source: salt://mullvad-browser/files/mullvad-keyring.asc
+ - /etc/apt/sources.list.d/mullvad.list:
+ - source: salt://mullvad-browser/files/mullvad.list
+
+{% endif %}
diff --git a/user_salt/mullvad-browser/mullvad-browser--create-app-qube.sls b/user_salt/mullvad-browser/mullvad-browser--create-app-qube.sls
new file mode 100644
index 0000000..3dc08c3
--- /dev/null
+++ b/user_salt/mullvad-browser/mullvad-browser--create-app-qube.sls
@@ -0,0 +1,21 @@
+{% if grains['id'] == 'dom0' %}
+
+mullvad-browser--create-app-qube:
+ qvm.vm:
+ - name: q-mullvad-browser
+ - present:
+ - template: template-mullvad-browser
+ - label: red
+ - prefs:
+ - label: red
+ - audiovm: sys-audio
+ - guivm: dom0
+ - netvm: sys-vpn-mullvad
+ - template_for_dispvms: True
+ - features:
+ - set:
+ - menu-items: mullvad-browser.desktop debian-xterm.desktop
+ - require:
+ - qvm: mullvad-browser--create-template
+
+{% endif %}
diff --git a/user_salt/mullvad-browser/mullvad-browser--create-template.sls b/user_salt/mullvad-browser/mullvad-browser--create-template.sls
new file mode 100644
index 0000000..2bd7f4b
--- /dev/null
+++ b/user_salt/mullvad-browser/mullvad-browser--create-template.sls
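Review bot: `mullvad-browser--configure-repos` installs a vendored PGP keyring into `/usr/share/keyrings` with no record of which key it is supposed to contain, so a later maintainer cannot distinguish a legitimate key rotation from a tampered blob when the file changes. Add a comment above the state with the fingerprint you verified out of band, e.g. `# mullvad-keyring.asc fingerprint: <FINGERPRINT-VERIFIED-OUT-OF-BAND>`, and consider a `source_hash` on the keyring entry so the deployed file is checked against a known digest rather than only against whatever is in the salt tree. The same blob (index `63052fe` in both headers) is shipped a second time under `user_salt/mullvad-vpn/files/` and installed by `mullvad-vpn--configure-repos`; either have both states pull one copy or note that the two must be rotated together.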
@@ -0,0 +1,26 @@
+{% import "templates/versions.jinja" as version %}
+
+include:
+ - templates.templates--install-debian-minimal
+
+{% if grains['id'] == 'dom0' %}
+
+mullvad-browser--create-template:
+ qvm.clone:
+ - name: template-mullvad-browser
+ - source: debian-{{ version.debian }}-minimal
+ - class: TemplateVM
+ - require:
+ - qvm: templates--install-debian-{{ version.debian }}-minimal
+
+mullvad-browser--template-prefs:
+ qvm.prefs:
+ - name: template-mullvad-browser
+ - label: red
+ - audiovm:
+ - guivm:
+ - netvm:
+ - require:
+ - qvm: mullvad-browser--create-template
+
+{% endif %}
diff --git a/user_salt/mullvad-browser/mullvad-browser--install-packages.sls b/user_salt/mullvad-browser/mullvad-browser--install-packages.sls
new file mode 100644
index 0000000..21b5966
--- /dev/null
+++ b/user_salt/mullvad-browser/mullvad-browser--install-packages.sls
@@ -0,0 +1,13 @@
+{% if grains['id'] == 'template-mullvad-browser' %}
+
+mullvad-browser--install-packages:
+ pkg.installed:
+ - refresh: True
+ - pkgs:
+ - qubes-core-agent-networking
+ - mullvad-browser
+ - pulseaudio-qubes
+ - require:
+ - file: mullvad-browser--configure-repos
+
+{% endif %}
diff --git a/user_salt/mullvad-vpn/files/mullvad-dns.sh b/user_salt/mullvad-vpn/files/mullvad-dns.sh
new file mode 100644
index 0000000..2605760
--- /dev/null
+++ b/user_salt/mullvad-vpn/files/mullvad-dns.sh
@@ -0,0 +1,44 @@
+#! /usr/bin/env bash
+
+update_dns() {
+ # mullvad_on: 0 -> off, 1 -> on
+ mullvad_on=$([[ $(grep -v -c "nameserver \+10.139" /etc/resolv.conf) -gt 0 ]] && echo 1 || echo 0)
+
+ if [[ $mullvad_on -eq 1 ]]; then
+
+ echo "Mullvad is on"
+
+ # get the mullvad dns ip address. First one is used if there is more than one.
+ mullvad_dns_ip=$(grep "nameserver" < /etc/resolv.conf| awk '{print $2}' | head -n 1)
+
+ # delete all the lines defined in dnat-dns
+ sudo nft flush chain ip qubes dnat-dns
+
+ # forward all dns requests to mullvad dns servers
+ sudo nft add rule ip qubes dnat-dns meta l4proto { tcp, udp } ip daddr { 10.139.1.1, 10.139.1.2 } th dport 53 dnat to "$mullvad_dns_ip"
+
+ else
+
+ echo "Mullvad is off"
+
+ # get qubes nameserver ip addresses
+ nameserver_ips=$(grep "nameserver" < /etc/resolv.conf| awk '{print $2}')
+
+ # delete all the lines defined in dnat-dns
+ sudo nft flush chain ip qubes dnat-dns
+
+ # add rule to forward dns requests to qubes nameservers
+ for ip in $nameserver_ips; do
+ sudo nft add rule ip qubes dnat-dns ip daddr "$ip" udp dport 53 dnat to "$ip"
+ sudo nft add rule ip qubes dnat-dns ip daddr "$ip" tcp dport 53 dnat to "$ip"
+ done
+
+ fi
+}
+
+update_dns
+# check for /etc/resolv.conf content change
+inotifywait -m -q -e close_write /etc/resolv.conf | while read -r;
+do
+ update_dns
+done
diff --git a/user_salt/mullvad-vpn/files/mullvad-keyring.asc b/user_salt/mullvad-vpn/files/mullvad-keyring.asc
new file mode 100644
index 0000000..63052fe
--- /dev/null
+++ b/user_salt/mullvad-vpn/files/mullvad-keyring.asc
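Review bot: The watcher at the bottom (`inotifywait -m -q -e close_write /etc/resolv.conf`) is attached to the file's inode, so if the resolver file is replaced by write-to-temp-and-rename rather than rewritten in place, the watch goes stale after the first replacement and `update_dns` never runs again, leaving the DNAT rules pointed at the previous resolver; how the Mullvad client and Qubes write this file is not visible here, so treat this as something to verify. Watching the directory and filtering on the name covers both cases: `inotifywait -m -q -e close_write -e moved_to -e create --format '%f' /etc | while read -r f; do [[ $f == resolv.conf ]] && update_dns; done`. The on/off detection in `update_dns` counts every line that is not a `nameserver 10.139…` entry, so a comment, `search` or `options` line would flip the result to "on"; restricting the count to nameserver lines, `mullvad_on=$([[ $(grep '^nameserver' /etc/resolv.conf | grep -vc ' 10\.139\.') -gt 0 ]] && echo 1 || echo 0)`, avoids that. The "on" branch also redirects only queries addressed to the hard-coded `10.139.1.1`/`10.139.1.2`, whereas the "off" branch derives the addresses from resolv.conf; reading them the same way in both branches keeps the two in step, and a comment noting that the flush-then-add sequence leaves a brief window with no redirect would help the next reader.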
@@ -0,0 +1,84 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQINBFgRmCoBEAChee2rs/braqjqim1D+uvTBpPZzkpccJVb2SqhErQKs54iJVyo +H5pNrGR4VIzFRUnY7fbATo2Ej+0MlglXahl4ok93XmeDz04P5rH2NKnLvWYdaK1C +9Lvpq22t1nytJuhc124UBahVVEYjc7l2+JGdTh7WvLj8FXqfnnmI1upVU48S70RL +oM3tSDZqQaO3OGCc0znMNBGI/uKNNwc6Omm6KPvczOhci7bnKt0b0R6TrXufvgOG +y1DM9sntIbXtpIjOuZdTWyrGTm/AvT6zddPFjN8SN6ZIfoRmJT6ROB6ZTtiz/d20 +VJ87QPEfVRKrMImZxtkJtSliojZB/I3/bkP7A4pvgJ6cJ+ErwW4cfqc3DrWaZY+D +4AZnk71FA6C5rQdkFbfkgyUMY1WeKX+8N/R+e5oLGmoVI/fdHu1z0JkJJvEraAO9 ++qX2mOcW5h/NRxv0Xw57fjMhnMha7bWs8Jn5AchDPJZs1U64Wr36FuSvcdxc0ON/ +WaX4RL/J5OtJHu+2FB+UB1/JuICdOP07/KFxUJod43KwwBctLUHOOz3m1KIVcnXR +l6+gNQ7vxGm+xghN/zG7lgPLuw5ToCCkMLkQydsRPRSlm0f2zqbQUD3jn+4zZ2ma +HBHcu6Ld8SSGPp5XIauAKhqZA9IkD5VPgqlrm0iJ4emzPYGp7PMFFdH3qQARAQAB +tCpNdWxsdmFkIChjb2RlIHNpZ25pbmcpIDxhZG1pbkBtdWxsdmFkLm5ldD6JAjUE +EwEIAB8CGwMCHgECF4AFAlgR6R8ECwkIBwUVCgkICwQWAgMBAAoJENWh1PJm3o3f +muQQAJElHN6lLhpOgrbRprJAR15HfRI0Leoomfu5V53Qieqf+6O3TF4PC9JRn+v8 +NYOMsBmBgosvO8YcABA3wYTW6qyRGr+8zQePltEe/J9SE3oCbb4K5KWEThiicZ6R +o0sJgXB3l0CIHVP+/3bWeZlBpTJNMLOEM+WsEsTe6v7hZfF7HIubVdKSIbQy7T3X +nsk8840rt5LjJiNtSpsG+EJOIGEdXH5FAis35pTLrbkgnL3Evyjd2OW1grciqF+v +7aba2g/2zpEGEdtbJKO5C4nG9CHcN5BlaSev0oQlKWuRSG3igwauZFe/0RQPkH/V +kCOHA3l8NTlublQCdLLLrJJyX7aODH+AKLaVci17ogtGwwO+xNh0h4ejM0QuMLYV +giMCpxRT5uUuOHbh3by1rwTSb+8dvIw3KyW1TbZ6LFCQHX+8Zs7xU7KQ6tGZ6Pvr +Fhk/YiM8J+Fe+rBGwEcUfo/ALv4p7qHpRVA7CvdrzKg66iaN+iPQzsptamoSLsCj +SYbjIby74X0vppRAg7sDXiAxJSRPXM3h1xO83yk1HMrswwWAUuJeToYRXOHYl5zN +i3E0D6I5Zk1ioO9XPE7oILwJ7YaO4XuC3UuNMwWPSvOoJxbnsUdHpenITvbpe9DP +z4HGzZWbUtShFDq77MDhv9vkNaFUOgP7AfO5N/35pVCkI4m1uQINBFgRmCoBEADT +5YK+TLcGSzC4ML7t8VW+rVpYyY3pswX8dL058LYfCIrlaNa14/UvINvjA5529SWr +jmmDluD8fqtMSFHw6l+XwPMOwvETAjaMLS6c/MLFmw2gHR2ARHBmLEn/ux9kZ03Y +dEKak5wvkUVqLV7EgGnvfrI0FUw/gaIfdtAt0dcvpAG0bILXQtcYEj7BtiAdxiWL +O8HMUzD7kj0Q2IUbA3bO4dAtJtXDyY+Ash/kqLzm+0kZtzk4FLWZT2CMw9l73mIT +/f03+y8oBe1KhZ5FzqgUxQXdjV5hkWyFNbBn4+dsyoMltnVDPkRznIHDWJXiKUV+ 
+buSQ+xewO/flwrwcgbdTtH5qfuxtNBA2AkVs/dul8FJHeSCB7at6Vy1m8/xFlxgc +QOk/wwiDKLBub0uIE6TfNs7SvAOUuZP5syLQq8ZeyYMWGrWQKgAEmHlXr0uCrqVF +O5vjaja8Zwc6wdApiFxjiBzl3z7UiE3fafpeO9nqLwaZqz0RPCEpvCrkpDi4Gl2W +nfWmQbj2jEpUER1osJhvNRCEfA12IUWjp1vFJhy31i6gTXdCxVBasQrxpJBEZnuJ +57yIZ+FbdMI0wQD2OMdUYxx4o9p6aGwhotSBrgpM0cfZ5LruP6MjBfWKqLnZBuYk +prqWeh5rgtXIebsiGYp7V3Ay9pcoilbzh53/wU6y+wARAQABiQIfBBgBCAAJBQJY +EZgqAhsMAAoJENWh1PJm3o3fbfoP/RfOil8d3hNK+qgG4Xh46bF/UmGzorYbVzzP +myXXRHTMh3/Br2tPOOnhP65nKJnv8pqCuK1UOJpfXUXDyRpAP7opiWRaS0gbU9s6 +RBy499P/LyMmvZbM4YkpxwPJkC6JaITQ+ZtnPQp+MYLizsz5OD8utyfoPWDOdaEf +3JHOvupcItDL3DDKw5zPzrI6pKc0IMObO5VI/uU3BIf0x+FKh2rhMVMI+Psapotm +qhpaPZoz/QPapS2WiMNr7cInLxx7/fv/RLEr5WSVn1eAKkKuXUO/VB5+h4GdP/YV +boBW4wMneEEkJX3iLr/IM1GQdQK/db4fyWAKh7LhzS9ZCVMxm5BU6GkId7GI2jFE +djmedt6iF6Tyk0/49WjU/qAZ9H0IHgpyNCwUqPpzWgRiiIbZryRXycht/rH6zuL1 +8p5N6r7AgT6s6kCHfrNK/zxMOzylUuwng1EnLCmlg88PoCCQpaNFZkqwIR0LCh3p +Xp8zAp+0Sx2td1FtjbEw+OaNCmmJoMqoejuw0nSOFdQUUNAB5WGeZQLoPaastanW +ir6XcUChoy/1osuovAPNKpWWUxWDdW+62mV8s2ArkLzhgl0FmLZhu+VBKrQaNUKV +WmPnMRZF6f1C3M8l5DtT1VzfEr1A9ON6uZzKITLlJdBltVFkV7qJTsxbsoj0AJj7 +0VY4XEjauQINBFgR4mgBEACsFJ+BkT+yBxB0E2MNUAcW5stDgscDOJOAXS/ViYd8 +68FqC87VnG+bgTqG2atRqb493RoCHwZyL3L9JniadSk35d9JEQBWzCPff+kEy5Uc +bwzvSUJyCfjFdxU4YgH/bMt+RXi1mVjLcGTthRp4IfBxQcluI//rxP1kurrqq+lO +wj7n+h1wxrdhvXXDiAeBJqlQcBjeT0VLc74PYQJ3SbpeX1aFaxsVATGpgXf3SWp+ +8vRCmzM9CnyZW8BeaXBrkwiZQEOeiqnQ0MWaD/8Fs6WWfiyoObJcadmS7HgqCfw7 +SwjSUjSPAr+Vr02P83S59u8ql0RWtDI8CCXcSc1t4u52lvXBdO3nKa9+PeW64I+A +UfqgJOmfhWZsoImV1pCx+RzY6luFp7H7JVACAi3Z1s24fsRhN5wVZ/hjKn7xGPv0 +O+zFVGWXs/JKl6Bv7xMR0epL+D0d13ahPZYHyLqLfdeJwg2HT1BUAPy+QCy5rhzS +iEjeygqVzwNTcBPnu1PFhzXSdGMvHKTFXwO5xPwqanvKUd9zH6Xxan5wAJL7yRPq +7/MSEqUFiE+OfVTeZ3PDduLrkrQm0ZIgTl4EkUNn70YbzrPnEDh7EMETNnAqjNU3 +5iwELxRyxjUdSaIuF/5gSfc4DG/c8miUrYAaXyqMuJWuF7aNnVnSQJDZCjnf//Yy +KQARAQABiQQ+BBgBCAAJBQJYEeJoAhsCAikJENWh1PJm3o3fwV0gBBkBCAAGBQJY +EeJoAAoJEKJlgfIZyDFMyBwP/ih4/pKyfQOdgP03IXK0v9dhKOs+PcSAd4BC+ACV 
+kDz+N4Pui7/6FJ7+hSJE7Tf2vcWYYbtTrVCz335VCf5zWC/Tz8aXs9MOBlMeZNOS +2Fsi8P1KOv2BD7qi+m6fkHJ59hDXp2SzvmYRNRgn3N1QpuJl6bjssLmG7X+8NrNA +JZedzfXmvxDfnxaqKTwGotlJXVo5b/wB1ZXn7yr3zecuXKvcG1SJTGCSyK98jyip +S/0qAOqzd6FPbNEl/4ehKPX5STdZytTzN8lcbtfTMUA6qLqe/5Tvt50n8yDD3bEh +ripRSaC2BoVDADwxo7kDhTO6c1xCNMdG/9dHMelbzOPuxJhVMkNzL+dR5V6Q3Clt +I2rjANqWq/3G7kA4oaItoYOYnh9J8a7P/bkMFbrGEYmaYu9PCqLY5NzqaCKlNyJP +Fy8u0TdBhiyoBWWarTN6fZwTG6MotHPi9q0iWPfsb9kyoRJWIcvEJq+Vi0wE0+9/ +kXgibqh76U5JekysGV/dBgXaPF4XAPCpBaEe9sbD2PVeUDZPuVeo3c8iGPK1NxmJ +dt1ktfCcuV3MYCo1DGifuOCCvVaJms6IEFjLPAEQmTGhRSVzTWZ7J8HoDqulhlJh +HxLT7KI9z85238zplUarSEZ42gNT5SQd35prGVlJDVBwRm2NmJurcfU/EcPi++eD +0hJhWrYP/3lW/OOkR5NZCK8HhKYM2kBcAsOC/6x5vV1VISslZY2LB3jKq+XhXlPO +cEmQVMPliBx4yuFrPOKk1+87D9bEL5LJBQskgQwFe2Pg9QirIYflO+P+1LJK3U/g +3NnlkSrOTRV0M/AvhtU/8R3V2V423pm3sjQsaRdMMtWGfsFNJxvotBkwgEDwDu7h +sZqzL0zFucm+iMAhGnqi+EZEPXwbX1Utp7S8edBCztfytQMjnJ6jv4UCz///rc3i +8IDlMo2d19CW/psPS4v7lns5g9oqCGpRbGRllrBV1M/o7bs7+1NyvPTJm9UAmt5U +iApao4vt4YOG5w0vYd0t50pDS/j3TGjbakgxZpNUMpAgrhnelClKDsXbCVGCyhlJ +ZOw9Q9t4vIAhFFSpxEDl1NREOUInoK3R4yo4Ep4sq6cbfZvoyAYZf1zpQHQX9OBN +DKp1jwGLA3+0Jna2/1QUYFLjFiz9bdL+1nT9k/RStFBauRh529r+M1WlkwqNIL+L +bRGm0rXbWu9eiLhq2ldnfIADOtccUll10RznrjumqgYYw2CI0YUudzpzIghAKZyo +THYPADmBfvN2pZa/KU3c1OSKHOH2b91Xi97k3u0fECMHLgXctA3BkQ69fONSzx/c +abgtcydAU0wAD3mG3mr1XI96uOMeVNK0wgYyO5VhzZNziSFhls0D +=kwTD +-----END PGP PUBLIC KEY BLOCK----- diff --git a/user_salt/mullvad-vpn/files/mullvad.list b/user_salt/mullvad-vpn/files/mullvad.list new file mode 100644 index 0000000..2c63be1 --- /dev/null +++ b/user_salt/mullvad-vpn/files/mullvad.list @@ -0,0 +1 @@ +deb [signed-by=/usr/share/keyrings/mullvad-keyring.asc arch=amd64] https://repository.mullvad.net/deb/stable bookworm main diff --git a/user_salt/mullvad-vpn/files/qubes-firewall-user-script b/user_salt/mullvad-vpn/files/qubes-firewall-user-script new file mode 100644 index 0000000..2a42283 --- /dev/null 
+++ b/user_salt/mullvad-vpn/files/qubes-firewall-user-script
@@ -0,0 +1,4 @@
+nft add rule ip qubes custom-forward tcp flags syn / syn,rst tcp option maxseg size set rt mtu
+# Prevent the qube to forward traffic outside of the VPN
+nft add rule qubes custom-forward oifname eth0 counter drop
+nft add rule ip6 qubes custom-forward oifname eth0 counter drop
diff --git a/user_salt/mullvad-vpn/files/rc.local b/user_salt/mullvad-vpn/files/rc.local
new file mode 100644
index 0000000..e62a015
--- /dev/null
+++ b/user_salt/mullvad-vpn/files/rc.local
@@ -0,0 +1 @@
+/usr/local/bin/mullvad-dns.sh &
diff --git a/user_salt/mullvad-vpn/init.sls b/user_salt/mullvad-vpn/init.sls
new file mode 100644
index 0000000..66247be
--- /dev/null
+++ b/user_salt/mullvad-vpn/init.sls
@@ -0,0 +1,6 @@
+include:
+ - mullvad-vpn.mullvad-vpn--create-template
+ - mullvad-vpn.mullvad-vpn--configure-repos
+ - mullvad-vpn.mullvad-vpn--install-packages
+ - mullvad-vpn.mullvad-vpn--create-app-qubes
+ - mullvad-vpn.mullvad-vpn--dns-config
diff --git a/user_salt/mullvad-vpn/mullvad-vpn--configure-repos.sls b/user_salt/mullvad-vpn/mullvad-vpn--configure-repos.sls
new file mode 100644
index 0000000..82c2df3
--- /dev/null
+++ b/user_salt/mullvad-vpn/mullvad-vpn--configure-repos.sls
@@ -0,0 +1,11 @@
+{% if grains['id'] == 'template-vpn-mullvad' or grains['id'] == 'template-vpn-mullvad-for-tor' %}
+
+mullvad-vpn--configure-repos:
+ file.managed:
+ - names:
+ - /usr/share/keyrings/mullvad-keyring.asc:
+ - source: salt://mullvad-vpn/files/mullvad-keyring.asc
+ - /etc/apt/sources.list.d/mullvad.list:
+ - source: salt://mullvad-vpn/files/mullvad.list
+
+{% endif %}
diff --git a/user_salt/mullvad-vpn/mullvad-vpn--create-app-qubes.sls b/user_salt/mullvad-vpn/mullvad-vpn--create-app-qubes.sls
new file mode 100644
index 0000000..f629d36
--- /dev/null
+++ b/user_salt/mullvad-vpn/mullvad-vpn--create-app-qubes.sls
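Review bot: The second rule, `nft add rule qubes custom-forward oifname eth0 counter drop`, omits the address family that its neighbours spell out; nft falls back to `ip` when the family is missing, so it behaves as intended, but writing it as `nft add rule ip qubes custom-forward oifname eth0 counter drop` keeps the ip/ip6 pair symmetrical and spares a reader from wondering whether a third family was meant. A one-line comment above the two drop rules stating that they cover only traffic forwarded from downstream qubes, and not the VPN qube's own output, would document where this script's leak-protection boundary ends. The MSS clamp on the first line is fine as written.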
@@ -0,0 +1,85 @@
+{% if grains['id'] == 'dom0' %}
+
+sys-vpn-mullvad--create-app-qube:
+ qvm.vm:
+ - name: app-vpn-mullvad
+ - present:
+ - template: template-vpn-mullvad
+ - label: red
+ - template_for_dispvms: True
+ - prefs:
+ - label: red
+ - autostart: False
+ - provides-network: False
+ - template_for_dispvms: True
+ - audiovm:
+ - guivm: dom0
+ - netvm:
+ - features:
+ - set:
+ - menu-items: debian-xterm.desktop mullvad-vpn.desktop
+ - require:
+ - qvm: mullvad-vpn--create-template
+
+sys-vpn-mullvad--create-qube:
+ qvm.vm:
+ - name: sys-vpn-mullvad
+ - present:
+ - template: app-vpn-mullvad
+ - label: red
+ - class: DispVM
+ - prefs:
+ - label: red
+ - autostart: True
+ - provides-network: True
+ - audiovm:
+ - guivm: dom0
+ - netvm: sys-firewall
+ - features:
+ - set:
+ - menu-items: debian-xterm.desktop mullvad-vpn.desktop
+ - require:
+ - qvm: sys-vpn-mullvad--create-app-qube
+
+sys-vpn-mullvad--create-app-qube-for-tor:
+ qvm.vm:
+ - name: app-vpn-mullvad-for-tor
+ - present:
+ - template: template-vpn-mullvad-for-tor
+ - label: red
+ - template_for_dispvms: True
+ - prefs:
+ - label: red
+ - autostart: False
+ - provides-network: False
+ - template_for_dispvms: True
+ - audiovm:
+ - guivm: dom0
+ - netvm:
+ - features:
+ - set:
+ - menu-items: debian-xterm.desktop mullvad-vpn.desktop
+ - require:
+ - qvm: mullvad-vpn--create-template-for-tor
+
+sys-vpn-mullvad--create-qube-for-tor:
+ qvm.vm:
+ - name: sys-vpn-mullvad-for-tor
+ - present:
+ - template: app-vpn-mullvad-for-tor
+ - label: red
+ - class: DispVM
+ - prefs:
+ - label: red
+ - autostart: True
+ - provides-network: True
+ - audiovm:
+ - guivm: dom0
+ - netvm: sys-firewall
+ - features:
+ - set:
+ - menu-items: debian-xterm.desktop mullvad-vpn.desktop
+ - require:
+ - qvm: sys-vpn-mullvad--create-app-qube-for-tor
+
+{% endif %}
diff --git a/user_salt/mullvad-vpn/mullvad-vpn--create-template.sls b/user_salt/mullvad-vpn/mullvad-vpn--create-template.sls
new file mode 100644
index 0000000..e07516b
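Review bot: `template_for_dispvms: True` is given twice in `sys-vpn-mullvad--create-app-qube`, once under `present:` and once under `prefs:`, and the same duplication is repeated in `sys-vpn-mullvad--create-app-qube-for-tor`; every other module in this commit sets it once under `prefs:`, so dropping the `present:` copy keeps the states uniform. A short comment at the top of the file explaining that `app-vpn-mullvad` holds the persistent Mullvad client state while the `sys-vpn-mullvad` DispVM based on it is the qube that actually routes traffic (`provides-network: True`, `autostart: True`, `netvm: sys-firewall`) would make the four-state layout easier to audit, since the split is not obvious from the state ids alone.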
--- /dev/null
+++ b/user_salt/mullvad-vpn/mullvad-vpn--create-template.sls
@@ -0,0 +1,36 @@
+{% import "templates/versions.jinja" as version %}
+
+include:
+ - templates.templates--install-debian-minimal
+
+{% if grains['id'] == 'dom0' %}
+
+mullvad-vpn--create-template:
+ qvm.clone:
+ - name: template-vpn-mullvad
+ - source: debian-{{ version.debian }}-minimal
+ - class: TemplateVM
+
+mullvad-vpn--template-prefs:
+ qvm.prefs:
+ - name: template-vpn-mullvad
+ - label: red
+ - audiovm:
+ - guivm:
+ - netvm:
+
+mullvad-vpn--create-template-for-tor:
+ qvm.clone:
+ - name: template-vpn-mullvad-for-tor
+ - source: debian-{{ version.debian }}-minimal
+ - class: TemplateVM
+
+mullvad-vpn--template-prefs-for-tor:
+ qvm.prefs:
+ - name: template-vpn-mullvad-for-tor
+ - label: red
+ - audiovm:
+ - guivm:
+ - netvm:
+
+{% endif %}
diff --git a/user_salt/mullvad-vpn/mullvad-vpn--dns-config.sls b/user_salt/mullvad-vpn/mullvad-vpn--dns-config.sls
new file mode 100644
index 0000000..4ed0519
--- /dev/null
+++ b/user_salt/mullvad-vpn/mullvad-vpn--dns-config.sls
@@ -0,0 +1,18 @@
+{% if grains['id'] == 'app-vpn-mullvad' or grains['id'] == 'app-vpn-mullvad-for-tor' %}
+
+mullvad-vpn--dns-config:
+ file.managed:
+ - names:
+ - /usr/local/bin/mullvad-dns.sh:
+ - source: salt://mullvad-vpn/files/mullvad-dns.sh
+ - mode: 755
+
+mullvad-vpn--dns-config-appends:
+ file.append:
+ - names:
+ - /rw/config/rc.local:
+ - source: salt://mullvad-vpn/files/rc.local
+ - /rw/config/qubes-firewall-user-script:
+ - source: salt://mullvad-vpn/files/qubes-firewall-user-script
+
+{% endif %}
diff --git a/user_salt/mullvad-vpn/mullvad-vpn--install-packages.sls b/user_salt/mullvad-vpn/mullvad-vpn--install-packages.sls
new file mode 100644
index 0000000..32f6952
--- /dev/null
+++ b/user_salt/mullvad-vpn/mullvad-vpn--install-packages.sls
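Review bot: `mullvad-vpn--create-template` and `mullvad-vpn--create-template-for-tor` clone `debian-{{ version.debian }}-minimal` without requiring `templates--install-debian-{{ version.debian }}-minimal`, unlike every other `qvm.clone` in this commit, so on a dom0 where the minimal template is not yet installed the clone fails instead of being ordered after the install. Add `- require:` / `- qvm: templates--install-debian-{{ version.debian }}-minimal` to both clone states, and give `mullvad-vpn--template-prefs` and `mullvad-vpn--template-prefs-for-tor` a `- require: - qvm: <their clone state>` as the sibling modules do, so the prefs cannot be applied before the template exists.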
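Review bot: `mullvad-vpn--dns-config-appends` uses `file.append` for `/rw/config/rc.local` and `/rw/config/qubes-firewall-user-script`; `file.append` creates a missing target but does not set its mode, and as far as I recall Qubes runs both hooks only when they are executable, so on a qube where the files do not pre-exist with the right bits neither the DNAT script nor the eth0 drop rules would ever take effect — worth confirming against the agent. A `file.managed` with `replace: False` that only enforces the mode, ordered before the append, makes the assumption explicit regardless. The script itself is correctly installed with `mode: 755`; a comment on `rc.local` noting that the `&`-launched watcher is unsupervised (nothing restarts it if it exits) would round out the documentation.

```yaml
mullvad-vpn--dns-config-hooks-executable:
  file.managed:
    - names:
      - /rw/config/rc.local
      - /rw/config/qubes-firewall-user-script
    - replace: False
    - mode: 755
    - require_in:
      - file: mullvad-vpn--dns-config-appends

# … unchanged: mullvad-vpn--dns-config-appends …
```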
@@ -0,0 +1,15 @@
+{% if grains['id'] == 'template-vpn-mullvad' or grains['id'] == 'template-vpn-mullvad-for-tor' %}
+
+mullvad-vpn--install-packages:
+ pkg.installed:
+ - refresh: True
+ - pkgs:
+ - qubes-core-agent-networking
+ - mullvad-vpn
+ - libnss3
+ - inotify-tools
+ - libasound2
+ - require:
+ - file: mullvad-vpn--configure-repos
+
+{% endif %}
diff --git a/user_salt/notes/init.sls b/user_salt/notes/init.sls
new file mode 100644
index 0000000..aa8fc7f
--- /dev/null
+++ b/user_salt/notes/init.sls
@@ -0,0 +1,4 @@
+include:
+ - notes.notes--create-template
+ - notes.notes--install-packages
+ - notes.notes--create-app-qube
diff --git a/user_salt/notes/notes--create-app-qube.sls b/user_salt/notes/notes--create-app-qube.sls
new file mode 100644
index 0000000..fd16451
--- /dev/null
+++ b/user_salt/notes/notes--create-app-qube.sls
@@ -0,0 +1,23 @@
+{% if grains['id'] == 'dom0' %}
+
+notes--create-app-qube:
+ qvm.vm:
+ - name: q-notes
+ - present:
+ - template: template-notes
+ - label: black
+ - prefs:
+ - label: black
+ - audiovm:
+ - guivm: dom0
+ - netvm:
+ - features:
+ - set:
+ - menu-items: debian-xterm.desktop
+ - service:
+ - enable:
+ - shutdown-idle
+ - require:
+ - qvm: notes--create-template
+
+{% endif %}
diff --git a/user_salt/notes/notes--create-template.sls b/user_salt/notes/notes--create-template.sls
new file mode 100644
index 0000000..b21dbc9
--- /dev/null
+++ b/user_salt/notes/notes--create-template.sls
@@ -0,0 +1,26 @@
+{% import "templates/versions.jinja" as version %}
+
+include:
+ - templates.templates--install-debian-minimal
+
+{% if grains['id'] == 'dom0' %}
+
+notes--create-template:
+ qvm.clone:
+ - name: template-notes
+ - source: debian-{{ version.debian }}-minimal
+ - class: TemplateVM
+ - require:
+ - qvm: templates--install-debian-{{ version.debian }}-minimal
+
+notes--create-template-prefs:
+ qvm.prefs:
+ - name: template-notes
+ - label: black
+ - netvm:
+ - audiovm:
+ - guivm:
+ - require:
+ - qvm: notes--create-template
+
+{% endif %}
diff --git a/user_salt/notes/notes--install-packages.sls b/user_salt/notes/notes--install-packages.sls
new file mode 100644
index 0000000..72d5a8f
--- /dev/null
+++ b/user_salt/notes/notes--install-packages.sls
@@ -0,0 +1,8 @@
+{% if grains['id'] == 'template-notes' %}
+
+notes--install-packages:
+ pkg.installed:
+ - pkgs:
+ - qubes-app-shutdown-idle
+
+{% endif %}
diff --git a/user_salt/pwmanager/init.sls b/user_salt/pwmanager/init.sls
new file mode 100644
index 0000000..eb54f33
--- /dev/null
+++ b/user_salt/pwmanager/init.sls
@@ -0,0 +1,4 @@
+include:
+ - pwmanager.pwmanager--create-template
+ - pwmanager.pwmanager--create-app-qube
+ - pwmanager.pwmanager--install-packages
diff --git a/user_salt/pwmanager/pwmanager--create-app-qube.sls b/user_salt/pwmanager/pwmanager--create-app-qube.sls
new file mode 100644
index 0000000..29f686e
--- /dev/null
+++ b/user_salt/pwmanager/pwmanager--create-app-qube.sls
@@ -0,0 +1,21 @@
+{% if grains['id'] == 'dom0' %}
+
+pwmanager--create-app-qube:
+ qvm.vm:
+ - name: q-pwmanager
+ - present:
+ - template: template-pwmanager
+ - label: black
+ - prefs:
+ - label: black
+ - template_for_dispvms: True
+ - audiovm:
+ - guivm: dom0
+ - netvm:
+ - features:
+ - set:
+ - menu-items: org.keepassxc.KeePassXC.desktop debian-xterm.desktop
+ - require:
+ - qvm: pwmanager--create-template
+
+{% endif %}
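Review bot: `notes--install-packages` omits `- refresh: True`, which every other `pkg.installed` state in this commit sets; on a freshly cloned minimal template whose apt lists have never been fetched, `pkg.installed` can fail to resolve `qubes-app-shutdown-idle` until something else refreshes the cache. Add `- refresh: True` above `- pkgs:` for consistency with the siblings. `pwmanager--install-packages.sls` has the same omission, and its state id `template-pwmanager-install-apps` breaks the `<module>--<purpose>` naming used everywhere else; `pwmanager--install-packages` would match.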
diff --git a/user_salt/pwmanager/pwmanager--create-template.sls b/user_salt/pwmanager/pwmanager--create-template.sls
new file mode 100644
index 0000000..637147b
--- /dev/null
+++ b/user_salt/pwmanager/pwmanager--create-template.sls
@@ -0,0 +1,25 @@
+{% import "templates/versions.jinja" as version %}
+
+include:
+ - templates.templates--install-debian-minimal
+
+{% if grains['id'] == 'dom0' %}
+
+pwmanager--create-template:
+ qvm.clone:
+ - name: template-pwmanager
+ - source: debian-{{ version.debian }}-minimal
+ - class: TemplateVM
+ - require:
+ - qvm: templates--install-debian-{{ version.debian }}-minimal
+
+wmanager--create-template-prefs:
+ qvm.prefs:
+ - name: template-pwmanager
+ - audiovm:
+ - guivm:
+ - netvm:
+ - require:
+ - qvm: pwmanager--create-template
+
+{% endif %}
diff --git a/user_salt/pwmanager/pwmanager--install-packages.sls b/user_salt/pwmanager/pwmanager--install-packages.sls
new file mode 100644
index 0000000..89c3216
--- /dev/null
+++ b/user_salt/pwmanager/pwmanager--install-packages.sls
@@ -0,0 +1,9 @@
+{% if grains['id'] == 'template-pwmanager' %}
+
+template-pwmanager-install-apps:
+ pkg.installed:
+ - install_recommends: True
+ - pkgs:
+ - keepassxc
+
+{% endif %}
diff --git a/user_salt/split-btc/init.sls b/user_salt/split-btc/init.sls
new file mode 100644
index 0000000..a7cf7dd
--- /dev/null
+++ b/user_salt/split-btc/init.sls
@@ -0,0 +1,5 @@
+include:
+ - split-btc.split-btc--create-templates
+ - split-btc.split-btc--create-app-qubes
+ - split-btc.split-btc--create-qubes
+ - split-btc.split-btc--install-packages
diff --git a/user_salt/split-btc/split-btc--create-app-qubes.sls b/user_salt/split-btc/split-btc--create-app-qubes.sls
new file mode 100644
index 0000000..3d2e23a
--- /dev/null
+++ b/user_salt/split-btc/split-btc--create-app-qubes.sls
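Review bot: The second state id in `pwmanager--create-template.sls` is misspelled `wmanager--create-template-prefs:`; it still renders, but it breaks the `<module>--<purpose>` naming every other state follows and will not be found by anyone grepping for `pwmanager--`. Rename it to `pwmanager--create-template-prefs:`. The same prefs state is also the only template-prefs state in the commit without a `- label:` entry, so `template-pwmanager` keeps whatever label the clone inherited; add one (the app qube uses `black`) or leave a comment saying the inherited label is intended.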
@@ -0,0 +1,45 @@
+{% if grains['id'] == 'dom0' %}
+
+split-btc--create-app-offline-qube:
+ qvm.vm:
+ - name: app-btc-offline
+ - present:
+ - template: template-btc-offline
+ - label: black
+ - prefs:
+ - label: black
+ - audiovm:
+ - guivm: dom0
+ - netvm:
+ - template_for_dispvms: True
+ - features:
+ - set:
+ - menu-items: debian-xterm.desktop electrum.desktop
+ - service:
+ - enable:
+ - shutdown-idle
+ - require:
+ - qvm: offline-btc--create-template
+
+split-btc--create-app-qube:
+ qvm.vm:
+ - name: app-btc
+ - present:
+ - template: template-btc
+ - label: red
+ - prefs:
+ - label: red
+ - audiovm:
+ - guivm: dom0
+ - netvm:
+ - template_for_dispvms: True
+ - features:
+ - set:
+ - menu-items: debian-xterm.desktop electrum.desktop
+ - service:
+ - enable:
+ - shutdown-idle
+ - require:
+ - qvm: btc--create-template
+
+{% endif %}
diff --git a/user_salt/split-btc/split-btc--create-qubes.sls b/user_salt/split-btc/split-btc--create-qubes.sls
new file mode 100644
index 0000000..b22e517
--- /dev/null
+++ b/user_salt/split-btc/split-btc--create-qubes.sls
@@ -0,0 +1,39 @@
+{% if grains['id'] == 'dom0' %}
+
+split-btc--create-split-offline-qube:
+ qvm.vm:
+ - name: q-btc-offline
+ - present:
+ - template: app-btc-offline
+ - label: black
+ - class: DispVM
+ - prefs:
+ - label: black
+ - netvm:
+ - audiovm:
+ - guivm: dom0
+ - service:
+ - enable:
+ - shutdown-idle
+ - require:
+ - qvm: split-btc--create-app-offline-qube
+
+split-btc--create-btc-qube:
+ qvm.vm:
+ - name: q-btc
+ - present:
+ - template: app-btc
+ - label: red
+ - class: DispVM
+ - prefs:
+ - label: red
+ - audiovm:
+ - guivm: dom0
+ - netvm: sys-vpn-mullvad
+ - service:
+ - enable:
+ - shutdown-idle
+ - require:
+ - qvm: split-btc--create-app-qube
+
+{% endif %}
diff --git a/user_salt/split-btc/split-btc--create-templates.sls b/user_salt/split-btc/split-btc--create-templates.sls
new file mode 100644
index 0000000..ab22bc8
--- /dev/null
+++ b/user_salt/split-btc/split-btc--create-templates.sls
@@ -0,0 +1,44 @@ +{% import "templates/versions.jinja" as version %} + +include: + - templates.templates--install-debian-minimal + +{% if grains['id'] == 'dom0' %} + +offline-btc--create-template: + qvm.clone: + - name: template-btc-offline + - source: debian-{{ version.debian }}-minimal + - class: TemplateVM + - require: + - qvm: templates--install-debian-{{ version.debian }}-minimal + +offline-btc--template-prefs: + qvm.prefs: + - name: template-btc-offline + - label: black + - audiovm: + - guivm: + - netvm: + - require: + - qvm: offline-btc--create-template + +btc--create-template: + qvm.clone: + - name: template-btc + - source: debian-12-minimal + - class: TemplateVM + - require: + - qvm: templates--install-debian-{{ version.debian }}-minimal + +btc--template-prefs: + qvm.prefs: + - name: template-btc + - label: red + - audiovm: + - guivm: + - netvm: + - require: + - qvm: btc--create-template + +{% endif %} diff --git a/user_salt/split-btc/split-btc--install-packages.sls b/user_salt/split-btc/split-btc--install-packages.sls new file mode 100644 index 0000000..25cf826 --- /dev/null +++ b/user_salt/split-btc/split-btc--install-packages.sls @@ -0,0 +1,23 @@ +{% if grains['id'] == 'template-btc-offline' %} + +template-btc-offline--install-packages: + pkg.installed: + - refresh: True + - pkgs: + - qubes-app-shutdown-idle + - electrum + +{% endif %} + + +{% if grains['id'] == 'template-btc' %} + +template-btc--install-packages: + pkg.installed: + - refresh: True + - pkgs: + - qubes-core-agent-networking + - qubes-app-shutdown-idle + - electrum + +{% endif %} diff --git a/user_salt/split-gpg-legacy/files/gpg-split-domain b/user_salt/split-gpg-legacy/files/gpg-split-domain new file mode 100644 index 0000000..5760388 --- /dev/null +++ b/user_salt/split-gpg-legacy/files/gpg-split-domain @@ -0,0 +1 @@ +q-split-gpg diff --git a/user_salt/split-gpg-legacy/init.sls b/user_salt/split-gpg-legacy/init.sls new file mode 100644 index 0000000..78ef1a3 --- /dev/null 
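Review bot: `btc--create-template` clones from the hard-coded `source: debian-12-minimal` while its own `require` points at `templates--install-debian-{{ version.debian }}-minimal`; once `version.debian` is bumped the require and the clone source diverge and the clone either fails or silently builds on the old release. Use `- source: debian-{{ version.debian }}-minimal` as `offline-btc--create-template` in the same file already does. `sys-firewall--create-template` has the identical hard-coded source.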
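Review bot: `files/gpg-split-domain` names `q-split-gpg`, but the qube this module creates is `q-split-gpg-legacy`; `q-split-gpg` is the split-gpg2 vault from the `split-gpg` module, which serves `qubes.Gpg2` rather than the legacy `qubes.Gpg` service, so a legacy client pointed at it would be denied or mis-routed. No state in this patch deploys this file either, so it is dead until a `file.managed` in a client-side `split-gpg-legacy--configure*` state ships it to the path the split-gpg client wrapper reads. If `q-split-gpg` is intentional, a comment in the file explaining the cross-module dependency would help.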
+++ b/user_salt/split-gpg-legacy/init.sls @@ -0,0 +1,5 @@ +include: + - split-gpg-legacy.split-gpg-legacy--create-template + - split-gpg-legacy.split-gpg-legacy--create-app-qube + - split-gpg-legacy.split-gpg-legacy--create-qube + - split-gpg-legacy.split-gpg-legacy--install-packages diff --git a/user_salt/split-gpg-legacy/split-gpg-legacy--create-app-qube.sls b/user_salt/split-gpg-legacy/split-gpg-legacy--create-app-qube.sls new file mode 100644 index 0000000..535f7cb --- /dev/null +++ b/user_salt/split-gpg-legacy/split-gpg-legacy--create-app-qube.sls @@ -0,0 +1,21 @@ +{% if grains['id'] == 'dom0' %} + +split-gpg-legacy--create-app-qube: + qvm.vm: + - name: app-split-gpg-legacy + - present: + - template: template-split-gpg-legacy + - label: black + - prefs: + - label: black + - audiovm: + - guivm: dom0 + - netvm: + - template_for_dispvms: True + - service: + - enable: + - shutdown-idle + - require: + - qvm: split-gpg-legacy--create-template + +{% endif %} diff --git a/user_salt/split-gpg-legacy/split-gpg-legacy--create-qube.sls b/user_salt/split-gpg-legacy/split-gpg-legacy--create-qube.sls new file mode 100644 index 0000000..e02106d --- /dev/null +++ b/user_salt/split-gpg-legacy/split-gpg-legacy--create-qube.sls @@ -0,0 +1,21 @@ +{% if grains['id'] == 'dom0' %} + +split-gpg-legacy--create-split-gpg-qube: + qvm.vm: + - name: q-split-gpg-legacy + - present: + - template: app-split-gpg-legacy + - label: black + - class: DispVM + - prefs: + - label: black + - audiovm: + - guivm: dom0 + - netvm: + - service: + - enable: + - shutdown-idle + - require: + - qvm: split-gpg-legacy--create-app-qube + +{% endif %} diff --git a/user_salt/split-gpg-legacy/split-gpg-legacy--create-template.sls b/user_salt/split-gpg-legacy/split-gpg-legacy--create-template.sls new file mode 100644 index 0000000..c2d554e --- /dev/null +++ b/user_salt/split-gpg-legacy/split-gpg-legacy--create-template.sls 
@@ -0,0 +1,27 @@ +{% import "templates/versions.jinja" as version %} + +include: + - templates.templates--install-debian-minimal + +{% if grains['id'] == 'dom0' %} + +split-gpg-legacy--create-template: + qvm.clone: + - name: template-split-gpg-legacy + - source: debian-{{ version.debian }}-minimal + - class: TemplateVM + - require: + - qvm: templates--install-debian-{{ version.debian }}-minimal + +split-gpg-legacy--template-prefs: + qvm.prefs: + - name: template-split-gpg-legacy + - label: black + - audiovm: + - guivm: dom0 + - netvm: + - require: + - qvm: split-gpg-legacy--create-template + +{% endif %} + diff --git a/user_salt/split-gpg-legacy/split-gpg-legacy--install-packages.sls b/user_salt/split-gpg-legacy/split-gpg-legacy--install-packages.sls new file mode 100644 index 0000000..97977d9 --- /dev/null +++ b/user_salt/split-gpg-legacy/split-gpg-legacy--install-packages.sls @@ -0,0 +1,11 @@ +{% if grains['id'] == 'template-split-gpg-legacy' %} + +template-split-gpg-legacy--install-packages: + pkg.installed: + - refresh: True + - pkgs: + - qubes-gpg-split + - qubes-app-shutdown-idle + - gnupg + +{% endif %} diff --git a/user_salt/split-gpg/files/30-user-gpg2.policy b/user_salt/split-gpg/files/30-user-gpg2.policy new file mode 100644 index 0000000..53e4b5e --- /dev/null +++ b/user_salt/split-gpg/files/30-user-gpg2.policy @@ -0,0 +1 @@ +qubes.Gpg2 + q-ssh @default allow target=q-split-gpg diff --git a/user_salt/split-gpg/files/ownertrust-export b/user_salt/split-gpg/files/ownertrust-export new file mode 100644 index 0000000..0122fa7 --- /dev/null +++ b/user_salt/split-gpg/files/ownertrust-export @@ -0,0 +1,3 @@ +# List of assigned trustvalues, created Fri Mar 14 10:43:10 2025 CET +# (Use "gpg --import-ownertrust" to restore them) +C1E78CE601392ABCC49072A0B204131BB15B20FE:6: 
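Review bot: `qubes.Gpg2 + q-ssh @default allow target=q-split-gpg` grants `q-ssh` unprompted access to the signing vault, whereas the SSH policy added in the same patch uses `ask default_target=…`; for a key-holding vault the dom0 prompt is the only per-use control the user gets, so `qubes.Gpg2 + q-ssh @default ask default_target=q-split-gpg` is the consistent choice unless unattended signing is a hard requirement. The argument field `+` matches only calls with an empty argument, not any argument like `*`; confirm that the installed split-gpg2 client invokes the service without an argument, otherwise this rule never matches and the call falls through to the default policy.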
diff --git a/user_salt/split-gpg/files/public-keys-export b/user_salt/split-gpg/files/public-keys-export new file mode 100644 index 0000000000000000000000000000000000000000..f76ba6dc653eeb5e5506ce8f0a5486b2ebe40d74 GIT binary patch literal 411 zcmbPX%#wcj^HecTZ8k<0##`?EjEw9KA%UA%XIxfXtCPribMmzCt&S;rC!cPr>uZp! zX;S#8WwAvfG2J0CFQq6ou{b>^u{a~Kv^cd$FF8NAV;YOF7zcwLlQc6cHzx->6PqX( zCkHnZix?9#Ba<8>lX!!eBFn+&J7k6QAb;LA^X`#M-`?l= zo_X5jv-6(MSmXEY*J7>{JOakszX_kyV`k)F@2Fsr0QyJ)kF!5dWs>GWc5`V8Bg0Si zpq6sc$rmr3(B#hcIP}?Sb6fS4=sYLi6=w^4x<8(0WN0rBdYs;(lq?+;&a!6*V{hi9 TgUT$=*FXBe_t37bERYodJan55 literal 0 HcmV?d00001 diff --git a/user_salt/split-gpg/init.sls b/user_salt/split-gpg/init.sls new file mode 100644 index 0000000..eaf7972 --- /dev/null +++ b/user_salt/split-gpg/init.sls @@ -0,0 +1,6 @@ +include: + - split-gpg.split-gpg--create-template + - split-gpg.split-gpg--create-app-qube + - split-gpg.split-gpg--create-qube + - split-gpg.split-gpg--configure-policy + - split-gpg.split-gpg--install-packages diff --git a/user_salt/split-gpg/split-gpg--configure-gpg.sls b/user_salt/split-gpg/split-gpg--configure-gpg.sls new file mode 100644 index 0000000..6ac671c --- /dev/null +++ b/user_salt/split-gpg/split-gpg--configure-gpg.sls @@ -0,0 +1,24 @@ +{% if grains['id'] not in ['dom0', 'template-split-gpg', 'app-split-gpg'] %} + +split-gpg--configure-gpg-import-files: + file.managed: + - mode: 644 + - names: + - /tmp/public-keys-export: + - source: salt://split-gpg/files/public-keys-export + - /tmp/ownertrust-export: + - source: salt://split-gpg/files/ownertrust-export + +split-gpg--configure-public-keys-import: + cmd.run: + - name: "su - user -c 'gpg --import /tmp/public-keys-export'" + - require: + - file: split-gpg--configure-gpg-import-files + +split-gpg--configure-ownertrust-import: + cmd.run: + - name: "su - user -c 'gpg --import-ownertrust /tmp/ownertrust-export'" + - require: + - file: split-gpg--configure-gpg-import-files + +{% endif %} 
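Review bot: The guard `grains['id'] not in ['dom0', 'template-split-gpg', 'app-split-gpg']` is a blocklist, so if this state is ever targeted directly (for example from `user_pillar/top.sls`) it imports the key and records ownertrust level 6 (ultimate) for it on sys-net, sys-usb and every template as well; an allowlist of the intended client qubes, or a comment stating that the include from `split-ssh--configure.sls` is the only supported entry point, is safer. Both `cmd.run` states also re-run and report a change on every apply because they have no `unless`; `- unless: gpg --list-keys C1E78CE601392ABCC49072A0B204131BB15B20FE` together with `- runas: user` (instead of the `su - user -c` wrapper) makes the first one idempotent, and a similar `unless` on `gpg --export-ownertrust` covers the second. Ordering the ownertrust import after the key import (`- require: - cmd: split-gpg--configure-public-keys-import`) also avoids depending on how gpg handles a trust record for a key that is not in the keyring yet.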
diff --git a/user_salt/split-gpg/split-gpg--configure-policy.sls b/user_salt/split-gpg/split-gpg--configure-policy.sls new file mode 100644 index 0000000..f643200 --- /dev/null +++ b/user_salt/split-gpg/split-gpg--configure-policy.sls @@ -0,0 +1,8 @@ +{% if grains['id'] == 'dom0' %} + +split-gpg--configure-policy: + file.managed: + - name: /etc/qubes/policy.d/30-user-gpg2.policy + - source: salt://split-gpg/files/30-user-gpg2.policy + +{% endif %} diff --git a/user_salt/split-gpg/split-gpg--create-app-qube.sls b/user_salt/split-gpg/split-gpg--create-app-qube.sls new file mode 100644 index 0000000..3c9c738 --- /dev/null +++ b/user_salt/split-gpg/split-gpg--create-app-qube.sls @@ -0,0 +1,21 @@ +{% if grains['id'] == 'dom0' %} + +split-gpg--create-app-qube: + qvm.vm: + - name: app-split-gpg + - present: + - template: template-split-gpg + - label: black + - prefs: + - label: black + - audiovm: + - guivm: dom0 + - netvm: + - template_for_dispvms: True + - service: + - enable: + - shutdown-idle + - require: + - qvm: split-gpg--create-template + +{% endif %} diff --git a/user_salt/split-gpg/split-gpg--create-qube.sls b/user_salt/split-gpg/split-gpg--create-qube.sls new file mode 100644 index 0000000..9a04ba0 --- /dev/null +++ b/user_salt/split-gpg/split-gpg--create-qube.sls @@ -0,0 +1,21 @@ +{% if grains['id'] == 'dom0' %} + +split-gpg--create-split-gpg-qube: + qvm.vm: + - name: q-split-gpg + - present: + - template: app-split-gpg + - label: black + - class: DispVM + - prefs: + - label: black + - audiovm: + - guivm: dom0 + - netvm: + - service: + - enable: + - shutdown-idle + - require: + - qvm: split-gpg--create-app-qube + +{% endif %} diff --git a/user_salt/split-gpg/split-gpg--create-template.sls b/user_salt/split-gpg/split-gpg--create-template.sls new file mode 100644 index 0000000..689c5a7 --- /dev/null +++ b/user_salt/split-gpg/split-gpg--create-template.sls 
@@ -0,0 +1,27 @@ +{% import "templates/versions.jinja" as version %} + +include: + - templates.templates--install-debian-minimal + +{% if grains['id'] == 'dom0' %} + +split-gpg--create-template: + qvm.clone: + - name: template-split-gpg + - source: debian-{{ version.debian }}-minimal + - class: TemplateVM + - require: + - qvm: templates--install-debian-{{ version.debian }}-minimal + +split-gpg--template-prefs: + qvm.prefs: + - name: template-split-gpg + - label: black + - audiovm: + - guivm: dom0 + - netvm: + - require: + - qvm: split-gpg--create-template + +{% endif %} + diff --git a/user_salt/split-gpg/split-gpg--install-packages.sls b/user_salt/split-gpg/split-gpg--install-packages.sls new file mode 100644 index 0000000..f9ce7d7 --- /dev/null +++ b/user_salt/split-gpg/split-gpg--install-packages.sls @@ -0,0 +1,19 @@ +{% if grains['id'] == 'template-split-gpg' %} + +template-split-gpg--install-packages: + pkg.installed: + - refresh: True + - pkgs: + - qubes-app-shutdown-idle + - split-gpg2 + - gnupg + +{% elif grains['id'] == 'dom0' %} + +template-split-gpg--install-domzero-packages: + pkg.installed: + - refresh: True + - pkgs: + - split-gpg2-dom0 + +{% endif %} diff --git a/user_salt/split-ssh/files/50-ssh.policy b/user_salt/split-ssh/files/50-ssh.policy new file mode 100644 index 0000000..d93dbd9 --- /dev/null +++ b/user_salt/split-ssh/files/50-ssh.policy @@ -0,0 +1,2 @@ +qubes.SshAgent * q-ssh q-split-ssh ask default_target=q-split-ssh +qubes.SshAgent * q-dev q-split-ssh ask default_target=q-split-ssh diff --git a/user_salt/split-ssh/files/bashrc b/user_salt/split-ssh/files/bashrc new file mode 100644 index 0000000..65b3503 --- /dev/null +++ b/user_salt/split-ssh/files/bashrc @@ -0,0 +1,9 @@ +# SPLIT SSH CONFIGURATION >>> +# replace "vault" with your AppVM name which stores the ssh private key(s) +SSH_VAULT_VM="q-split-ssh" + +if [ "$SSH_VAULT_VM" != "" ]; then + export SSH_AUTH_SOCK="/home/user/.SSH_AGENT_$SSH_VAULT_VM" +fi +# <<< SPLIT SSH CONFIGURATION + 
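Review bot: The comment `# replace "vault" with your AppVM name which stores the ssh private key(s)` is carried over from the upstream snippet and no longer matches the line under it, which already hard-codes `q-split-ssh`; since `SSH_VAULT_VM` is duplicated in `files/rc.local`, either drop the comment or replace it in both files with `# must match the vault qube created in split-ssh--create-qubes.sls (q-split-ssh)`. The `if [ "$SSH_VAULT_VM" != "" ]` guard can stay as a cheap safety net against an edit that blanks the value.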
diff --git a/user_salt/split-ssh/files/qubes.SshAgent b/user_salt/split-ssh/files/qubes.SshAgent new file mode 100644 index 0000000..7c1c0de --- /dev/null +++ b/user_salt/split-ssh/files/qubes.SshAgent @@ -0,0 +1,8 @@ +#!/bin/sh +# Qubes App Split SSH Script + +# safeguard - Qubes notification bubble for each ssh request +notify-send "[$(qubesdb-read /name)] SSH agent access from: $QREXEC_REMOTE_DOMAIN" + +# SSH connection +socat - "UNIX-CONNECT:$SSH_AUTH_SOCK" diff --git a/user_salt/split-ssh/files/rc.local b/user_salt/split-ssh/files/rc.local new file mode 100644 index 0000000..775ef19 --- /dev/null +++ b/user_salt/split-ssh/files/rc.local @@ -0,0 +1,10 @@ +# SPLIT SSH CONFIGURATION >>> +# replace "vault" with your AppVM name which stores the ssh private key(s) +SSH_VAULT_VM="q-split-ssh" + +if [ "$SSH_VAULT_VM" != "" ]; then + export SSH_SOCK="/home/user/.SSH_AGENT_$SSH_VAULT_VM" + rm -f "$SSH_SOCK" + sudo -u user /bin/sh -c "umask 177 && exec socat 'UNIX-LISTEN:$SSH_SOCK,fork' 'EXEC:qrexec-client-vm $SSH_VAULT_VM qubes.SshAgent'" & +fi +# <<< SPLIT SSH CONFIGURATION diff --git a/user_salt/split-ssh/files/ssh-add.desktop b/user_salt/split-ssh/files/ssh-add.desktop new file mode 100644 index 0000000..7cc99c7 --- /dev/null +++ b/user_salt/split-ssh/files/ssh-add.desktop @@ -0,0 +1,4 @@ +[Desktop Entry] +Name=ssh-add +Exec=ssh-add -c +Type=Application diff --git a/user_salt/split-ssh/init.sls b/user_salt/split-ssh/init.sls new file mode 100644 index 0000000..715b44e --- /dev/null +++ b/user_salt/split-ssh/init.sls @@ -0,0 +1,6 @@ +include: + - split-ssh.split-ssh--create-templates + - split-ssh.split-ssh--install-packages + - split-ssh.split-ssh--create-app-qubes + - split-ssh.split-ssh--create-qubes + - split-ssh.split-ssh--configure diff --git a/user_salt/split-ssh/split-ssh--configure.sls b/user_salt/split-ssh/split-ssh--configure.sls new file mode 100644 index 0000000..5206e53 --- /dev/null +++ b/user_salt/split-ssh/split-ssh--configure.sls 
@@ -0,0 +1,47 @@ +{% if grains['id'] == 'dom0' %} + +split-ssh--configure-dom0: + file.managed: + - name: /etc/qubes/policy.d/50-ssh.policy + - source: salt://split-ssh/files/50-ssh.policy + +split-ssh--configure-firewall: + cmd.run: + - name: | + qvm-firewall q-ssh reset + qvm-firewall q-ssh del accept + qvm-firewall q-ssh add accept 138.199.226.242/32 proto=tcp + qvm-firewall q-ssh add accept 162.55.181.96/32 proto=tcp + qvm-firewall q-ssh add accept 116.202.96.31/32 proto=tcp + qvm-firewall q-ssh add drop + +{% elif grains['id'] == 'app-split-ssh' %} + +split-ssh--configure-app-split-ssh: + file.managed: + - name: /home/user/.config/autostart/ssh-add.desktop + - source: salt://split-ssh/files/ssh-add.desktop + - makedirs: True + +{% elif grains['id'] == 'template-split-ssh' %} + +split-ssh--configure-template-split-ssh: + file.managed: + - name: /etc/qubes-rpc/qubes.SshAgent + - source: salt://split-ssh/files/qubes.SshAgent + - mode: 755 + +{% elif grains['id'] == 'app-ssh' %} + +include: + - split-gpg.split-gpg--configure-gpg + +split-ssh--configure-app-ssh: + file.append: + - names: + - /rw/config/rc.local: + - source: salt://split-ssh/files/rc.local + - /home/user/.bashrc: + - source: salt://split-ssh/files/bashrc + +{% endif %} diff --git a/user_salt/split-ssh/split-ssh--create-app-qubes.sls b/user_salt/split-ssh/split-ssh--create-app-qubes.sls new file mode 100644 index 0000000..9488f06 --- /dev/null +++ b/user_salt/split-ssh/split-ssh--create-app-qubes.sls 
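Review bot: `split-ssh--configure-firewall` runs `qvm-firewall q-ssh reset` on every apply and only appends `drop` four commands later, so whenever the highstate runs while `q-ssh` is up the qube sits on the default accept-all ruleset for that window; a `cmd.run` without `unless` is also reported as changed on every run. Consider `- unless: qvm-firewall q-ssh list | grep -q 138.199.226.242` plus `- require: - qvm: q-ssh--create-sys-qube`, and narrow the three `accept … proto=tcp` rules with `dstports=<ssh port>`, since as written every TCP port on those hosts is reachable. In the `app-split-ssh` branch, `file.managed` with `makedirs: True` on `/home/user/.config/autostart/ssh-add.desktop` runs as root and leaves `.config` and `autostart` root-owned when they do not exist yet, which blocks later writes by `user`; add `- user: user`, `- group: user` and `- dir_mode: 755` to that state. The `app-ssh` branch appends to `/home/user/.bashrc` with `file.append`, which keeps the existing owner, so it is unaffected.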
@@ -0,0 +1,43 @@ +{% if grains['id'] == 'dom0' %} + +split-ssh--create-app-split-qube: + qvm.vm: + - name: app-split-ssh + - present: + - template: template-split-ssh + - label: black + - prefs: + - label: black + - audiovm: + - guivm: dom0 + - netvm: + - template_for_dispvms: True + - features: + - set: + - menu-items: debian-xterm.desktop + - service: + - enable: + - shutdown-idle + - require: + - qvm: split-ssh--create-template + + +split-ssh--create-app-qube: + qvm.vm: + - name: app-ssh + - present: + - template: template-ssh + - label: yellow + - prefs: + - label: yellow + - audiovm: + - guivm: dom0 + - netvm: + - template_for_dispvms: True + - features: + - set: + - menu-items: debian-xterm.desktop + - require: + - qvm: ssh--create-template + +{% endif %} diff --git a/user_salt/split-ssh/split-ssh--create-qubes.sls b/user_salt/split-ssh/split-ssh--create-qubes.sls new file mode 100644 index 0000000..6427057 --- /dev/null +++ b/user_salt/split-ssh/split-ssh--create-qubes.sls @@ -0,0 +1,37 @@ +{% if grains['id'] == 'dom0' %} + +q-split-ssh--create-sys-qube: + qvm.vm: + - name: q-split-ssh + - present: + - template: app-split-ssh + - label: black + - class: DispVM + - prefs: + - label: black + - audiovm: + - guivm: dom0 + - netvm: + - service: + - enable: + - shutdown-idle + - split-gpg2-client + - require: + - qvm: split-ssh--create-app-split-qube + +q-ssh--create-sys-qube: + qvm.vm: + - name: q-ssh + - present: + - template: app-ssh + - label: yellow + - class: DispVM + - prefs: + - label: yellow + - audiovm: + - guivm: dom0 + - netvm: sys-vpn-mullvad + - require: + - qvm: split-ssh--create-app-qube + +{% endif %} diff --git a/user_salt/split-ssh/split-ssh--create-templates.sls b/user_salt/split-ssh/split-ssh--create-templates.sls new file mode 100644 index 0000000..4ee3c03 --- /dev/null +++ b/user_salt/split-ssh/split-ssh--create-templates.sls 
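Review bot: `q-split-ssh--create-sys-qube` enables the `split-gpg2-client` service on `q-split-ssh`, but that qube is built from `template-split-ssh`, whose package list in `split-ssh--install-packages.sls` does not contain `split-gpg2`, while `split-gpg2` is installed into `template-ssh` and the `30-user-gpg2.policy` rule names `q-ssh` as the client; the service flag therefore appears to be on the wrong qube. If `q-ssh` is the intended GPG client, move the `- service: - enable: - split-gpg2-client` block into `q-ssh--create-sys-qube`; if `q-split-ssh` really should talk to the GPG vault, it needs the package in `template-split-ssh` and its own policy line. Either way a short comment on whichever state keeps the flag would stop the two modules drifting apart again.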
@@ -0,0 +1,44 @@ +{% import "templates/versions.jinja" as version %} + +include: + - templates.templates--install-debian-minimal + +{% if grains['id'] == 'dom0' %} + +split-ssh--create-template: + qvm.clone: + - name: template-split-ssh + - source: debian-{{ version.debian }}-minimal + - class: TemplateVM + - require: + - qvm: templates--install-debian-{{ version.debian }}-minimal + +split-ssh--template-split-ssh-prefs: + qvm.prefs: + - name: template-split-ssh + - label: black + - audiovm: + - guivm: + - netvm: + - require: + - qvm: split-ssh--create-template + +ssh--create-template: + qvm.clone: + - name: template-ssh + - source: debian-{{ version.debian }}-minimal + - class: TemplateVM + - require: + - qvm: templates--install-debian-{{ version.debian }}-minimal + +ssh--template-split-ssh-prefs: + qvm.prefs: + - name: template-ssh + - label: yellow + - audiovm: + - guivm: + - netvm: + - require: + - qvm: ssh--create-template + +{% endif %} diff --git a/user_salt/split-ssh/split-ssh--install-packages.sls b/user_salt/split-ssh/split-ssh--install-packages.sls new file mode 100644 index 0000000..7269234 --- /dev/null +++ b/user_salt/split-ssh/split-ssh--install-packages.sls @@ -0,0 +1,25 @@ +{% if grains['id'] == 'template-split-ssh' %} + +split-ssh--install-template-split-ssh: + pkg.installed: + - refresh: True + - pkgs: + - qubes-app-shutdown-idle + - ssh-askpass-gnome + - socat + - libnotify-bin + +{% elif grains['id'] == 'template-ssh' %} + +split-ssh--install-packages-template-ssh: + pkg.installed: + - refresh: True + - pkgs: + - qubes-core-agent-networking + - split-gpg2 + - openssh-client + - knockd + - salt-ssh + - git + +{% endif %} diff --git a/user_salt/sys-audio/files/50-sys-audio.policy b/user_salt/sys-audio/files/50-sys-audio.policy new file mode 100644 index 0000000..897f00e --- /dev/null +++ b/user_salt/sys-audio/files/50-sys-audio.policy 
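Review bot: `ssh--template-split-ssh-prefs` sets prefs on `template-ssh`, not `template-split-ssh`, so the ID is misleading next to `split-ssh--template-split-ssh-prefs` directly above it; `ssh--template-prefs` follows the `<module>--template-prefs` pattern the other modules in this patch use. This is naming only; the `name:` and `require:` values are correct.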
@@ -0,0 +1,27 @@ +admin.Events * sys-audio @adminvm allow target=dom0 + +# TODO: check if more / less are required +admin.Events +property-set_audiovm sys-audio @tag:audiovm-sys-audio allow target=dom0 +admin.Events +property-pre-set_audiovm sys-audio @tag:audiovm-sys-audio allow target=dom0 +admin.Events +property-pre-reset_audiovm sys-audio @tag:audiovm-sys-audio allow target=dom0 +admin.Events +property-reset_audiovm sys-audio @tag:audiovm-sys-audio allow target=dom0 +admin.Events +property-reset_xid sys-audio @tag:audiovm-sys-audio allow target=dom0 +admin.Events +domain-stopped sys-audio @tag:audiovm-sys-audio allow target=dom0 +admin.Events +domain-shutdown sys-audio @tag:audiovm-sys-audio allow target=dom0 +admin.Events +domain-start sys-audio @tag:audiovm-sys-audio allow target=dom0 +admin.Events +connection-established sys-audio @tag:audiovm-sys-audio allow target=dom0 + +admin.vm.CurrentState * sys-audio @tag:audiovm-sys-audio allow target=dom0 +admin.vm.List * sys-audio @tag:audiovm-sys-audio allow target=dom0 +admin.vm.CurrentState * sys-audio @adminvm allow target=dom0 +admin.vm.List * sys-audio @adminvm allow target=dom0 + +admin.vm.property.Get +audiovm sys-audio @tag:audiovm-sys-audio allow target=dom0 +admin.vm.property.Get +xid sys-audio @tag:audiovm-sys-audio allow target=dom0 +admin.vm.feature.CheckWithTemplate +audio sys-audio @tag:audiovm-sys-audio allow target=dom0 +admin.vm.feature.CheckWithTemplate +audio-model sys-audio @tag:audiovm-sys-audio allow target=dom0 +admin.vm.feature.CheckWithTemplate +supported-service.pipewire sys-audio @tag:audiovm-sys-audio allow target=dom0 +admin.vm.feature.CheckWithTemplate +audio-low-latency sys-audio @tag:audiovm-sys-audio allow target=dom0 +admin.vm.property.Get +stubdom_xid sys-audio @tag:audiovm-sys-audio allow target=dom0 + +admin.vm.property.GetAll * sys-audio @tag:audiovm-sys-audio deny notify=no 
diff --git a/user_salt/sys-audio/init.sls b/user_salt/sys-audio/init.sls new file mode 100644 index 0000000..0bc5a7e --- /dev/null +++ b/user_salt/sys-audio/init.sls @@ -0,0 +1,6 @@ +include: + - sys-audio.sys-audio--create-template + - sys-audio.sys-audio--create-app-qube + - sys-audio.sys-audio--create-sys-qube + - sys-audio.sys-audio--install-packages + - sys-audio.sys-audio--configure-policy diff --git a/user_salt/sys-audio/sys-audio--configure-policy.sls b/user_salt/sys-audio/sys-audio--configure-policy.sls new file mode 100644 index 0000000..8d987e9 --- /dev/null +++ b/user_salt/sys-audio/sys-audio--configure-policy.sls @@ -0,0 +1,8 @@ +{% if grains['id'] == 'dom0' %} + +sys-audio--configure-policy: + file.managed: + - name: /etc/qubes/policy.d/50-sys-audio.policy + - source: salt://sys-audio/files/50-sys-audio.policy + +{% endif %} diff --git a/user_salt/sys-audio/sys-audio--create-app-qube.sls b/user_salt/sys-audio/sys-audio--create-app-qube.sls new file mode 100644 index 0000000..c1103e0 --- /dev/null +++ b/user_salt/sys-audio/sys-audio--create-app-qube.sls @@ -0,0 +1,22 @@ +{% if grains['id'] == 'dom0' %} + +sys-audio--create-app-qube: + qvm.vm: + - name: app-audio + - present: + - template: template-audio + - label: purple + - prefs: + - label: purple + - audiovm: + - guivm: + - netvm: + - autostart: False + - template_for_dispvms: True + - features: + - set: + - menu-items: debian-xterm.desktop + - require: + - qvm: sys-audio--create-template + +{% endif %} diff --git a/user_salt/sys-audio/sys-audio--create-sys-qube.sls b/user_salt/sys-audio/sys-audio--create-sys-qube.sls new file mode 100644 index 0000000..bb06e4e --- /dev/null +++ b/user_salt/sys-audio/sys-audio--create-sys-qube.sls 
@@ -0,0 +1,25 @@ +{% if grains['id'] == 'dom0' %} + +sys-audio--create-sys-qube: + qvm.vm: + - name: sys-audio + - present: + - template: app-audio + - label: purple + - class: DispVM + - prefs: + - label: purple + - autostart: True + - provides-network: True + - virt_mode: hvm + - maxmem: 0 + - audiovm: + - guivm: dom0 + - netvm: + - service: + - enable: + - audiovm + - require: + - qvm: sys-audio--create-app-qube + +{% endif %} diff --git a/user_salt/sys-audio/sys-audio--create-template.sls b/user_salt/sys-audio/sys-audio--create-template.sls new file mode 100644 index 0000000..b7b6af1 --- /dev/null +++ b/user_salt/sys-audio/sys-audio--create-template.sls @@ -0,0 +1,26 @@ +{% import "templates/versions.jinja" as version %} + +include: + - templates.templates--install-debian-minimal + +{% if grains['id'] == 'dom0' %} + +sys-audio--create-template: + qvm.clone: + - name: template-audio + - source: debian-{{ version.debian }}-minimal + - class: TemplateVM + - require: + - qvm: templates--install-debian-{{ version.debian }}-minimal + +sys-audio--template-prefs: + qvm.prefs: + - name: template-audio + - label: purple + - audiovm: + - guivm: + - netvm: + - require: + - qvm: sys-audio--create-template + +{% endif %} diff --git a/user_salt/sys-audio/sys-audio--install-packages.sls b/user_salt/sys-audio/sys-audio--install-packages.sls new file mode 100644 index 0000000..66afd14 --- /dev/null +++ b/user_salt/sys-audio/sys-audio--install-packages.sls @@ -0,0 +1,15 @@ +{% if grains['id'] == 'template-audio' %} + +sys-audio---install-packages: + pkg.installed: + - refresh: True + - pkgs: + - qubes-audio-daemon + - qubes-core-admin-client + - qubes-usb-proxy + - pipewire-qubes + - pavucontrol + - alsa-utils + - pasystray + +{% endif %} diff --git a/user_salt/sys-firewall/init.sls b/user_salt/sys-firewall/init.sls new file mode 100644 index 0000000..83ba5af --- /dev/null +++ b/user_salt/sys-firewall/init.sls 
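Review bot: `sys-audio` is given `provides-network: True` although its `netvm:` is cleared and nothing in this module uses it as an upstream; the flag makes it selectable as a NetVM for other qubes and looks carried over from a sys-net/sys-firewall definition. Unless the audio qube is meant to route traffic, drop that line. `virt_mode: hvm` and `maxmem: 0` are presumably there for passthrough of the audio device and should stay, ideally with a `# hvm + fixed memory for PCI passthrough of the sound device` comment so they are not "cleaned up" later.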
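Review bot: The state ID `sys-audio---install-packages` has a triple dash, unlike every other `<module>--install-packages` ID in the patch; rename it to `sys-audio--install-packages`. IDs are free-form in Salt so nothing breaks today, but a requisite written against the conventional name would fail to resolve.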
@@ -0,0 +1,5 @@ +include: + - sys-firewall.sys-firewall--create-template + - sys-firewall.sys-firewall--install-packages + - sys-firewall.sys-firewall--create-app-qube + - sys-firewall.sys-firewall--configure-sys-qube diff --git a/user_salt/sys-firewall/sys-firewall--configure-sys-qube.sls b/user_salt/sys-firewall/sys-firewall--configure-sys-qube.sls new file mode 100644 index 0000000..1b1aef4 --- /dev/null +++ b/user_salt/sys-firewall/sys-firewall--configure-sys-qube.sls @@ -0,0 +1,19 @@ +{% if grains['id'] == 'dom0' %} + +sys-firewall--configure-sys-qube: + qvm.vm: + - name: sys-firewall + - present: + - template: app-firewall + - label: red + - class: DispVM + - prefs: + - label: red + - audiovm: + - guivm: + - netvm: sys-net + - autostart: True + - require: + - qvm: sys-firewall--create-app-qube + +{% endif %} diff --git a/user_salt/sys-firewall/sys-firewall--create-app-qube.sls b/user_salt/sys-firewall/sys-firewall--create-app-qube.sls new file mode 100644 index 0000000..3e0266d --- /dev/null +++ b/user_salt/sys-firewall/sys-firewall--create-app-qube.sls @@ -0,0 +1,19 @@ +{% if grains['id'] == 'dom0' %} + +sys-firewall--create-app-qube: + qvm.vm: + - name: app-firewall + - present: + - template: template-firewall + - label: red + - prefs: + - label: red + - audiovm: + - guivm: + - netvm: + - autostart: False + - template_for_dispvms: True + - require: + - qvm: sys-firewall--create-template + +{% endif %} diff --git a/user_salt/sys-firewall/sys-firewall--create-template.sls b/user_salt/sys-firewall/sys-firewall--create-template.sls new file mode 100644 index 0000000..2cff704 --- /dev/null +++ b/user_salt/sys-firewall/sys-firewall--create-template.sls 
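Review bot: The prefs for `sys-firewall` do not set `provides-network: True`, so on a fresh install where this state actually creates the qube (class `DispVM` from `app-firewall`) other qubes cannot select it as their NetVM; `sys-audio--create-sys-qube.sls` shows the key. On an existing install the `present` block of `qvm.vm` is, as far as I can tell, a no-op for a qube that already exists, so `template: app-firewall` and `class: DispVM` would not be applied to the stock `sys-firewall`; if re-basing the default firewall onto `app-firewall` is the goal, that should be stated in a comment and done via prefs or an explicit recreate step. The same question applies to `sys-net--configure-sys-qube.sls` and `sys-usb--configure-sys-qube.sls`.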
@@ -0,0 +1,26 @@ +{% import "templates/versions.jinja" as version %} + +include: + - templates.templates--install-debian-minimal + +{% if grains['id'] == 'dom0' %} + +sys-firewall--create-template: + qvm.clone: + - name: template-firewall + - source: debian-12-minimal + - class: TemplateVM + - require: + - qvm: templates--install-debian-{{ version.debian }}-minimal + +sys-firewall--template-prefs: + qvm.prefs: + - name: template-firewall + - label: red + - audiovm: + - guivm: + - netvm: + - require: + - qvm: sys-firewall--create-template + +{% endif %} diff --git a/user_salt/sys-firewall/sys-firewall--install-packages.sls b/user_salt/sys-firewall/sys-firewall--install-packages.sls new file mode 100644 index 0000000..7bd0cc4 --- /dev/null +++ b/user_salt/sys-firewall/sys-firewall--install-packages.sls @@ -0,0 +1,10 @@ +{% if grains['id'] == 'template-firewall' %} + +sys-firewall--install-packages: + pkg.installed: + - refresh: True + - pkgs: + - qubes-core-agent-networking + - qubes-core-agent-dom0-updates + +{% endif %} diff --git a/user_salt/sys-net/init.sls b/user_salt/sys-net/init.sls new file mode 100644 index 0000000..7051c19 --- /dev/null +++ b/user_salt/sys-net/init.sls @@ -0,0 +1,5 @@ +include: + - sys-net.sys-net--create-template + - sys-net.sys-net--install-packages + - sys-net.sys-net--create-app-qube + - sys-net.sys-net--configure-sys-qube diff --git a/user_salt/sys-net/sys-net--configure-sys-qube.sls b/user_salt/sys-net/sys-net--configure-sys-qube.sls new file mode 100644 index 0000000..4dd0bb0 --- /dev/null +++ b/user_salt/sys-net/sys-net--configure-sys-qube.sls @@ -0,0 +1,17 @@ +{% if grains['id']== 'dom0' %} + +sys-net--configure-sys-qube: + qvm.vm: + - name: sys-net + - present: + - template: app-net + - label: red + - class: DispVM + - prefs: + - audiovm: + - guivm: + - netvm: + - require: + - sys-net--create-app-qube + +{% endif %} 
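Review bot: The requisite in `sys-net--configure-sys-qube` is a bare string, `- require: - sys-net--create-app-qube`, without the state module; Salt expects `- qvm: sys-net--create-app-qube` (as every other state in this patch writes it) and rejects the bare form at compile time with a "not formed as a single key dictionary" error, which takes the whole dom0 highstate down. The same bare form appears in `sys-net--create-app-qube.sls` (`- sys-net--create-template`) and `sys-usb--configure-sys-qube.sls` (`- sys-usb--create-app-qube`). Minor: `grains['id']== 'dom0'` in this file and in the sys-usb one lacks the space before `==` used everywhere else.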
diff --git a/user_salt/sys-net/sys-net--create-app-qube.sls b/user_salt/sys-net/sys-net--create-app-qube.sls new file mode 100644 index 0000000..0ca6e25 --- /dev/null +++ b/user_salt/sys-net/sys-net--create-app-qube.sls @@ -0,0 +1,19 @@ +{% if grains['id'] == 'dom0' %} + +sys-net--create-app-qube: + qvm.vm: + - name: app-net + - present: + - template: template-net + - label: red + - prefs: + - label: red + - guivm: + - audiovm: + - netvm: + - autostart: False + - template_for_dispvms: True + - require: + - sys-net--create-template + +{% endif %} diff --git a/user_salt/sys-net/sys-net--create-template.sls b/user_salt/sys-net/sys-net--create-template.sls new file mode 100644 index 0000000..cb7e9c4 --- /dev/null +++ b/user_salt/sys-net/sys-net--create-template.sls @@ -0,0 +1,26 @@ +{% import "templates/versions.jinja" as version %} + +include: + - templates.templates--install-fedora-minimal + +{% if grains['id'] == 'dom0' %} + +sys-net--create-template: + qvm.clone: + - name: template-net + - source: fedora-{{ version.fedora }}-minimal + - class: TemplateVM + - require: + - qvm: templates--install-fedora-{{ version.fedora }}-minimal + +sys-net--template-prefs: + qvm.prefs: + - name: template-net + - label: red + - audiovm: + - guivm: + - netvm: + - require: + - qvm: sys-net--create-template + +{% endif %} diff --git a/user_salt/sys-net/sys-net--install-packages.sls b/user_salt/sys-net/sys-net--install-packages.sls new file mode 100644 index 0000000..fdc5975 --- /dev/null +++ b/user_salt/sys-net/sys-net--install-packages.sls @@ -0,0 +1,13 @@ +{% if grains['id'] == 'template-net' %} + +sys-net--install-packages: + pkg.installed: + - refresh: True + - pkgs: + - qubes-core-agent-networking + - qubes-core-agent-network-manager + - NetworkManager-wifi + - network-manager-applet + - polkit + +{% endif %} diff --git a/user_salt/sys-usb/init.sls b/user_salt/sys-usb/init.sls new file mode 100644 index 0000000..5df788d --- /dev/null +++ b/user_salt/sys-usb/init.sls 
@@ -0,0 +1,5 @@ +include: + - sys-usb.sys-usb--create-template + - sys-usb.sys-usb--install-packages + - sys-usb.sys-usb--create-app-qube + - sys-usb.sys-usb--configure-sys-qube diff --git a/user_salt/sys-usb/sys-usb--configure-sys-qube.sls b/user_salt/sys-usb/sys-usb--configure-sys-qube.sls new file mode 100644 index 0000000..d7c3387 --- /dev/null +++ b/user_salt/sys-usb/sys-usb--configure-sys-qube.sls @@ -0,0 +1,17 @@ +{% if grains['id']== 'dom0' %} + +sys-usb--configure-sys-qube: + qvm.vm: + - name: sys-usb + - present: + - template: app-usb + - label: red + - class: DispVM + - prefs: + - audiovm: + - guivm: + - netvm: + - require: + - sys-usb--create-app-qube + +{% endif %} diff --git a/user_salt/sys-usb/sys-usb--create-app-qube.sls b/user_salt/sys-usb/sys-usb--create-app-qube.sls new file mode 100644 index 0000000..ba75866 --- /dev/null +++ b/user_salt/sys-usb/sys-usb--create-app-qube.sls @@ -0,0 +1,19 @@ +{% if grains['id'] == 'dom0' %} + +sys-usb--create-app-qube: + qvm.vm: + - name: app-usb + - present: + - template: template-usb + - label: red + - prefs: + - label: red + - audiovm: + - guivm: + - netvm: + - autostart: False + - template_for_dispvms: True + - require: + - qvm: sys-usb--create-template + +{% endif %} diff --git a/user_salt/sys-usb/sys-usb--create-template.sls b/user_salt/sys-usb/sys-usb--create-template.sls new file mode 100644 index 0000000..a786114 --- /dev/null +++ b/user_salt/sys-usb/sys-usb--create-template.sls 
@@ -0,0 +1,26 @@
+{% import "templates/versions.jinja" as version %}
+
+include:
+ - templates.templates--install-debian-minimal
+
+{% if grains['id'] == 'dom0' %}
+
+sys-usb--create-template:
+ qvm.clone:
+ - name: template-usb
+ - source: debian-{{ version.debian }}-minimal
+ - class: TemplateVM
+ - require:
+ - qvm: templates--install-debian-{{ version.debian }}-minimal
+
+sys-usb--template-prefs:
+ qvm.prefs:
+ - name: template-usb
+ - label: red
+ - audiovm:
+ - guivm:
+ - netvm:
+ - require:
+ - qvm: sys-usb--create-template
+
+{% endif %}
diff --git a/user_salt/sys-usb/sys-usb--install-packages.sls b/user_salt/sys-usb/sys-usb--install-packages.sls
new file mode 100644
index 0000000..45ce427
--- /dev/null
+++ b/user_salt/sys-usb/sys-usb--install-packages.sls
@@ -0,0 +1,10 @@
+{% if grains['id'] == 'template-usb' %}
+
+sys-usb--install-packages:
+ pkg.installed:
+ - refresh: True
+ - pkgs:
+ - qubes-usb-proxy
+ - qubes-input-proxy-sender
+
+{% endif %}
diff --git a/user_salt/sys-whonix/init.sls b/user_salt/sys-whonix/init.sls
new file mode 100644
index 0000000..15db00c
--- /dev/null
+++ b/user_salt/sys-whonix/init.sls
@@ -0,0 +1,2 @@
+include:
+ - sys-whonix.sys-whonix--prefs
diff --git a/user_salt/sys-whonix/sys-whonix--prefs.sls b/user_salt/sys-whonix/sys-whonix--prefs.sls
new file mode 100644
index 0000000..9298484
--- /dev/null
+++ b/user_salt/sys-whonix/sys-whonix--prefs.sls
@@ -0,0 +1,17 @@
+{% import "templates/versions.jinja" as version %}
+
+include:
+ - templates.templates--install-whonix-gw
+
+{% if grains['id'] == 'dom0' %}
+
+sys-whonix--prefs:
+ qvm.prefs:
+ - name: sys-whonix
+ - netvm: sys-vpn-mullvad-for-tor
+ - audiovm:
+ - guivm:
+ - require:
+ - qvm: templates--install-whonix-gw-{{ version.whonix }}
+
+{% endif %}
diff --git a/user_salt/templates/templates--install-debian-minimal.sls b/user_salt/templates/templates--install-debian-minimal.sls
new file mode 100644
index 0000000..e21d92f
--- /dev/null
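Review bot: Installing `qubes-input-proxy-sender` in template-usb gives the USB qube the ability to forward keyboard and mouse events towards dom0, but whether dom0 accepts them is decided by the dom0-side input-proxy policy, which is not part of this series as far as the page shows. A comment on that package line would save the next reader a lookup, e.g. `# sender side only; dom0 policy for qubes.InputKeyboard / qubes.InputMouse decides what is accepted`. The sys-usb--install-packages state body is otherwise self-contained.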
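Review bot: `netvm: sys-vpn-mullvad-for-tor` in sys-whonix--prefs points sys-whonix at a qube that no state in this hunk creates, and the only requisite is on the whonix-gw template install, so the prefs state fails when the VPN qube does not exist yet. Top-file ordering (mullvad-vpn is listed before sys-whonix) may happen to cover it, but an explicit entry such as `- qvm: <id of the state that creates sys-vpn-mullvad-for-tor>` in the `require` list makes the dependency enforceable rather than incidental. A one-line comment stating that the Tor gateway is deliberately chained behind the VPN would also document the intent of this routing choice.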
+++ b/user_salt/templates/templates--install-debian-minimal.sls
@@ -0,0 +1,17 @@
+{% import "templates/versions.jinja" as version %}
+
+{% if grains['id'] == 'dom0' %}
+
+templates--install-debian-{{ version.debian }}-minimal:
+ qvm.template_installed:
+ - name: debian-{{ version.debian }}-minimal
+ - fromrepo: qubes-templates-itl
+
+templates--debian-{{ version.debian }}-minimal-prefs:
+ qvm.prefs:
+ - name: debian-{{ version.debian }}-minimal
+ - audiovm:
+ - guivm:
+ - netvm:
+
+{% endif %}
diff --git a/user_salt/templates/templates--install-fedora-minimal.sls b/user_salt/templates/templates--install-fedora-minimal.sls
new file mode 100644
index 0000000..0e30b88
--- /dev/null
+++ b/user_salt/templates/templates--install-fedora-minimal.sls
@@ -0,0 +1,17 @@
+{% import "templates/versions.jinja" as version %}
+
+{% if grains['id'] == 'dom0' %}
+
+templates--install-fedora-{{ version.fedora }}-minimal:
+ qvm.template_installed:
+ - name: fedora-{{ version.fedora }}-minimal
+ - fromrepo: qubes-templates-itl
+
+templates--fedora-{{ version.fedora }}-minimal-prefs:
+ qvm.prefs:
+ - name: fedora-{{ version.fedora }}-minimal
+ - audiovm:
+ - guivm:
+ - netvm:
+
+{% endif %}
diff --git a/user_salt/templates/templates--install-whonix-gw.sls b/user_salt/templates/templates--install-whonix-gw.sls
new file mode 100644
index 0000000..13ca859
--- /dev/null
+++ b/user_salt/templates/templates--install-whonix-gw.sls
@@ -0,0 +1,17 @@
+{% import "templates/versions.jinja" as version %}
+
+{% if grains['id'] == 'dom0' %}
+
+templates--install-whonix-gw-{{ version.whonix }}:
+ qvm.template_installed:
+ - name: whonix-gateway-{{ version.whonix }}
+ - fromrepo: qubes-templates-itl
+
+templates--whonix-gw-{{ version.whonix }}-prefs:
+ qvm.prefs:
+ - name: whonix-gateway-{{ version.whonix }}
+ - audiovm:
+ - guivm:
+ - netvm:
+
+{% endif %}
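Review bot: templates--debian-…-minimal-prefs has no `require` on templates--install-debian-…-minimal, unlike every `qvm.prefs` state under sys-net/ and sys-usb/ on this page, so clearing the freshly installed template's netvm relies on in-file ordering alone. Adding `- require:` followed by `- qvm: templates--install-debian-{{ version.debian }}-minimal` makes the dependency explicit and consistent with the rest of the series. The same omission is in the fedora-minimal, whonix-gw and whonix-ws files.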
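Review bot: `fromrepo: qubes-templates-itl` for `whonix-gateway-{{ version.whonix }}` looks wrong: as far as I know the Whonix templates are published in the `qubes-templates-community` repository rather than the ITL one, so `qvm.template_installed` would not find the template unless the repo file in this series remaps the names. The same value is used in templates--install-whonix-ws. If the community repo is the intended source, `- fromrepo: qubes-templates-community` is the one-line change; either way a comment naming the repository that actually carries Whonix would help.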
diff --git a/user_salt/templates/templates--install-whonix-ws.sls b/user_salt/templates/templates--install-whonix-ws.sls
new file mode 100644
index 0000000..37596a2
--- /dev/null
+++ b/user_salt/templates/templates--install-whonix-ws.sls
@@ -0,0 +1,17 @@
+{% import "templates/versions.jinja" as version %}
+
+{% if grains['id'] == 'dom0' %}
+
+templates--install-whonix-ws-{{ version.whonix }}:
+ qvm.template_installed:
+ - name: whonix-workstation-{{ version.whonix }}
+ - fromrepo: qubes-templates-itl
+
+templates--whonix-ws-{{ version.whonix }}-prefs:
+ qvm.prefs:
+ - name: whonix-workstation-{{ version.whonix }}
+ - audiovm:
+ - guivm:
+ - netvm:
+
+{% endif %}
diff --git a/user_salt/templates/versions.jinja b/user_salt/templates/versions.jinja
new file mode 100644
index 0000000..8441c24
--- /dev/null
+++ b/user_salt/templates/versions.jinja
@@ -0,0 +1,3 @@
+{% set debian = salt['pillar.get']('template:debian:version') %}
+{% set fedora = salt['pillar.get']('template:fedora:version') %}
+{% set whonix = salt['pillar.get']('template:whonix:version') %}
diff --git a/user_salt/top.sls b/user_salt/top.sls
new file mode 100644
index 0000000..8bbe26c
--- /dev/null
+++ b/user_salt/top.sls
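Review bot: The three `pillar.get` calls in versions.jinja have no default and no check, so a missing `template:debian:version` pillar renders as an empty string and every consumer then produces names such as `debian--minimal` and state IDs that silently differ from what was intended. Failing early is cheaper than debugging a half-applied highstate: after each `set`, add a guard like `{% if not debian %}{{ raise('pillar template:debian:version is not set') }}{% endif %}` (Salt's Jinja renderer exposes `raise`), and repeat for `fedora` and `whonix`. A comment stating that the pillar is the single source of truth for template versions would also help.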
@@ -0,0 +1,133 @@
+{% import "templates/versions.jinja" as version %}
+
+# vim: set syntax=yaml ts=2 sw=2 sts=2 et :
+#
+# 1) Intial Setup: sync any modules, etc
+# --> qubesctl saltutil.sync_all
+#
+# 2) Initial Key Import:
+# --> qubesctl state.sls salt.gnupg
+#
+# 3) Highstate will execute all states
+# --> qubesctl state.highstate
+#
+# 4) Highstate test mode only. Note note all states seem to conform to test
+# mode and may apply state anyway. Needs more testing to confirm or not!
+# --> qubesctl state.highstate test=True
+
+# === User Defined Salt States ================================================
+#user:
+# '*':
+# - locale
+
+#user:
+ # '*':
+ # - top.sls
+
+user:
+ '*':
+ - common.journald
+ - common.darkmode
+ - common.bash
+ - common.onionize-repositories
+
+ dom0:
+ - common.disk-trimming
+ - common.logrotate
+ - common.remove-unwanted.remove-unwanted--domzero-packages
+
+ debian-{{ version.debian }}-minimal:
+ - common.remove-unwanted.remove-unwanted--debian-packages
+
+ fedora-{{ version.fedora }}-minimal:
+ - common.onionize-repositories
+
+ whonix-gateway-{{ version.whonix }}:
+ - common.kernel.kernel--disable-sound
+
+ whonix-workstation-{{ version.whonix }}:
+ - common.kernel.kernel--disable-sound
+
+ dom0 or template-firewall:
+ - sys-firewall
+ - common.kernel.kernel--disable-sound
+
+ dom0 or template-audio:
+ - sys-audio
+ - common.remove-unwanted.remove-unwanted--debian-systemd-services
+
+ dom0 or whonix-workstation-{{ version.whonix }}-dvm:
+ - whonix-workstation-dvm
+
+ dom0 or template-usb:
+ - sys-usb
+ - common.kernel.kernel--disable-sound
+ - common.remove-unwanted.remove-unwanted--debian-systemd-services
+
+ dom0 or template-net:
+ - sys-net
+ - common.kernel.kernel--disable-sound
+
+ dom0 or template-default-mgmt-dvm:
+ - default-mgmt-dvm
+ - common.kernel.kernel--disable-sound
+ - common.remove-unwanted.remove-unwanted--debian-systemd-services
+
+ dom0 or template-vpn-mullvad or app-vpn-mullvad or template-vpn-mullvad-for-tor
or app-vpn-mullvad-for-tor:
+ - mullvad-vpn
+ - common.kernel.kernel--disable-sound
+
+ dom0 or template-default-dvm:
+ - default-dvm
+ - common.kernel.kernel--disable-sound
+ - common.remove-unwanted.remove-unwanted--debian-systemd-services
+
+ dom0 or template-pwmanager:
+ - pwmanager
+ - common.kernel.kernel--disable-sound
+ - common.remove-unwanted.remove-unwanted--debian-systemd-services
+
+ dom0 or template-archive:
+ - archive
+ - common.kernel.kernel--disable-sound
+ - common.remove-unwanted.remove-unwanted--debian-systemd-services
+
+ dom0 or template-notes:
+ - notes
+ - common.kernel.kernel--disable-sound
+ - common.remove-unwanted.remove-unwanted--debian-systemd-services
+
+ dom0 or template-mullvad-browser:
+ - mullvad-browser
+
+ dom0 or template-dev:
+ - dev
+ - common.kernel.kernel--disable-sound
+
+ dom0 or template-ssh or template-split-ssh or app-ssh or app-split-ssh:
+ - split-ssh
+ - common.kernel.kernel--disable-sound
+
+ dom0 or template-split-ssh:
+ - common.remove-unwanted.remove-unwanted--debian-systemd-services
+
+ dom0 or template-btc or template-btc-offline:
+ - split-btc
+ - common.kernel.kernel--disable-sound
+
+ dom0 or template-btc-offline:
+ - common.remove-unwanted.remove-unwanted--debian-systemd-services
+
+ dom0 or template-split-gpg:
+ - split-gpg
+ - common.kernel.kernel--disable-sound
+ - common.remove-unwanted.remove-unwanted--debian-systemd-services
+
+ dom0 or template-split-gpg-legacy:
+ - split-gpg-legacy
+ - common.kernel.kernel--disable-sound
+ - common.remove-unwanted.remove-unwanted--debian-systemd-services
+
+ dom0 or sys-whonix:
+ - sys-whonix
+ - common.kernel.kernel--disable-sound
diff --git a/user_salt/whonix-workstation-dvm/init.sls b/user_salt/whonix-workstation-dvm/init.sls
new file mode 100644
index 0000000..a23ca9e
--- /dev/null
+++ b/user_salt/whonix-workstation-dvm/init.sls
@@ -0,0 +1,2 @@
+include:
+ - whonix-workstation-dvm.whonix-workstation-dvm--app-qube-prefs
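Review bot: Every `dom0 or template-…` key in the `user` environment of top.sls is written as a compound expression, but no `- match: compound` entry precedes its state list, and a top file's default matcher is glob; as far as I can tell a glob key such as `dom0 or template-firewall` only matches a minion whose id is literally that string, so none of these sections would apply to dom0 or to the templates. Each such key needs `- match: compound` as the first item of its list (or should be split into separate `dom0:` and `template-firewall:` keys). Separately, `common.onionize-repositories` is listed under both `'*'` and `fedora-{{ version.fedora }}-minimal`, and the header comment still refers to `salt.gnupg`, which is not part of this series as far as the page shows.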
diff --git a/user_salt/whonix-workstation-dvm/whonix-workstation-dvm--app-qube-prefs.sls b/user_salt/whonix-workstation-dvm/whonix-workstation-dvm--app-qube-prefs.sls
new file mode 100644
index 0000000..d5c918e
--- /dev/null
+++ b/user_salt/whonix-workstation-dvm/whonix-workstation-dvm--app-qube-prefs.sls
@@ -0,0 +1,17 @@
+{% import "templates/versions.jinja" as version %}
+
+include:
+ - templates.templates--install-whonix-ws
+
+{% if grains['id'] == 'dom0' %}
+
+whonix-workstation-dvm--app-qube-prefs:
+ qvm.prefs:
+ - name: whonix-workstation-{{ version.whonix }}-dvm
+ - audiovm: sys-audio
+ - guivm: dom0
+ - netvm: sys-whonix
+ - require:
+ - qvm: templates--install-whonix-ws-{{ version.whonix }}
+
+{% endif %}
-- 2.39.5
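Review bot: `qvm.prefs` on `whonix-workstation-{{ version.whonix }}-dvm` assumes that disposable template already exists, but nothing on this page creates it and the only requisite is the whonix-ws template install, so the state errors on a fresh system where the dvm has not been created. Either add a `qvm.vm`/`present` state for the dvm with `template_for_dispvms: True` and require it here, or document the assumption with `# assumes whonix-workstation-<ver>-dvm was created elsewhere`. `guivm: dom0` and `audiovm: sys-audio` also differ from every other qube on this page, which clear both properties; a short comment on why this dvm gets GUI and audio access would make the decision reviewable.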