Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/drkhsh/salt-n-pepper
My Qubes OS SaltStack configuration for automated template deployments.
qubes qubes-os salt saltstack
Last synced: 3 months ago
- Host: GitHub
- URL: https://github.com/drkhsh/salt-n-pepper
- Owner: drkhsh
- License: isc
- Archived: true
- Created: 2022-11-09T23:31:34.000Z (about 2 years ago)
- Default Branch: master
- Last Pushed: 2023-08-08T10:48:11.000Z (over 1 year ago)
- Last Synced: 2024-09-18T19:29:21.037Z (4 months ago)
- Topics: qubes, qubes-os, salt, saltstack
- Language: SaltStack
- Homepage: https://git.drkhsh.at/salt-n-pepper
- Size: 924 KB
- Stars: 7
- Watchers: 4
- Forks: 4
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
```
█
█ █ █
███ ███ █ ███ █ █ ███ ███ ███ ███ ███ ███
█ █ █ █ █ █ █ ███ █ █ █ █ ███ █
█ ███ █ █ █ █ █ █ █ █ █ █ █ █ █
███ ███ ██ ██ ██ ███ ███ ███ ███ ███ █
█ █ █
█ █ █
```
# Salt & Pepper
My Qubes SaltStack configuration for automated template deployments.
This repository mostly exists for personal reference and sharing between
machines, however **feel free to steal some salt**.

Contains *a lot* of templates, specifically configured for my use cases,
used on two Qubes OS machines for personal and work use. Work-related
templates are stripped out (NDA blabla).

**Beware that some stuff may be very hacky, works on my machine(s)**.
## Install
First, enable user-directories for Salt on Qubes OS (to separate from
pre-installed formulas):
```
qubesctl top.enable qubes.user-dirs
qubesctl state.apply
```
Clone repository contents in a regular qube, then copy it to `dom0`, by
using [`git bundle`](https://git-scm.com/docs/git-bundle).

***WARNING: You are going to copy files from a qube directly into `dom0`! [This
is considered
unsafe](https://www.qubes-os.org/doc/copy-from-dom0/#copying-to-dom0) and can
compromise the security of your whole Qubes system. You have been warned.***
```
# <qube> is a placeholder for the name of the qube that holds the repository
qvm-run --pass-io <qube> 'cd /path/to/salt-repo/ && git bundle create - --all' > /tmp/salt.bundle
```
Finally, clone the bundle into the salt user dir (`/srv/user_salt/`):
```
cd /srv/user_salt/
git clone /tmp/salt.bundle .
```
Git's `origin` is now set to the bundle file; it can be deleted for now.
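Everything cloned into `/srv/user_salt/` is later applied with `qubesctl` from `dom0`, so it is worth looking at what a new bundle changes before the `git pull` in the "To dom0" update step merges it. The following is an added example, not part of the salt-n-pepper repository: `review_bundle` and `changed_files` are hypothetical helper names, and the bundle path is assumed to be absolute.

```shell
#!/bin/sh
# Added example (not from the salt-n-pepper repository).
# review_bundle REPO BUNDLE
#   Checks BUNDLE against REPO, fetches it without touching the work tree,
#   and prints the incoming commits and changed files for review.
#   Returns 1 for an invalid bundle, 2 if the update is not a fast-forward.
review_bundle() {
    repo=$1 bundle=$2   # BUNDLE must be an absolute path (git -C changes directory)

    # Structural check: well-formed bundle whose prerequisite commits exist in REPO.
    git -C "$repo" bundle verify "$bundle" >/dev/null 2>&1 || {
        echo "bundle failed verification: $bundle" >&2
        return 1
    }

    # Fetch only: the result lands in FETCH_HEAD, nothing is merged or checked out.
    git -C "$repo" fetch --quiet "$bundle" HEAD || return 1

    # Refuse anything that is not a plain fast-forward of the current branch
    # (rewritten history, or a bundle older than what is already deployed).
    git -C "$repo" merge-base --is-ancestor HEAD FETCH_HEAD || {
        echo "not a fast-forward; inspect manually" >&2
        return 2
    }

    # What would be merged: commits first, then a per-file summary.
    git -C "$repo" log --oneline HEAD..FETCH_HEAD
    git -C "$repo" diff --stat HEAD FETCH_HEAD
}

# changed_files REPO
#   Lists the paths that differ between the deployed tree and the fetched
#   bundle, e.g. to see whether top files or dom0 states are affected.
changed_files() {
    git -C "$1" diff --name-only HEAD FETCH_HEAD
}
```

After reviewing the output, `git merge --ff-only FETCH_HEAD` applies exactly the commits that were inspected.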
### Binaries / Dotfiles
- Place static `st` binary in `/srv/user_salt/bin/`
- Clone dotfiles repository in `/srv/user_salt/dotfiles/`

(both are ignored by git)
## Deploy
Use `qubesctl` to enable and deploy states.
```
qubesctl top.enable template-example
qubesctl --targets template-example state.highstate
```
To apply all changed states, use:
```
qubesctl --all state.highstate
```
## Update
### To dom0
Since the `origin` in the cloned repository in `dom0` is set to the bundle file,
it's enough to get the newest bundle and `git pull` from it:
```
cd /srv/user_salt/
# <qube> is a placeholder for the name of the qube that holds the repository
qvm-run --pass-io <qube> 'cd /path/to/salt-repo/ && git bundle create - --all' > /tmp/salt.bundle
git pull # use --rebase if necessary
```
### From dom0
Commit the changes in dom0, and generate a patch bundle per commit:
```
git bundle create /tmp/salt.bundle --all -1 HEAD # or
```
Use `qvm-copy-to-vm` to get the bundle back to the target qube:
```
# <qube> is a placeholder for the name of the target qube
qvm-move-to-vm <qube> /tmp/salt.bundle
```
Then, in the relevant qube, check and apply the patch, and push to the upstream
repo:
```
cd /path/to/salt-repo
git pull ~/QubesIncoming/dom0/salt.bundle # use --rebase if necessary
```
## Pillars
*theme.sls*:
```
theme:
  gtk: Dracula
  icons: Dracula
```
*shell.sls*:
```
shell: mksh
```
Include in top-file accordingly:
```
user:
  '*':
    - shell
    - theme
```