my qubes os workstation configuration

Qubes OS workstation configuration

Documenting the configuration of my Qubes OS workstation through config-as-code with Salt

Mirrors:

codeberg sourcehut 0xacab

Hippocratic License HL3-FULL Latest Release Stars Open Issues Latest Build


Usage

First time set up

  • In a guest VM, clone the repo into /usr/local/src (this avoids username conflicts later)

    git clone ssh://git@codeberg.org/xyhhx/qubes-mgmt-salt-user.git /usr/local/src/qubes-mgmt-salt-user
    
  • From dom0, run the first-time set up script

    (
      export GUEST=development-qube SRC_DIR=/usr/local/src/qubes-mgmt-salt-user; \
      qvm-run -p "${GUEST}" "cat ${SRC_DIR}/bin/install" | envsubst
    ) | bash
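
A staged variant of the command above, as an added example that is not part of the repo: it copies the rendered install script into a private temp directory in dom0, shows it for review, and runs those exact bytes only after confirmation. `QVM_RUN`, `stage_install` and `review_and_run` are hypothetical names introduced here; `qvm-run -p` and `envsubst` are used as in the README's command.

```shell
#!/bin/sh
# Added example, not the repo's code. GUEST and SRC_DIR follow the README;
# QVM_RUN, stage_install and review_and_run are hypothetical names.
GUEST="${GUEST:-development-qube}"
SRC_DIR="${SRC_DIR:-/usr/local/src/qubes-mgmt-salt-user}"
QVM_RUN="${QVM_RUN:-qvm-run}" # overridable so the functions can be exercised outside dom0

# Copy bin/install out of the guest, render it with envsubst as the README's
# one-liner does, and print the path of the rendered file. Nothing is executed.
stage_install() {
  stage_dir="$(mktemp -d)" || return 1 # mktemp -d creates the directory with mode 0700
  export GUEST SRC_DIR
  # Fetch to a file first: in a pipeline, a failing qvm-run would be masked.
  if ! "$QVM_RUN" -p "$GUEST" "cat ${SRC_DIR}/bin/install" > "$stage_dir/install.raw" ||
    [ ! -s "$stage_dir/install.raw" ]; then
    rm -rf "$stage_dir"
    return 1
  fi
  if ! envsubst < "$stage_dir/install.raw" > "$stage_dir/install"; then
    rm -rf "$stage_dir"
    return 1
  fi
  printf '%s\n' "$stage_dir/install"
}

# Show the staged script and run those exact bytes only after an explicit "yes".
review_and_run() {
  staged_file="$1"
  ${PAGER:-less} "$staged_file"
  printf 'Run %s in dom0? Type "yes" to continue: ' "$staged_file" >&2
  read -r answer || answer=""
  if [ "$answer" != "yes" ]; then
    echo "Aborted; nothing was executed." >&2
    return 1
  fi
  bash "$staged_file"
}

# Usage in dom0:
#   staged="$(stage_install)" && review_and_run "$staged"
```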
    

Using the Make tasks

Note

The Make tasks require a GUEST variable to be set. It should be the name of the guest domain that holds the repo's source code. You can pass it directly (GUEST=my-dev-qube make...)

Tip

You can export the GUEST variable to the environment to make life easier

Warning

While the Make tasks try to ensure that commands are only run in the appropriate domains (i.e. dom0 or guests), the checks are frail. Be mindful of what you're running!

Enabling/disabling top files

Make is used to interact with qubesctl and offers a few helper tasks to make working with top files a bit easier:

  • Enabling/disabling top file(s):

    # Enable a top
    make enable dvm-trivalent
    
    # Enable multiple tops
    make enable on-fedora-42-minimal provides-app-trivalent dvm-trivalent
    
    # Disabling top(s) works the same
    make disable on-fedora-42-minimal
    
  • Enabling/disabling all tops

    # Enable all tops
    make enable-all
    
    # Disable all tops
    make disable-all
    

    Tip

    This is handy when first setting the repo up. You can run make enable-all to quickstart the repo

  • Enable only some tops:

    # Enable only a few tops
    make enable-only dom0 uses-stack-dev dvm-dev
    

    Note

    This will disable all tops in this repo, then enable the ones provided

Running state.apply

The Makefile also has helper tasks for running qubesctl state.apply

  • Applying a state to a few targets:

    # Apply Trivalent states
    make apply uses-app-trivalent dvm-trivalent
    
  • Applying "batch targets" (i.e. --all, --templates, --standalones, --apps):

    # Apply all template states
    make apply templates
    
  • These can be used together:

    # Apply all templates and a few other tops
    make apply templates dvm-trivalent app-thunderbird
    

Pulling updates to dom0

Bundling changes and lifting them to dom0 is also easily done with the available Make tasks:

# In dom0
make pull-bundle

Render a statefile

You can check what the Jinja renderer outputs with the render task:

# in dom0
make render $(pwd)/qubes-mgmt-salt-user/common/hardening/kmods.sls

Note

The parameter must be an absolute path


Acknowledgments

The following resources were very useful for learning Salt, especially in the context of Qubes OS; and for getting inspiration about how to design my own states (thanks!):