diff --git a/pillar/qvm/sys-gui.sls b/pillar/qvm/sys-gui.sls
new file mode 100644
index 0000000..86f6d7d
--- /dev/null
+++ b/pillar/qvm/sys-gui.sls
@@ -0,0 +1,3 @@
+qvm:
+ sys-gui:
+ admin-global-permissions: 'rwx'
\ No newline at end of file
diff --git a/pillar/qvm/sys-gui.top b/pillar/qvm/sys-gui.top
new file mode 100644
index 0000000..2899950
--- /dev/null
+++ b/pillar/qvm/sys-gui.top
@@ -0,0 +1,7 @@
+# -*- coding: utf-8 -*-
+# vim: set syntax=yaml ts=2 sw=2 sts=2 et :
+
+base:
+ dom0:
+ - match: nodegroup
+ - qvm.sys-gui
\ No newline at end of file
diff --git a/qvm/sys-gui-template.sls b/qvm/sys-gui-template.sls
new file mode 100644
index 0000000..468354c
--- /dev/null
+++ b/qvm/sys-gui-template.sls
@@ -0,0 +1,48 @@
+# -*- coding: utf-8 -*-
+# vim: set syntax=yaml ts=2 sw=2 sts=2 et :
+
+##
+# qvm.sys-gui-template
+# ====================
+##
+
+# WIP: until we have our group packages included
+# in qubes repository, we explicitely list needed packages
+sys-gui-xfce:
+ pkg.installed:
+ - pkgs:
+ - qubes-vm-guivm
+ - qubes-manager
+ - xfce4-settings-qubes
+ - adwaita-gtk2-theme
+ - adwaita-icon-theme
+ - albatross-gtk2-theme
+ - albatross-gtk3-theme
+ - albatross-xfwm4-theme
+ - alsa-utils
+ - arc-theme
+ - bluebird-gtk2-theme
+ - bluebird-gtk3-theme
+ - bluebird-xfwm4-theme
+ - greybird-gtk2-theme
+ - greybird-gtk3-theme
+ - greybird-xfwm4-theme
+ - gtk-xfce-engine
+ - xdg-user-dirs-gtk
+ - xfce4-about
+ - xfce4-appfinder
+ - xfce4-datetime-plugin
+ - xfce4-panel
+ - xfce4-places-plugin
+ - xfce4-power-manager
+ - xfce4-pulseaudio-plugin
+ - xfce4-screenshooter-plugin
+ - xfce4-session
+ - xfce4-settings
+ - xfce4-taskmanager
+ - xfce4-terminal
+ - xfconf
+ - xfdesktop
+ - xfwm4
+ - xfwm4-theme-nodoka
+ - xfwm4-themes
diff --git a/qvm/sys-gui-vm.sls b/qvm/sys-gui-vm.sls
new file mode 100644
index 0000000..ccb2ac0
--- /dev/null
+++ b/qvm/sys-gui-vm.sls
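Review bot: The default `admin-global-permissions: 'rwx'` is the most permissive value the formula understands, and judging by the include it selects in qvm/sys-gui.sls (`admin-global-rwx`, appended with `sys-gui @adminvm allow,target=dom0`) it hands sys-gui Admin API write access across all qubes, which is close to dom0-equivalent control. Nothing in the pillar tells an operator that; a comment above the key such as `# 'rwx' = global Admin API write access for sys-gui (near dom0-equivalent); 'ro' = read-only` would make the choice explicit where it is made. Since the spec installs this pillar as `%config(noreplace)`, the shipped default is the value most deployments will keep. The file also ends without a trailing newline.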
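Review bot: The second comment line under `# WIP` has a typo; it should read `# in qubes repository, we explicitly list needed packages`. The state id `sys-gui-xfce` and the package list presume an Xfce template, but qvm/sys-gui.top applies this state to whatever name pillar `qvm:sys-gui:template` holds, so a non-Xfce template would receive the whole Xfce desktop; a comment next to the id stating that assumption, e.g. `# assumes the template named in qvm:sys-gui:template is an Xfce-based template`, would save a surprise.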
@@ -0,0 +1,26 @@
+# -*- coding: utf-8 -*-
+# vim: set syntax=yaml ts=2 sw=2 sts=2 et :
+
+##
+# qvm.sys-gui-vm
+# ==============
+##
+
+# WIP: currently use default user 'user'
+/home/user/.config/autostart/xscreensaver.desktop:
+ file.managed:
+ - user: user
+ - mode: 640
+ - makedirs: True
+ - contents: |
+ [Desktop Entry]
+ Hidden=true
+
+/home/user/.config/autostart/xscreensaver-autostart.desktop:
+ file.managed:
+ - user: user
+ - mode: 640
+ - makedirs: True
+ - contents: |
+ [Desktop Entry]
+ Hidden=true
\ No newline at end of file
diff --git a/qvm/sys-gui.sls b/qvm/sys-gui.sls
new file mode 100644
index 0000000..73d6306
--- /dev/null
+++ b/qvm/sys-gui.sls
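Review bot: Both `Hidden=true` overrides switch off the xscreensaver autostart entries inside sys-gui, the VM that will own the display, and nothing in the file says why the GuiVM's own locker is disabled or what locks the screen instead; a comment above the first state, along the lines of `# disable xscreensaver inside the GuiVM: screen locking is provided by <component — fill in>`, is needed for anyone auditing this later. `mode: 640` is an unquoted integer; Salt's own documentation recommends quoting modes (`- mode: '0640'`) so YAML never reinterprets them. No `group` is given, so the files fall to Salt's default group (root, as far as I can tell) while being owned by `user`; set it explicitly if that is intended. The two stanzas differ only in the path and could be a single Jinja `{% for %}` over the two filenames.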
@@ -0,0 +1,86 @@
+# -*- coding: utf-8 -*-
+# vim: set syntax=yaml ts=2 sw=2 sts=2 et :
+
+##
+# qvm.sys-gui
+# ===========
+##
+
+qubes-template-{{ salt['pillar.get']('qvm:sys-gui:template', 'fedora-30-xfce') }}:
+ pkg.installed: []
+
+{% from "qvm/template.jinja" import load -%}
+
+{% load_yaml as defaults -%}
+name: sys-gui
+present:
+ - label: black
+ - maxmem: 4000
+ - template: {{ salt['pillar.get']('qvm:sys-gui:template', 'fedora-30-xfce') }}
+prefs:
+ - netvm: ""
+ - guivm: dom0
+ - autostart: true
+service:
+ - enable:
+ - guivm-gui-agent
+{%- endload %}
+
+{{ load(defaults) }}
+
+# Set 'dom0' keyboard-layout feature
+dom0-keyboard-layout:
+ cmd.run:
+ - name: qvm-features dom0 keyboard-layout {{ salt['keyboard.get_x']() }}
+
+# Set 'sys-gui' keyboard-layout feature
+sys-gui-keyboard-layout:
+ cmd.run:
+ - name: qvm-features sys-gui keyboard-layout {{ salt['keyboard.get_x']() }}
+ - require:
+ - qvm: sys-gui
+
+# Set 'sys-gui' as default GuiVM
+sys-gui-default-guivm:
+ cmd.run:
+ - name: qubes-prefs default_guivm sys-gui
+ - require:
+ - qvm: sys-gui
+
+# Setup Qubes RPC policy
+sys-gui-rpc:
+ file.managed:
+ - name: /etc/qubes/policy.d/30-sys-gui.policy
+ - contents: |
+ qubes.GetImageRGBA * sys-gui @tag:guivm-sys-gui allow
+ qubes.GetAppmenus * sys-gui @tag:guivm-sys-gui allow
+ qubes.SetMonitorLayout * sys-gui @tag:guivm-sys-gui allow
+ qubes.StartApp * sys-gui @tag:guivm-sys-gui allow
+ qubes.StartApp * sys-gui @dispvm:@tag:guivm-sys-gui allow
+ qubes.SyncAppMenus * @tag:guivm-sys-gui dom0 allow target=sys-gui
+ qubes.WaitForSession * sys-gui @tag:guivm-sys-gui allow
+
+
+# GuiVM (AdminVM) with local 'rwx' permissions
+/etc/qubes-rpc/policy/include/admin-local-rwx:
+ file.append:
+ - text: |
+ sys-gui @tag:guivm-sys-gui allow,target=dom0
+
+# GuiVM (AdminVM) with global 'ro' permissions
+{% if salt['pillar.get']('qvm:sys-gui:admin-global-permissions') == 'ro' %}
+/etc/qubes-rpc/policy/include/admin-global-ro:
+ file.append:
+ - text: |
+ sys-gui @adminvm allow,target=dom0
+ sys-gui @tag:guivm-sys-gui allow,target=dom0
+{% endif %}
+
+{% if salt['pillar.get']('qvm:sys-gui:admin-global-permissions') == 'rwx' %}
+# GuiVM (AdminVM) with global 'rwx' permissions
+/etc/qubes-rpc/policy/include/admin-global-rwx:
+ file.append:
+ - text: |
+ sys-gui @adminvm allow,target=dom0
+ sys-gui @tag:guivm-sys-gui allow,target=dom0
+{% endif %}
\ No newline at end of file
diff --git a/qvm/sys-gui.top b/qvm/sys-gui.top
new file mode 100644
index 0000000..01c8013
--- /dev/null
+++ b/qvm/sys-gui.top
@@ -0,0 +1,22 @@
+# -*- coding: utf-8 -*-
+# vim: set syntax=yaml ts=2 sw=2 sts=2 et :
+
+# Installs 'sys-gui' GuiVM.
+#
+# Pillar data will also be merged if available within the ``qvm`` pillar key:
+# ``qvm:sys-gui``
+#
+# located in ``/srv/pillar/dom0/qvm/init.sls``
+#
+# Execute:
+# qubesctl top.enable qvm.sys-gui
+# qubesctl --all state.highstate
+
+base:
+ dom0:
+ - match: nodegroup
+ - qvm.sys-gui
+ {{ salt['pillar.get']('qvm:sys-gui:template', 'fedora-30-xfce') }}:
+ - qvm.sys-gui-template
+ sys-gui:
+ - qvm.sys-gui-vm
\ No newline at end of file
diff --git a/rpm_spec/qubes-mgmt-salt-dom0-virtual-machines-dom0.spec.in b/rpm_spec/qubes-mgmt-salt-dom0-virtual-machines-dom0.spec.in
index 5980e15..5027801 100644
--- a/rpm_spec/qubes-mgmt-salt-dom0-virtual-machines-dom0.spec.in
+++ b/rpm_spec/qubes-mgmt-salt-dom0-virtual-machines-dom0.spec.in
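Review bot: The `admin-global-permissions` branches only ever add: `file.append` on `admin-global-rwx` writes the `sys-gui @adminvm allow,target=dom0` grant, and nothing removes it when the pillar is later changed to `'ro'` or unset, so a downgrade silently keeps global write access in place. The `'ro'` branch should also strip sys-gui's lines from the rwx include (sketched below with `file.replace`), and a value that is neither `'ro'` nor `'rwx'` deserves an `{% else %}` that at least surfaces the misconfiguration. The three `cmd.run` states carry no `unless`/`onlyif`, so every highstate reruns them and reports changes; `qvm-features` and `qubes-prefs` can be guarded with an `unless` that reads the current value. The pillar default `'fedora-30-xfce'` is repeated across this file and sys-gui.top; a single `{% set %}` at the top of each file would keep them in sync.
```yaml
{% if salt['pillar.get']('qvm:sys-gui:admin-global-permissions') == 'ro' %}
# Revoke a previously granted global 'rwx' so a pillar downgrade takes effect
revoke-sys-gui-admin-global-rwx:
  file.replace:
    - name: /etc/qubes-rpc/policy/include/admin-global-rwx
    - pattern: '^sys-gui .*\n?'
    - repl: ''
    - ignore_if_missing: True
# … unchanged: admin-global-ro file.append …
{% endif %}
```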
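Review bot: The header comment points operators at `/srv/pillar/dom0/qvm/init.sls`, but the spec hunk in this same commit installs the pillar as `/srv/pillar/base/qvm/sys-gui.sls`; the "located in" line should name that path, assuming the spec is authoritative. The `sys-gui:` target applies qvm.sys-gui-vm to a minion that only exists after qvm.sys-gui has run in dom0, so on the first `qubesctl --all state.highstate` the VM part presumably fails or is skipped until a second run unless qubesctl orders dom0 before the VMs, which I cannot tell from here; the Execute comment should say which it is.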
@@ -73,6 +73,10 @@ fi
 /srv/formulas/base/virtual-machines-formula/qvm/hide-usb-from-dom0.sls
 /srv/formulas/base/virtual-machines-formula/qvm/personal.sls
 /srv/formulas/base/virtual-machines-formula/qvm/personal.top
+/srv/formulas/base/virtual-machines-formula/qvm/sys-gui.sls
+/srv/formulas/base/virtual-machines-formula/qvm/sys-gui-template.sls
+/srv/formulas/base/virtual-machines-formula/qvm/sys-gui-vm.sls
+/srv/formulas/base/virtual-machines-formula/qvm/sys-gui.top
 /srv/formulas/base/virtual-machines-formula/qvm/sys-firewall.sls
 /srv/formulas/base/virtual-machines-formula/qvm/sys-firewall.top
 /srv/formulas/base/virtual-machines-formula/qvm/sys-net.sls
@@ -103,6 +107,8 @@ fi
 %config(noreplace) /srv/pillar/base/qvm/sys-net-as-usbvm.top
 %config(noreplace) /srv/pillar/base/qvm/whonix-testing.sls
 %config(noreplace) /srv/pillar/base/qvm/whonix-testing.top
+%config(noreplace) /srv/pillar/base/qvm/sys-gui.top
+%config(noreplace) /srv/pillar/base/qvm/sys-gui.sls
 /srv/pillar/base/qvm/init.top
 %config(noreplace) /etc/salt/minion.d/formula-virtual-machines.conf