We've been using simple Salt formulas to help users with software installation and setup for some time. There's a long-standing issue on GitHub about how to handle such formulas. I think we should distribute them as signed packages, with scripts that implement the states when the package is installed. Users don't need to understand Salt, or any of the complexity of working in Qubes.
What does this mean in practice?
Instead of a user finding a guide online, wondering whether to create a new template or qubes, copying code or scripts into dom0 or a template, and running them, they just install a package.
Here's an example:
Let's say a user wants to set up a caching proxy, perhaps following my notes here
They clone a template, install software into the template (remembering to mask the service in the template), create a qube, configure the qube, configure bind-dirs in the new qube, set up a new policy in dom0, and then change the repo definitions in all the templates so that the proxy can handle TLS requests.
Instead they install the 3isec-qubes-cacher package, and it's done for them.
A new caching proxy is created and the system reconfigured to use it.
Create a file in dom0 at /etc/yum.repos.d/3isec-dom0.repo with this content:

```ini
[3isec-dom0-current]
name = 3isec Qubes Dom0 Repository (updates)
baseurl = https://qubes.3isec.org/rpm/r$releasever/current/dom0/fc32
skip_if_unavailable=False
enabled = 1
metadata_expire = 6h
gpgcheck = 1
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-unman
```
All packages are signed with my Qubes OS Signing key.
You'll need to get this from a keyserver, or from two of them, so you can cross-check that the copies agree:
keyserver.ubuntu.com
or
pgp.mit.edu
You can also check the Qubes users mailing list or look on GitHub.
Once you have copies of the key, check the fingerprint:
```sh
gpg -n --import --import-options import-show unman.pub
```

replacing unman.pub with the path to the key. The output should look like this:

```
pub   rsa4096 2016-06-25 [SC]
      4B1F 400D F256 51B5 3C41 41B3 8B3F 30F9 C8C0 C2EF
uid           [ unknown] unman (Qubes OS signing key)
sub   rsa4096 2016-06-27 [S] [expires: 2024-06-30]
sub   rsa4096 2016-06-25 [E]
```

In particular, check that the output from your command contains the fingerprint 4B1F 400D F256 51B5 3C41 41B3 8B3F 30F9 C8C0 C2EF.
When you are happy, copy the key into dom0:

```sh
qvm-run -p QUBE_WHERE_YOU_DOWNLOADED_KEY 'cat PATH_TO_KEY' > RPM-GPG-KEY-unman
sudo mv RPM-GPG-KEY-unman /etc/pki/rpm-gpg/
```
Add the key to the rpm keyring:
```sh
sudo rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-unman
```
In the qube where you downloaded the package, check which key it was signed with:

```sh
cd Downloads
rpm -qi 3isec-qubes-task-manager-0.1-1.x86_64.rpm
```

On the Signature line you should see Key ID fdd1b8244731b36c. This is the signing sub key of my Qubes OS signing key - you can confirm this with

```sh
gpg --edit-key unman
```
To copy the file to dom0, open a terminal window in dom0 and run:
```sh
qvm-run -p disp999 'cat Downloads/3isec-qubes-task-manager-0.1-1.x86_64.rpm' > 3isec-qubes-task-manager-0.1-1.x86_64.rpm
```

Then install the package:

```sh
sudo dnf install ./3isec-qubes-task-manager-0.1-1.x86_64.rpm
```
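The two manual checks above (the key fingerprint from `gpg --import-show`, and the Key ID on the `rpm -qi` Signature line) are easy to skim past. Here is an added example, not unman's code and not part of the 3isec packages, that scripts both comparisons so they fail loudly on a mismatch or on an unsigned package. It assumes `gpg` and `rpm` are available in the qube where the key and package were downloaded; the key file path is a placeholder you supply, and the expected fingerprint and Key ID are the ones quoted in the post.

```shell
#!/bin/sh
# Added example: verify a downloaded signing key and a downloaded package
# against the fingerprint / Key ID published in the post, before anything
# is copied into dom0. Not part of the 3isec packages.

EXPECTED_FPR="4B1F400DF25651B53C4141B38B3F30F9C8C0C2EF"   # from the post, spaces removed
EXPECTED_KEYID="fdd1b8244731b36c"                          # signing sub key, from the post

# fingerprint_matches: read `gpg --import-show` output on stdin.
# Succeeds only if exactly one 40-hex-digit fingerprint appears and it
# equals EXPECTED_FPR; a file carrying extra or different keys fails.
fingerprint_matches() {
    fprs=$(tr -d ' ' | grep -E '^[0-9A-F]{40}$' | sort -u)
    [ "$fprs" = "$EXPECTED_FPR" ]
}

# package_keyid_matches: read `rpm -qi` output on stdin.
# Extracts the 16-hex Key ID from the Signature line; an unsigned package
# ("Signature : (none)") has no Key ID and therefore fails.
package_keyid_matches() {
    keyid=$(grep -i '^Signature' \
        | sed -n 's/.*Key ID \([0-9a-fA-F]\{16\}\).*/\1/p' | head -n 1)
    [ -n "$keyid" ] || return 1
    [ "$(printf '%s' "$keyid" | tr 'A-Z' 'a-z')" = "$EXPECTED_KEYID" ]
}

# verify_key_file KEYFILE: dry-run import (nothing is added to the keyring)
# and compare the printed fingerprint.
verify_key_file() {
    if gpg -n --import --import-options import-show "$1" 2>/dev/null | fingerprint_matches; then
        echo "key fingerprint OK: $1"
    else
        echo "key fingerprint MISMATCH or unexpected keys in $1; do not copy it to dom0" >&2
        return 1
    fi
}

# verify_package_keyid RPMFILE: compare the Key ID rpm reports for the package.
verify_package_keyid() {
    if rpm -qi "$1" | package_keyid_matches; then
        echo "package signed with expected Key ID: $1"
    else
        echo "package $1 is unsigned or signed with a different key; do not install" >&2
        return 1
    fi
}

# Usage (placeholder paths):
#   verify_key_file PATH_TO_KEY && verify_package_keyid Downloads/PACKAGE.rpm
```

Note that `rpm -qi` only reports which Key ID a package claims to be signed by; it does not check the signature. Once the key has been imported into dom0's rpm keyring with `rpm --import`, `rpm -K PACKAGE.rpm` performs the actual signature verification against that keyring, which is the check worth running before `dnf install`.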
More detailed information about these packages can be seen in the qubes-task tools.
We'll be adding more packages soon.
All these packages use new templates, based on debian-11-minimal. The source code is on GitHub, in qubes-task and in the shaker.
unman