From eed904c7f2d0b944424b6f45ee3f55e201e3c137 Mon Sep 17 00:00:00 2001 
From: Ben Grande Date: Fri, 5 Jul 2024 16:35:32 +0200 Subject: [PATCH] feat: add Tailscale formula Fixes: https://github.com/ben-grande/qusal/issues/42 --- .qubesbuilder | 1 + .reuse/dep5 | 4 + rpm_spec/qusal-sys-tailscale.spec | 108 ++++++++++++++++++ salt/sys-tailscale/README.md | 58 ++++++++++ salt/sys-tailscale/clone.sls | 8 ++ salt/sys-tailscale/clone.top | 10 ++ salt/sys-tailscale/create.sls | 57 +++++++++ salt/sys-tailscale/create.top | 10 ++ salt/sys-tailscale/files/repo/tailscale.asc | 52 +++++++++ .../files/repo/tailscale.sources | 6 + .../files/repo/tailscale.yum.asc | 52 +++++++++ .../files/repo/tailscale.yum.repo | 9 ++ .../qubes-bind-dirs.d/50-sys-tailscale.conf | 8 ++ .../tailscaled.service.d/50_qusal.conf | 11 ++ salt/sys-tailscale/init.top | 12 ++ salt/sys-tailscale/install-repo.sls | 12 ++ salt/sys-tailscale/install-repo.top | 9 ++ salt/sys-tailscale/install.sls | 56 +++++++++ salt/sys-tailscale/install.top | 9 ++ salt/sys-tailscale/version | 1 + 20 files changed, 493 insertions(+) create mode 100644 rpm_spec/qusal-sys-tailscale.spec create mode 100644 salt/sys-tailscale/README.md create mode 100644 salt/sys-tailscale/clone.sls create mode 100644 salt/sys-tailscale/clone.top create mode 100644 salt/sys-tailscale/create.sls create mode 100644 salt/sys-tailscale/create.top create mode 100644 salt/sys-tailscale/files/repo/tailscale.asc create mode 100644 salt/sys-tailscale/files/repo/tailscale.sources create mode 100644 salt/sys-tailscale/files/repo/tailscale.yum.asc create mode 100644 salt/sys-tailscale/files/repo/tailscale.yum.repo create mode 100644 salt/sys-tailscale/files/server/qubes-bind-dirs.d/50-sys-tailscale.conf create mode 100644 salt/sys-tailscale/files/server/systemd/tailscaled.service.d/50_qusal.conf create mode 100644 salt/sys-tailscale/init.top create mode 100644 salt/sys-tailscale/install-repo.sls create mode 100644 salt/sys-tailscale/install-repo.top create mode 100644 salt/sys-tailscale/install.sls create mode 100644 
salt/sys-tailscale/install.top create mode 100644 salt/sys-tailscale/version diff --git a/.qubesbuilder b/.qubesbuilder index bc257ede..306856b1 100644 --- a/.qubesbuilder +++ b/.qubesbuilder @@ -48,6 +48,7 @@ host: - rpm_spec/qusal-sys-ssh.spec - rpm_spec/qusal-sys-ssh-agent.spec - rpm_spec/qusal-sys-syncthing.spec + - rpm_spec/qusal-sys-tailscale.spec - rpm_spec/qusal-sys-usb.spec - rpm_spec/qusal-sys-wireguard.spec - rpm_spec/qusal-terraform.spec diff --git a/.reuse/dep5 b/.reuse/dep5 index 759ac374..831dfff1 100644 --- a/.reuse/dep5 +++ b/.reuse/dep5 @@ -105,6 +105,10 @@ Files: salt/sys-syncthing/files/repo/* Copyright: 2014 The Syncthing Project License: CC0-1.0 +Files: salt/sys-tailscale/files/repo/* +Copyright: 2020 Tailscale Inc. +License: CC0-1.0 + Files: salt/terraform/files/repo/* Copyright: 2023 HashiCorp Inc. License: CC0-1.0 diff --git a/rpm_spec/qusal-sys-tailscale.spec b/rpm_spec/qusal-sys-tailscale.spec new file mode 100644 index 00000000..3430295c --- /dev/null +++ b/rpm_spec/qusal-sys-tailscale.spec 
@@ -0,0 +1,108 @@
+# SPDX-FileCopyrightText: 2023 - 2024 Benjamin Grande M. S.
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+%define project sys-tailscale
+%define license_csv AGPL-3.0-or-later
+## Reproducibility.
+%define source_date_epoch_from_changelog 1
+%define use_source_date_epoch_as_buildtime 1
+%define clamp_mtime_to_source_date_epoch 1
+## Changelog is trimmed according to current date, not last date from changelog.
+%define _changelog_trimtime 0
+%define _changelog_trimage 0
+%global _buildhost %{name}
+## Python bytecode interferes when updates occur and restart is not done.
+%undefine __brp_python_bytecompile
+
+Name: qusal-sys-tailscale
+Version: 0.0.1
+Release: 1%{?dist}
+Summary: Tailscale environment in Qubes OS
+Group: qusal
+Packager: %{?_packager}%{!?_packager:Ben Grande }
+Vendor: Ben Grande
+License: AGPL-3.0-or-later
+URL: https://github.com/ben-grande/qusal
+BugURL: https://github.com/ben-grande/qusal/issues
+Source0: %{name}-%{version}.tar.gz
+BuildArch: noarch
+
+Requires: qubes-mgmt-salt
+Requires: qubes-mgmt-salt-dom0
+Requires: qusal-utils
+
+
+%description
+Install Tailscale and use it on the "sys-tailscale" or with any other qube you
+want to install.
+
+%prep
+%setup -q
+
+%build
+
+%check
+
+%pre
+
+%install
+rm -rf %{buildroot}
+install -m 755 -d \
+ %{buildroot}/srv/salt/qusal \
+ %{buildroot}%{_docdir}/%{name} \
+ %{buildroot}%{_defaultlicensedir}/%{name}
+
+for license in $(echo "%{license_csv}" | tr "," " "); do
+ license_dir="LICENSES"
+ if test -d "salt/%{project}/LICENSES"; then
+ license_dir="salt/%{project}/LICENSES"
+ fi
+ install -m 644 "${license_dir}/${license}.txt" %{buildroot}%{_defaultlicensedir}/%{name}/
+done
+
+install -m 644 salt/%{project}/README.md %{buildroot}%{_docdir}/%{name}/
+rm -rf \
+ salt/%{project}/LICENSES \
+ salt/%{project}/README.md \
+ salt/%{project}/.*
+cp -rv salt/%{project} %{buildroot}/srv/salt/qusal/%{name}
+
+%post
+if test "$1" = "1"; then
+ ## Install
+ qubesctl state.apply sys-tailscale.create
+ qubesctl --skip-dom0 --targets=tpl-sys-tailscale state.apply sys-tailscale.install
+elif test "$1" = "2"; then
+ ## Upgrade
+ true
+fi
+
+%preun
+if test "$1" = "0"; then
+ ## Uninstall
+ true
+elif test "$1" = "1"; then
+ ## Upgrade
+ true
+fi
+
+%postun
+if test "$1" = "0"; then
+ ## Uninstall
+ true
+elif test "$1" = "1"; then
+ ## Upgrade
+ true
+fi
+
+%files
+%defattr(-,root,root,-)
+%license %{_defaultlicensedir}/%{name}/*
+%doc %{_docdir}/%{name}/README.md
+%dir /srv/salt/qusal/%{name}
+/srv/salt/qusal/%{name}/*
+%dnl TODO: missing '%ghost', files generated during %post, such as Qrexec policies.
+
+%changelog
+
diff --git a/salt/sys-tailscale/README.md b/salt/sys-tailscale/README.md
new file mode 100644
index 00000000..e0be2ee8
--- /dev/null
+++ b/salt/sys-tailscale/README.md
@@ -0,0 +1,58 @@
+# sys-tailscale
+
+Tailscale environment in Qubes OS.
+
+## Table of Contents
+
+* [Description](#description)
+* [Installation](#installation)
+* [Usage](#usage)
+
+## Description
+
+Install Tailscale and use it on the "sys-tailscale" or with any other qube you
+want to install.
+
+## Installation
+
+* Top:
+
+```sh
+sudo qubesctl top.enable sys-tailscale
+sudo qubesctl --targets=tpl-sys-tailscale state.apply
+sudo qubesctl top.disable sys-tailscale
+```
+
+* State:
+
+
+
+```sh
+sudo qubesctl state.apply sys-tailscale.create
+sudo qubesctl --skip-dom0 --targets=tpl-sys-tailscale state.apply sys-tailscale.install
+```
+
+
+
+The Tailscale qube requires the Tailscale service to be enabled:
+
+```sh
+qvm-features QUBE service.tailscale 1
+```
+
+## Usage
+
+Authenticate to your Tailnet by following the upstream instructions to
+[generate an auth key](https://tailscale.com/kb/1085/auth-keys#generate-an-auth-key).
+
+On the Tailscale web interface, authorize the new device.
+
+You may want to [disable automatic key
+expiry](https://tailscale.com/kb/1085/auth-keys#key-expiry) to avoid having to
+redo the authentication steps.
+
+There are various functionalities Tailscale provides, consult
+[upstream documentation](https://tailscale.com/kb) for more information. There
+is also an
+[introductory video](https://tailscale.dev/blog/get-started-in-10-nov2023)
+covering the basics.
diff --git a/salt/sys-tailscale/clone.sls b/salt/sys-tailscale/clone.sls
new file mode 100644
index 00000000..0554d7f9
--- /dev/null
+++ b/salt/sys-tailscale/clone.sls
@@ -0,0 +1,8 @@
+{#
+SPDX-FileCopyrightText: 2023 Benjamin Grande M. S.
+
+SPDX-License-Identifier: AGPL-3.0-or-later
+#}
+
+{% from 'utils/macros/clone-template.sls' import clone_template -%}
+{{ clone_template('debian-minimal', sls_path) }}
diff --git a/salt/sys-tailscale/clone.top b/salt/sys-tailscale/clone.top
new file mode 100644
index 00000000..e42692c0
--- /dev/null
+++ b/salt/sys-tailscale/clone.top
@@ -0,0 +1,10 @@
+{#
+SPDX-FileCopyrightText: 2023 Benjamin Grande M. S.
+
+SPDX-License-Identifier: AGPL-3.0-or-later
+#}
+
+base:
+ 'dom0':
+ - match: nodegroup
+ - sys-tailscale.clone
diff --git a/salt/sys-tailscale/create.sls b/salt/sys-tailscale/create.sls
new file mode 100644
index 00000000..2c26ebb2
--- /dev/null
+++ b/salt/sys-tailscale/create.sls
@@ -0,0 +1,57 @@
+{#
+SPDX-FileCopyrightText: 2023 - 2024 Benjamin Grande M. S.
+
+SPDX-License-Identifier: AGPL-3.0-or-later
+#}
+
+{%- from "qvm/template.jinja" import load -%}
+
+include:
+ - .clone
+
+{% load_yaml as defaults -%}
+name: tpl-{{ slsdotpath }}
+force: True
+require:
+- sls: {{ slsdotpath }}.clone
+prefs:
+- audiovm: ""
+- memory: 300
+- maxmem: 400
+features:
+- set:
+ - default-menu-items: "qubes-run-terminal.desktop qubes-start.desktop"
+ - menu-items: "qubes-run-terminal.desktop qubes-start.desktop"
+{%- endload %}
+{{ load(defaults) }}
+
+{% load_yaml as defaults -%}
+name: {{ slsdotpath }}
+force: True
+require:
+- sls: {{ slsdotpath }}.clone
+present:
+- template: tpl-{{ slsdotpath }}
+- label: purple
+prefs:
+- template: tpl-{{ slsdotpath }}
+- label: purple
+- audiovm: ""
+- vcpus: 1
+- memory: 400
+- maxmem: 500
+- autostart: False
+- include_in_backups: True
+features:
+- set:
+ - menu-items: "qubes-run-terminal.desktop qubes-start.desktop"
+- enable:
+ - service.tailscale
+- disable:
+ - service.cups
+ - service.cups-browsed
+{%- endload %}
+{{ load(defaults) }}
+
+{% from 'utils/macros/policy.sls' import policy_set with context -%}
+{{ policy_set(sls_path, '80') }}
diff --git a/salt/sys-tailscale/create.top b/salt/sys-tailscale/create.top
new file mode 100644
index 00000000..d5f56f2a
--- /dev/null
+++ b/salt/sys-tailscale/create.top
@@ -0,0 +1,10 @@
+{#
+SPDX-FileCopyrightText: 2023 Benjamin Grande M. S.
+
+SPDX-License-Identifier: AGPL-3.0-or-later
+#}
+
+base:
+ 'dom0':
+ - match: nodegroup
+ - sys-tailscale.create
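Review bot: The last line of create.sls calls `policy_set(sls_path, '80')`, but none of the 20 files listed in this commit's diffstat is a Qrexec policy source. The macro lives in utils/macros/policy.sls, which is not visible here; if it copies a policy file from this formula's files directory, the state would fail in dom0, so this is worth confirming before merge. If sys-tailscale needs no RPC policy, drop the call; if it does, add the policy file in this commit with explicit, narrowly scoped rules. Separately, the app qube's `prefs` set neither `netvm` nor `provides_network`, and a short comment such as `{# netvm: inherits the system default #}` would make the intended network position explicit.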
diff --git a/salt/sys-tailscale/files/repo/tailscale.asc b/salt/sys-tailscale/files/repo/tailscale.asc
new file mode 100644
index 00000000..a137e362
--- /dev/null
+++ b/salt/sys-tailscale/files/repo/tailscale.asc
@@ -0,0 +1,52 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQINBF5UmbgBEADAA5mxC8EoWEf53RVdlhQJbNnQW7fctUA5yNcGUbGGGTk6XFqO +nlek0Us0FAl5KVBgcS0Bj+VSwKVI/wx91tnAWI36CHeMyPTawdT4FTcS2jZMHbcN +UMqM1mcGs3wEQmKz795lfy2cQdVktc886aAF8hy1GmZDSs2zcGMvq5KCNPuX3DD5 +INPumZqRTjwSwlGptUZrJpKWH4KvuGr5PSy/NzC8uSCuhLbFJc1Q6dQGKlQxwh+q +AF4uQ1+bdy92GHiFsCMi7q43hiBg5J9r55M/skboXkNBlS6kFviP+PADHNZe5Vw0 +0ERtD/HzYb3cH5YneZuYXvnJq2/XjaN6OwkQXuqQpusB5fhIyLXE5ZqNlwBzX71S +779tIyjShpPXf1HEVxNO8TdVncx/7Zx/FSdwUJm4PMYQmnwBIyKlYWlV2AGgfxFk +mt2VexyS5s4YA1POuyiwW0iH1Ppp9X14KtOfNimBa0yEzgW3CHTEg55MNZup6k2Q +mRGtRjeqM5cjrq/Ix15hISmgbZogPRkhz/tcalK38WWAR4h3N8eIoPasLr9i9OVe +8aqsyXefCrziaiJczA0kCqhoryUUtceMgvaHl+lIPwyW0XWwj+0q45qzjLvKet+V +Q8oKLT1nMr/whgeSJi99f/jE4sWIbHZ0wwR02ZCikKnS05arl3v+hiBKPQARAQAB +tERUYWlsc2NhbGUgSW5jLiAoUGFja2FnZSByZXBvc2l0b3J5IHNpZ25pbmcga2V5 +KSA8aW5mb0B0YWlsc2NhbGUuY29tPokCTgQTAQgAOBYhBCWWqZ6qszghiTwKeUWM +qDKVf1hoBQJeVJm4AhsDBQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJEEWMqDKV +f1hoWHEP/1DYd9WZrodyV5zy1izvj0FXtUReJi374gDn3cHrG6uYtXcE9HWZhxQD +6nDgYuey5sBhLvPQiE/sl5GYXNw/O95XVk8HS54BHCCYq1GeYkZaiCGLGFBA08JK +7PZItGsfdJHwHfhSMtGPS7Cpmylje9gh8ic56NAhC7c5tGTlD69Y8zGHjnRQC6Hg +wF34jdp8JTQpSctpmiOxOXN+eH8N59zb0k30CUym1Am438AR0PI6RBTnubBH+Xsc +eQhLJnmJ1bM6GP4agXw5T1G/qp95gjIddHXzOkEvrpVfJFCtp91VIlBwycspKYVp +1IKAdPM6CVf/YoDkawwm4y4OcmvNarA5dhWBG0Xqse4v1dlYbiHIFcDzXuMyrHYs +D2Wg8Hx8TD64uBHY0fp24nweCLnaZCckVUsnYjb0A494lgwveswbZeZ6JC5SbDKH +Tc2SE4jq+fsEEJsqsdHIC04d+pMXI95HinJHU1SLBTeKLvEF8Zuk7RTJyaUTjs7h +Ne+xWDmRjjR/D/GXBxNrM9mEq6Jvp/ilYTdWwAyrSmTdotHb+NWjAGpJWj5AZCH9 +HeBr2mtVhvTu3KtCQmGpRiR18zMbmemRXUh+IX5hpWGzynhtnSt7vXOvhJdqqc1D +VennRMQZMb09wJjPcvLIApUMl69r29XmyB59NM3UggK/UCJrpYfmuQINBF5UmbgB +EADTSKKyeF3XWDxm3x67MOv1Zm3ocoe5xGDRApPkgqEMA+7/mjVlahNXqA8btmwM +z1BH5+trjOUoohFqhr9FPPLuKaS/pE7BBP38KzeA4KcTiEq5FQ4JzZAIRGyhsAr+ +6bxcKV/tZirqOBQFC7bH2UAHH7uIKHDUbBIDFHjnmdIzJ5MBPMgqvSPZvcKWm40g +W+LWMGoSMH1Uxd+BvW74509eezL8p3ts42txVNvWMSKDkpiCRMBhfcf5c+YFXWbu 
+r5qus2mnVw0hIyYTUdRZIkOcYBalBjewVmGuSIISnUv76vHz133i0zh4JcXHUDqc +yLBUgVWckqci32ahy3jc4MdilPeAnjJQcpJVBtMUNTZ4KM7UxLmOa5hYwvooliFJ +wUFPB+1ZwN8d+Ly12gRKf8qA/iL8M5H4nQrML2dRJ8NKzP2U73Fw+n6S1ngrDX8k +TPhQBq4EDjDyX7SW3Liemj5BCuWJAo53/2cL9P9I5Nu3i2pLJOHzjBSXxWaMMmti +kopArlSMWMdsGgb0xYX+aSV7xW+tefYZJY1AFJ1x2ZgfIc+4zyuXnHYA2jVYLAfF +pApqwwn8JaTJWNhny/OtAss7XV/WuTEOMWXaTO9nyNmHla9KjxlBkDJG9sCcgYMg +aCAnoLRUABCWatxPly9ZlVbIPPzBAr8VN/TEUbceAH0nIwARAQABiQI2BBgBCAAg +FiEEJZapnqqzOCGJPAp5RYyoMpV/WGgFAl5UmbgCGwwACgkQRYyoMpV/WGji9w/8 +Di9yLnnudvRnGLXGDDF2DbQUiwlNeJtHPHH4B9kKRKJDH1Rt5426Lw8vAumDpBlR +EeuT6/YQU+LSapWoDzNcmDLzoFP7RSQaB9aL/nJXv+VjlsVH/crpSTTgGDs8qGsL +O3Y2U1Gjo5uMBoOfXwS8o1VWO/5eUwS0KH7hpbOuZcf9U9l1VD2YpGfnMwX1rnre +INJqseQAUL3oyNl76gRzyuyQ4AIA06r40hZDgybH0ADN1JtfVk8z4ofo/GcfoXqm +hifWJa2SwwHeijhdN1T/kG0FZFHs1DBuBYJG3iJ3/bMeL15j1OjncIYIYccdoEUd +uHnp4+ZYj5kND0DFziTvOC4WyPpv3BlBVariPzEnEqnhjx5RYwMabtTXoYJwUkxX +2gAjKqh2tXissChdwDGRNASSDrChHLkQewx+SxT5kDaOhB84ZDnp+urn9A+clLkN +lZMsMQUObaRW68uybSbZSmIWFVM1GovRMgrPG3T6PAykQhFyE/kMFrv5KpPh7jDj +5JwzQkxLkFMcZDdS43VymKEggxqtM6scIRU55i059fLPAVXJG5in1WhMNsmt49lb +KqB6je3plIWOLSPuCJ/kR9xdFp7Qk88GCXEd0+4z/vFn4hoOr85NXFtxhS8k9GfJ +mM/ZfUq7YmHR+Rswe0zrrCwTDdePjGMo9cHpd39jCvc= +=AIVM +-----END PGP PUBLIC KEY BLOCK----- diff --git a/salt/sys-tailscale/files/repo/tailscale.sources b/salt/sys-tailscale/files/repo/tailscale.sources new file mode 100644 index 00000000..f01f7667 --- /dev/null +++ b/salt/sys-tailscale/files/repo/tailscale.sources @@ -0,0 +1,6 @@ +Types: deb +URIs: https://pkgs.tailscale.com/stable/debian +Suites: bookworm +Components: main +Signed-by: /usr/share/keyrings/tailscale.asc +# vim: ft=debsources diff --git a/salt/sys-tailscale/files/repo/tailscale.yum.asc b/salt/sys-tailscale/files/repo/tailscale.yum.asc new file mode 100644 index 00000000..a137e362 --- /dev/null +++ b/salt/sys-tailscale/files/repo/tailscale.yum.asc 
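Review bot: `Suites: bookworm` in tailscale.sources pins one Debian release, while clone.sls clones the generic `debian-minimal` template, whose release is resolved in a macro not shown here and may not stay on bookworm. When the base template moves to a newer release, apt in tpl-sys-tailscale would keep resolving packages from the bookworm suite with nothing in the formula flagging the mismatch. A comment in the file such as `# Suite must match the Debian release of the cloned debian-minimal template` would document the coupling. The `Signed-by` line scoping the key to this one repository is the right choice and should be kept.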
@@ -0,0 +1,52 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQINBF5UmbgBEADAA5mxC8EoWEf53RVdlhQJbNnQW7fctUA5yNcGUbGGGTk6XFqO +nlek0Us0FAl5KVBgcS0Bj+VSwKVI/wx91tnAWI36CHeMyPTawdT4FTcS2jZMHbcN +UMqM1mcGs3wEQmKz795lfy2cQdVktc886aAF8hy1GmZDSs2zcGMvq5KCNPuX3DD5 +INPumZqRTjwSwlGptUZrJpKWH4KvuGr5PSy/NzC8uSCuhLbFJc1Q6dQGKlQxwh+q +AF4uQ1+bdy92GHiFsCMi7q43hiBg5J9r55M/skboXkNBlS6kFviP+PADHNZe5Vw0 +0ERtD/HzYb3cH5YneZuYXvnJq2/XjaN6OwkQXuqQpusB5fhIyLXE5ZqNlwBzX71S +779tIyjShpPXf1HEVxNO8TdVncx/7Zx/FSdwUJm4PMYQmnwBIyKlYWlV2AGgfxFk +mt2VexyS5s4YA1POuyiwW0iH1Ppp9X14KtOfNimBa0yEzgW3CHTEg55MNZup6k2Q +mRGtRjeqM5cjrq/Ix15hISmgbZogPRkhz/tcalK38WWAR4h3N8eIoPasLr9i9OVe +8aqsyXefCrziaiJczA0kCqhoryUUtceMgvaHl+lIPwyW0XWwj+0q45qzjLvKet+V +Q8oKLT1nMr/whgeSJi99f/jE4sWIbHZ0wwR02ZCikKnS05arl3v+hiBKPQARAQAB +tERUYWlsc2NhbGUgSW5jLiAoUGFja2FnZSByZXBvc2l0b3J5IHNpZ25pbmcga2V5 +KSA8aW5mb0B0YWlsc2NhbGUuY29tPokCTgQTAQgAOBYhBCWWqZ6qszghiTwKeUWM +qDKVf1hoBQJeVJm4AhsDBQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJEEWMqDKV +f1hoWHEP/1DYd9WZrodyV5zy1izvj0FXtUReJi374gDn3cHrG6uYtXcE9HWZhxQD +6nDgYuey5sBhLvPQiE/sl5GYXNw/O95XVk8HS54BHCCYq1GeYkZaiCGLGFBA08JK +7PZItGsfdJHwHfhSMtGPS7Cpmylje9gh8ic56NAhC7c5tGTlD69Y8zGHjnRQC6Hg +wF34jdp8JTQpSctpmiOxOXN+eH8N59zb0k30CUym1Am438AR0PI6RBTnubBH+Xsc +eQhLJnmJ1bM6GP4agXw5T1G/qp95gjIddHXzOkEvrpVfJFCtp91VIlBwycspKYVp +1IKAdPM6CVf/YoDkawwm4y4OcmvNarA5dhWBG0Xqse4v1dlYbiHIFcDzXuMyrHYs +D2Wg8Hx8TD64uBHY0fp24nweCLnaZCckVUsnYjb0A494lgwveswbZeZ6JC5SbDKH +Tc2SE4jq+fsEEJsqsdHIC04d+pMXI95HinJHU1SLBTeKLvEF8Zuk7RTJyaUTjs7h +Ne+xWDmRjjR/D/GXBxNrM9mEq6Jvp/ilYTdWwAyrSmTdotHb+NWjAGpJWj5AZCH9 +HeBr2mtVhvTu3KtCQmGpRiR18zMbmemRXUh+IX5hpWGzynhtnSt7vXOvhJdqqc1D +VennRMQZMb09wJjPcvLIApUMl69r29XmyB59NM3UggK/UCJrpYfmuQINBF5UmbgB +EADTSKKyeF3XWDxm3x67MOv1Zm3ocoe5xGDRApPkgqEMA+7/mjVlahNXqA8btmwM +z1BH5+trjOUoohFqhr9FPPLuKaS/pE7BBP38KzeA4KcTiEq5FQ4JzZAIRGyhsAr+ +6bxcKV/tZirqOBQFC7bH2UAHH7uIKHDUbBIDFHjnmdIzJ5MBPMgqvSPZvcKWm40g +W+LWMGoSMH1Uxd+BvW74509eezL8p3ts42txVNvWMSKDkpiCRMBhfcf5c+YFXWbu 
+r5qus2mnVw0hIyYTUdRZIkOcYBalBjewVmGuSIISnUv76vHz133i0zh4JcXHUDqc +yLBUgVWckqci32ahy3jc4MdilPeAnjJQcpJVBtMUNTZ4KM7UxLmOa5hYwvooliFJ +wUFPB+1ZwN8d+Ly12gRKf8qA/iL8M5H4nQrML2dRJ8NKzP2U73Fw+n6S1ngrDX8k +TPhQBq4EDjDyX7SW3Liemj5BCuWJAo53/2cL9P9I5Nu3i2pLJOHzjBSXxWaMMmti +kopArlSMWMdsGgb0xYX+aSV7xW+tefYZJY1AFJ1x2ZgfIc+4zyuXnHYA2jVYLAfF +pApqwwn8JaTJWNhny/OtAss7XV/WuTEOMWXaTO9nyNmHla9KjxlBkDJG9sCcgYMg +aCAnoLRUABCWatxPly9ZlVbIPPzBAr8VN/TEUbceAH0nIwARAQABiQI2BBgBCAAg +FiEEJZapnqqzOCGJPAp5RYyoMpV/WGgFAl5UmbgCGwwACgkQRYyoMpV/WGji9w/8 +Di9yLnnudvRnGLXGDDF2DbQUiwlNeJtHPHH4B9kKRKJDH1Rt5426Lw8vAumDpBlR +EeuT6/YQU+LSapWoDzNcmDLzoFP7RSQaB9aL/nJXv+VjlsVH/crpSTTgGDs8qGsL +O3Y2U1Gjo5uMBoOfXwS8o1VWO/5eUwS0KH7hpbOuZcf9U9l1VD2YpGfnMwX1rnre +INJqseQAUL3oyNl76gRzyuyQ4AIA06r40hZDgybH0ADN1JtfVk8z4ofo/GcfoXqm +hifWJa2SwwHeijhdN1T/kG0FZFHs1DBuBYJG3iJ3/bMeL15j1OjncIYIYccdoEUd +uHnp4+ZYj5kND0DFziTvOC4WyPpv3BlBVariPzEnEqnhjx5RYwMabtTXoYJwUkxX +2gAjKqh2tXissChdwDGRNASSDrChHLkQewx+SxT5kDaOhB84ZDnp+urn9A+clLkN +lZMsMQUObaRW68uybSbZSmIWFVM1GovRMgrPG3T6PAykQhFyE/kMFrv5KpPh7jDj +5JwzQkxLkFMcZDdS43VymKEggxqtM6scIRU55i059fLPAVXJG5in1WhMNsmt49lb +KqB6je3plIWOLSPuCJ/kR9xdFp7Qk88GCXEd0+4z/vFn4hoOr85NXFtxhS8k9GfJ +mM/ZfUq7YmHR+Rswe0zrrCwTDdePjGMo9cHpd39jCvc= +=AIVM +-----END PGP PUBLIC KEY BLOCK----- diff --git a/salt/sys-tailscale/files/repo/tailscale.yum.repo b/salt/sys-tailscale/files/repo/tailscale.yum.repo new file mode 100644 index 00000000..ca8d187a --- /dev/null +++ b/salt/sys-tailscale/files/repo/tailscale.yum.repo @@ -0,0 +1,9 @@ +[tailscale-stable] +name=Tailscale stable +baseurl=https://pkgs.tailscale.com/stable/fedora/$basearch +enabled=1 +type=rpm +repo_gpgcheck=1 +gpgcheck=1 +gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-tailscale +# vim: ft=toml diff --git a/salt/sys-tailscale/files/server/qubes-bind-dirs.d/50-sys-tailscale.conf b/salt/sys-tailscale/files/server/qubes-bind-dirs.d/50-sys-tailscale.conf new file mode 100644 index 00000000..a196586d --- /dev/null 
+++ b/salt/sys-tailscale/files/server/qubes-bind-dirs.d/50-sys-tailscale.conf
@@ -0,0 +1,8 @@
+# SPDX-FileCopyrightText: 2024 Benjamin Grande M. S.
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+binds+=('/var/lib/tailscale')
+binds+=('/var/cache/tailscale')
+
+# vim: ft=bash
diff --git a/salt/sys-tailscale/files/server/systemd/tailscaled.service.d/50_qusal.conf b/salt/sys-tailscale/files/server/systemd/tailscaled.service.d/50_qusal.conf
new file mode 100644
index 00000000..a1975283
--- /dev/null
+++ b/salt/sys-tailscale/files/server/systemd/tailscaled.service.d/50_qusal.conf
@@ -0,0 +1,11 @@
+# SPDX-FileCopyrightText: 2023 - 2024 Benjamin Grande M. S.
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+# vim: ft=systemd
+[Unit]
+ConditionPathExists=/var/run/qubes-service/tailscale
+After=qubes-sysinit.service
+
+[Service]
+Environment=TS_DEBUG_FIREWALL_MODE=nftables
+Environment=TS_NO_LOGS_NO_SUPPORT=true
diff --git a/salt/sys-tailscale/init.top b/salt/sys-tailscale/init.top
new file mode 100644
index 00000000..d6713eb8
--- /dev/null
+++ b/salt/sys-tailscale/init.top
@@ -0,0 +1,12 @@
+{#
+SPDX-FileCopyrightText: 2023 Benjamin Grande M. S.
+
+SPDX-License-Identifier: AGPL-3.0-or-later
+#}
+
+base:
+ 'dom0':
+ - match: nodegroup
+ - sys-tailscale.create
+ 'tpl-sys-tailscale':
+ - sys-tailscale.install
diff --git a/salt/sys-tailscale/install-repo.sls b/salt/sys-tailscale/install-repo.sls
new file mode 100644
index 00000000..d8673514
--- /dev/null
+++ b/salt/sys-tailscale/install-repo.sls
@@ -0,0 +1,12 @@
+{#
+SPDX-FileCopyrightText: 2023 - 2024 Benjamin Grande M. S.
+
+SPDX-License-Identifier: AGPL-3.0-or-later
+#}
+
+{% if grains['nodename'] != 'dom0' -%}
+
+{% from 'utils/macros/install-repo.sls' import install_repo -%}
+{{ install_repo(sls_path, 'tailscale') }}
+
+{% endif -%}
diff --git a/salt/sys-tailscale/install-repo.top b/salt/sys-tailscale/install-repo.top
new file mode 100644
index 00000000..10e5c855
--- /dev/null
+++ b/salt/sys-tailscale/install-repo.top
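Review bot: The two `Environment=` lines in tailscaled.service.d/50_qusal.conf have no explanation, although both change security-relevant behaviour of the daemon. `TS_NO_LOGS_NO_SUPPORT=true` turns off log upload to Tailscale, and `TS_DEBUG_FIREWALL_MODE=nftables` forces the nftables backend, presumably so the rules coexist with the Qubes firewall (not confirmable from this hunk). I would add one comment above each, e.g. `# Do not upload daemon logs to Tailscale.` and `# Force the nftables backend instead of auto-detection.`, so a later cleanup does not drop them by accident. The `ConditionPathExists` gate on the qubes-service flag is a good default, since the unit stays inactive in qubes that merely inherit the template.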
@@ -0,0 +1,9 @@
+{#
+SPDX-FileCopyrightText: 2023 - 2024 Benjamin Grande M. S.
+
+SPDX-License-Identifier: AGPL-3.0-or-later
+#}
+
+base:
+ 'tpl-sys-tailscale':
+ - sys-tailscale.install-repo
diff --git a/salt/sys-tailscale/install.sls b/salt/sys-tailscale/install.sls
new file mode 100644
index 00000000..2573488c
--- /dev/null
+++ b/salt/sys-tailscale/install.sls
@@ -0,0 +1,56 @@
+{#
+SPDX-FileCopyrightText: 2023 - 2024 Benjamin Grande M. S.
+
+SPDX-License-Identifier: AGPL-3.0-or-later
+#}
+
+{% if grains['nodename'] != 'dom0' -%}
+
+include:
+ - .install-repo
+ - utils.tools.common.update
+
+"{{ slsdotpath }}-systemd":
+ file.recurse:
+ - name: /usr/lib/systemd/system/
+ - source: salt://{{ slsdotpath }}/files/server/systemd/
+ - dir_mode: '0755'
+ - file_mode: '0644'
+ - user: root
+ - group: root
+ - makedirs: True
+
+"{{ slsdotpath }}-installed":
+ pkg.installed:
+ - require:
+ - sls: {{ slsdotpath }}.install-repo
+ - sls: utils.tools.common.update
+ - file: "{{ slsdotpath }}-systemd"
+ - install_recommends: False
+ - skip_suggestions: True
+ - pkgs:
+ - qubes-core-agent-networking
+ - qubes-core-agent-passwordless-root
+ - tailscale
+ - bash-completion
+ - man-db
+
+"{{ slsdotpath }}-unmask-tailscaled":
+ service.unmasked:
+ - name: tailscaled
+ - runtime: False
+
+"{{ slsdotpath }}-enable-tailscaled":
+ service.enabled:
+ - name: tailscaled
+
+"{{ slsdotpath }}-bind-dirs":
+ file.managed:
+ - name: /etc/qubes-bind-dirs.d/50-{{ slsdotpath }}.conf
+ - source: salt://{{ slsdotpath }}/files/server/qubes-bind-dirs.d/50-{{ slsdotpath }}.conf
+ - mode: '0644'
+ - user: root
+ - group: root
+ - makedirs: True
+
+{% endif -%}
diff --git a/salt/sys-tailscale/install.top b/salt/sys-tailscale/install.top
new file mode 100644
index 00000000..dc27b0e2
--- /dev/null
+++ b/salt/sys-tailscale/install.top
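Review bot: The `pkgs` list of the `-installed` state in install.sls pulls `qubes-core-agent-passwordless-root` into tpl-sys-tailscale, so every qube based on it, including the network-facing sys-tailscale, lets any local process become root without a prompt. The hunk gives no reason for the package. If it is only there so the user can drive the `tailscale` CLI, running `tailscale set --operator=user` once as root would let the unprivileged account manage the daemon without it. Either drop the package or put a comment above it stating why it is required, e.g. `## Needed to run 'tailscale up' interactively; see README.`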
@@ -0,0 +1,9 @@
+{#
+SPDX-FileCopyrightText: 2023 Benjamin Grande M. S.
+
+SPDX-License-Identifier: AGPL-3.0-or-later
+#}
+
+base:
+ 'tpl-sys-tailscale':
+ - sys-tailscale.install
diff --git a/salt/sys-tailscale/version b/salt/sys-tailscale/version
new file mode 100644
index 00000000..8acdd82b
--- /dev/null
+++ b/salt/sys-tailscale/version
@@ -0,0 +1 @@
+0.0.1