a bunch of cleanups, and isnic wireguard config is now basically complete

isnic/appvm-isnic.sls

 # -*- coding: utf-8 -*-
 # vim: set syntax=yaml ts=2 sw=2 sts=2 et :
 
-appvm-isnic:
+isnic.present:
     qvm.present:
         - name: isnic
-        - template: debian-10
+        - template: debian-10-desktop
         - label: blue
-        - tags:
-            - work
-            - isnic
+        - require:
+            - qvm: debian-10-desktop.clone
             
-appvm-isnic.prefs:
+isnic.prefs:
     qvm.prefs:
         - name: isnic
         - netvm: sys-wg-isnic
+        - template: debian-10-desktop
+        - label: blue
+        - tags:
+            - work
+            - isnic
         - require:
-            - qvm: appvm-isnic
-            - qvm: netvm-sys-wg-isnic.prefs
+            - qvm: isnic.present
+            - qvm: sys-wg-isnic.prefs

isnic/isnic.sls

+# -*- coding: utf-8 -*-
 # vim: set syntax=yaml ts=2 sw=2 sts=2 et :
 
-isnic.present:
-  qvm.present:
-    - name: isnic
-    - template: debian-9-desktop
-    - label: blue
-      
-isnic.prefs:
-  qvm.prefs:
-    - name: isnic
-    - netvm: sys-net
-    - require:
-        - qvm: isnic.present
+# make sure that /rw/config/hosts.local exists
+/rw/config/hosts.local:
+    file.prepend:
+        - text: |
+            # 
+            # contents of this file are appended to /etc/hosts
+            # on every boot of this vm
+            # it's a good place to configure specfic hosts
+        
+
+# this will add a line to /rw/config/rc.local
+# that will in turn add the required hosts to /etc/hosts in the vm
+# on each boot
+"append /rw/config/hosts.local to /etc/hosts on vm start":
+    file.append:
+        - name: /rw/config/rc.local
+        - text: "cat /rw/config/hosts.local >> /etc/hosts"
+        - require:
+            - file: /rw/config/hosts.local

isnic/isnic.top

@@ -3,4 +3,18 @@
 
 base:
     dom0:
+        - rysieks-qubes.templates.debian-10
+        - rysieks-qubes.templates.debian-10-desktop
+        - rysieks-qubes.templates.debian-10-wg
+        - rysieks-qubes.isnic.netvm-sys-wg-isnic
         - rysieks-qubes.isnic.appvm-isnic
+
+    debian-10-wg:
+        - rysieks-qubes.wireguard.install
+        - rysieks-qubes.wireguard.template-config
+
+    sys-wg-isnic:
+        - rysieks-qubes.wireguard.netvm-config
+        
+    isnic:
+        - rysieks-qubes.isnic.isnic

netvm-sys-wg-isnic.sls → isnic/netvm-sys-wg-isnic.sls

 # -*- coding: utf-8 -*-
 # vim: set syntax=yaml ts=2 sw=2 sts=2 et :
 
-netvm-sys-wg-isnic:
+sys-wg-isnic.present:
     qvm.present:
         - name: sys-wg-isnic
         - template: debian-10-wg
         - label: gray
         - require:
-            - qvm: template-debian-10-wg.prefs
+            - qvm: debian-10-wg.prefs
 
-netvm-sys-wg-isnic.prefs:
+sys-wg-isnic.prefs:
     qvm.prefs:
         - name: sys-wg-isnic
         - mem: 512
@@ -18,4 +18,4 @@ netvm-sys-wg-isnic.prefs:
         - kernel: ''
         - provides-network: true
         - require:
-            - qvm: netvm-sys-wg-isnic
+            - qvm: sys-wg-isnic.present

sys-wireguard-config.sls

@@ -2,6 +2,7 @@
 
 #
 # this is rysiek-specific wireguard config
+# and it only works when sys-wireguard is a standalone vm
 #
 
 /etc/resolv.conf:

sys-wireguard-isnic.top

-base:
-    dom0:
-        - rysieks-qubes.template-debian-10
-        - rysieks-qubes.template-debian-10-wg
-        - rysieks-qubes.netvm-sys-wg-isnic
-        
-    debian-10-wg:
-        - rysieks-qubes.wireguard-install
-
-    sys-wg-isnic:
-        - rysieks-qubes.wireguard-basic-config

templates-basic-utils-debian.sls

@@ -9,3 +9,5 @@ templates-basic-utils-debian.packages:
       - ssh-askpass-gnome
       - git
       - knot-dnsutils
+      - python-apt
+      - fwknop-client

templates/debian-10-desktop.sls

 # vim: set syntax=yaml ts=2 sw=2 sts=2 et :
 
-debian-10-desktop:
+debian-10-desktop.clone:
   qvm.clone:
+    - name: debian-10-desktop
     - source: debian-10
     - label: black
+    - require:
+        - pkg: debian-10.installed
 
-#debian-10-desktop.prefs:
-#  qvm.prefs:
-#    - name: debian-10-desktop
-#    - netvm: 
+debian-10-desktop.prefs:
+  qvm.prefs:
+    - name: debian-10-desktop
+    - netvm: sys-firewall
+    - require:
+        - qvm: debian-10-desktop.clone

template-debian-10-wg.sls → templates/debian-10-wg.sls

 # -*- coding: utf-8 -*-
 # vim: set syntax=yaml ts=2 sw=2 sts=2 et :
 
-template-debian-10-wg:
-    qvm.vm:
+debian-10-wg.clone:
+    qvm.clone:
         - name: debian-10-wg
-        - clone:
-            - source: debian-10
-            - label: black
-        - tags:
-            - add:
-                - work
-                - networking
-                - security
+        - source: debian-10
+        - label: black
+        - require:
+            - pkg: debian-10.installed
 
-template-debian-10-wg.prefs:
+debian-10-wg.tags:
+    qvm.tags:
+        - name: debian-10-wg
+        - add:
+            - work
+            - networking
+            - security
+        - require:
+            - qvm: debian-10-wg.clone
+            
+debian-10-wg.prefs:
     qvm.prefs:
         - name: debian-10-wg
+        - netvm: sys-firewall
         - kernel: ''
         - virt_mode: hvm
         - require:
-            - qvm: template-debian-10-wg
+            - qvm: debian-10-wg.clone
         

template-debian-10.sls → templates/debian-10.sls

@@ -2,16 +2,23 @@
 # vim: set syntax=yaml ts=2 sw=2 sts=2 et :
 
 ##
-# rysieks-qubes.template-debian-10
+# rysieks-qubes.templates.debian-10
 # ================================
 #
-# Installs 'debian-10-minimal' template.
+# Installs 'debian-10' template.
 #
 # Execute:
-#   qubesctl state.sls rysieks-qubes.template-debian-10 dom0
+#   qubesctl state.sls rysieks-qubes.templates.debian-10 dom0
 ##
 
-template-debian-10:
+debian-10.installed:
   pkg.installed:
     - name:     qubes-template-debian-10
     - fromrepo: qubes-templates-itl
+
+debian-10.prefs:
+    qvm.prefs:
+        - name: debian-10
+        - netvm: sys-firewall
+        - require:
+            - pkg: debian-10.installed

wireguard-basic-config.sls

-# -*- coding: utf-8 -*-
-# vim: set syntax=yaml ts=2 sw=2 sts=2 et :
-
-/rw/config/wg0-privkey:
-    file.absent:
-      - onlyif: test `stat -c "%s" /rw/config/wg0-privkey` -eq '0'
-
-/rw/config/wg0-pubkey:
-    file.absent:
-      - onlyif: test `stat -c "%s" /rw/config/wg0-pubkey` -eq '0'
-
-"wg genkey | tee /rw/config/wg0-privkey | wg pubkey > /rw/config/wg0-pubkey":
-    cmd.run:
-        - creates:
-            - /rw/config/wg0-privkey
-            - /rw/config/wg0-pubkey

wireguard/netvm-config.sls

+# -*- coding: utf-8 -*-
+# vim: set syntax=yaml ts=2 sw=2 sts=2 et :
+
+# remove the wg0.conf config file if it's empty
+/rw/config/wg0.conf:
+    file.absent:
+      - onlyif: test `stat -c "%s" /rw/config/wg0.conf` -eq '0'
+
+# generate the keys
+'echo -e "# this is an automatically generated wg-quick config file\n# please modify it to suit your needs\n\n[Interface]\nAddress = 127.1.1.1/32\nPrivateKey = `wg genkey`\n" > /rw/config/wg0.conf':
+    cmd.run:
+        - creates:
+            - /rw/config/wg0.conf

wireguard/template-config.sls

+# -*- coding: utf-8 -*-
+# vim: set syntax=yaml ts=2 sw=2 sts=2 et :
+
+/etc/wireguard/wg0.conf:
+    file.symlink:
+        - target: /rw/config/wg0.conf
+        - makedirs: True
+        
+/etc/boot.d/wg-quick:
+    file.managed:
+        - source: salt://rysieks-qubes/wireguard/wg-quick
+        - mode: 550
+        - user: root
+        - group: root
+        - makedirs: True

wireguard/wg-quick

+#!/bin/bash
+
+#
+# running wg-quick on boot
+# for all relevant config files in /etc/wireguard/
+#
+
+LOGFILE=/tmp/wg-quick.log
+
+for wgconf in /etc/wireguard/*.conf; do
+    echo "working with: $wgconf" > "$LOGFILE"
+    if ! wg-quick up "$wgconf"; then
+        echo "Error while loading: '$wgconf'" > "$LOGFILE"
+        exit 1;
+    fi
+done
+
+echo "all done at `date +"%F %T"`" > "$LOGFILE"
+
+exit 0