sys-vpn.sls
{# Pillar-driven inputs for this state file:
   - qubes:default supplies the memory/maxmem/vcpus values and the window
     background colour applied to every qube below;
   - sys-vpn lists, under vms, the VPN qubes to create (one per key);
   - wireguard lists, under config, the peers whose Endpoint values are
     allowed out through each VPN qube's firewall. #}
{% set default = salt['pillar.get']('qubes:default') %}
{% set vpn = salt['pillar.get']('sys-vpn') %}
{% set wg = salt['pillar.get']('wireguard') %}
{# Base template for every VPN disposable template created further down,
   cloned from the minimal Fedora 42 template. #}
sys-vpn-template:
  qvm.clone:
    - source: fedora-42-minimal
{# Label and resource sizing for the shared template; the sizing values
   come from the qubes:default pillar so all qubes here are sized alike. #}
sys-vpn-template-prefs:
  qvm.prefs:
    - name: sys-vpn-template
    - label: black
    - memory: {{ default.memory }}
    - maxmem: {{ default.maxmem }}
    - vcpus: {{ default.vcpus }}
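{# One VPN qube per entry in the sys-vpn:vms pillar. The 'default' key
   yields a qube named plain sys-vpn; any other key yields sys-vpn-<key>. #}
{% for key, config in vpn.vms.items() %}
{% set name = 'sys-vpn' if key == 'default' else 'sys-vpn-' ~ key %}

{# Disposable template for this VPN qube, based on sys-vpn-template. #}
{{ name }}-dvm:
  qvm.vm:
    - name: {{ name }}-dvm
    - present:
      - label: black
      - template: sys-vpn-template
    - prefs:
      - memory: {{ default.memory }}
      - maxmem: {{ default.maxmem }}
      - vcpus: {{ default.vcpus }}
      - template_for_dispvms: True
    - tags:
      - add:
        - vpn

{# The VPN qube itself: a named DispVM that uplinks through sys-firewall
   and provides network to whatever qubes are attached to it. #}
{{ name }}:
  qvm.vm:
    - name: {{ name }}
    - present:
      - class: DispVM
      - template: {{ name }}-dvm
      - label: blue
    - prefs:
      - netvm: sys-firewall
      - autostart: {{ config.autostart }}
      - provides-network: True
      - memory: {{ default.memory }}
      - maxmem: {{ default.maxmem }}
      - vcpus: {{ default.vcpus }}
    - features:
      - set:
        # Quoted: an unquoted value starting with '#' (presumably an
        # #rrggbb colour) would be read as a YAML comment and become null.
        - gui-window-background-color: '{{ default.winbgcolor }}'

{# Per-qube firewall script. After it runs, the only outbound traffic the
   VPN qube may originate is UDP/51820 to the configured WireGuard
   endpoints; everything else is dropped. The script is regenerated and
   re-run whenever the pillar changes the rendered contents. #}
{{ name }}-qvm-firewall:
  file.managed:
    # Same absolute path as the cmd.run below so the file that is managed
    # is provably the file that is executed.
    - name: /home/user/.config/qvm-firewall/{{ name }}
    - user: user
    - group: user
    # Quoted so the YAML loader cannot read the leading-zero mode as an
    # octal integer (0755 -> 493).
    - mode: '0755'
    - makedirs: True
    - contents: |
        #!/bin/bash
        # Abort on the first failing qvm-firewall call so a partially
        # applied rule set surfaces as a state failure instead of being
        # left in place silently.
        set -euo pipefail
        # NOTE(review): between `reset` and the `del --rule-no 0` below the
        # qube briefly carries whatever default rule `reset` installs —
        # confirm that window is acceptable for this deployment.
        qvm-firewall {{ name }} reset
        qvm-firewall {{ name }} del --rule-no 0
        {%- for peer, peer_cfg in wg.config.items() %}
        {%- if peer != 'default' %}
        qvm-firewall {{ name }} add accept proto=udp dstports=51820 dsthost={{ peer_cfg.Endpoint }}
        {%- endif %}
        {%- endfor %}
        qvm-firewall {{ name }} add drop
  # NOTE(review): cmd.run executes a file owned and writable by 'user' with
  # the privileges salt itself runs under; add `runas: user` if that
  # privilege boundary matters in this dom0 setup.
  cmd.run:
    - name: /home/user/.config/qvm-firewall/{{ name }}
    - onchanges:
      - file: {{ name }}-qvm-firewall

{% endfor %}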