Same for me. And I must say I also found getting started learning Salt (and making sense of it in the context of Qubes OS) required a significant effort. (Enjoyable effort, but significant nonetheless!)
A bit of context: writing down configuration to automate complex interactions is something that helps me a lot in making sense of them. That prompted me to start publishing my learning notes (forum thread) and reflect on how I would explain how to use Salt for Qubes OS to someone already comfortable with the tasks they want to automate. (That’s a key part where I agree totally with the thoughts that @adw and @Sven posted above.)
To build on the above, my takeaways so far:
- There are a few recurrent patterns that are specific to Qubes OS.
- Even if it’s not obvious at first, using Salt in Qubes OS isn’t that different from using Salt otherwise because the Qubes OS team provides tools to manage the qubes themselves.
- Salt is extremely flexible, its docs reflect that, and that makes it harder to get started. I am convinced that providing opinionated ways to render a few recurrent patterns can provide guidance to decompose complex scenarios into a collection of simpler parts. Once that is done, in my experience, the Salt concepts handle the coordination of smaller pieces nicely, the official Salt docs become very useful reference material and the resulting states/formulas can be quite readable.
- Automated testing of Salt states and formulas requires a significant setup. I haven’t settled on anything satisfactory yet myself.
I’ve been able to create a range of states and formulas from the following limited set of patterns.
I’ll use “qube” generically for brevity; some of the patterns make sense for an AppVM or a TemplateVM or dom0 or several of them, but the idea is the same:
- ensuring that a qube exists
- ensuring that a package is available in a qube
- ensuring that a file is present in a persistent location of a qube
- ensuring that a file is present in a non-persistent location of a qube (that is, gets created when the qube starts)
- ensuring that some content is present in a persistent file in a qube
- ensuring that some content is present in a non-persistent file in a qube (that is, gets added to the file when the qube starts)
Each of those patterns, in turn, can be rendered quite simply in Salt, which is good for review. (Happy to provide examples for discussion if useful.)
That’s what I have so far. To recap: I don’t see how we can skip on formulas being reviewed by the Qubes OS team, or people being able to understand the formulas themselves. That being said, I believe we can decompose most formulas into a collection of well-known patterns (see above for a starting point), which could be a step towards making review less time-consuming and the Salt + Qubes OS learning curve more accessible.
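Worked example, added here to illustrate the six patterns listed in the post above; it is not the poster's code nor anything shipped by the Qubes OS project. Every concrete name is an assumption made for the example: the template `fedora-38`, the qube `work-notes`, the state directory `my-notes`, the packages, the paths under `/rw/config`, and the sample address in the hosts file. The states are split by target, since dom0 manages the qubes themselves while packages and files are managed from inside the template or the AppVM.

```yaml
# --- dom0 state: /srv/salt/my-notes/dom0.sls
# Apply with: sudo qubesctl state.apply my-notes.dom0
# Pattern: ensure that a qube exists (and has the preferences we want).
# "qvm.vm" wraps qvm.present and qvm.prefs so that one ID manages both.
work-notes:                       # hypothetical qube name
  qvm.vm:
    - present:
      - template: fedora-38       # hypothetical template name
      - label: blue
    - prefs:
      - netvm: sys-firewall

# --- template state: /srv/salt/my-notes/template.sls
# Apply with: sudo qubesctl --skip-dom0 --targets fedora-38 state.apply my-notes.template
# Pattern: ensure that a package is available in a qube.
# Installing in the template makes the package available to every qube based on it.
my-notes-packages:
  pkg.installed:
    - pkgs:
      - git
      - tmux

# Pattern: ensure that a file is present in a persistent location.
# In a template the root filesystem is persistent, so a plain file.managed is enough.
/etc/tmux.conf:
  file.managed:
    - contents: |
        set -g mouse on
    - user: root
    - group: root
    - mode: '0644'

# --- AppVM state: /srv/salt/my-notes/appvm.sls
# Apply with: sudo qubesctl --skip-dom0 --targets work-notes state.apply my-notes.appvm
# Pattern: ensure that a file is present in a persistent location of an AppVM.
# /rw survives reboots of the AppVM, unlike /etc, which comes from the template.
/rw/config/my-notes-hosts:
  file.managed:
    - contents: |
        10.137.0.42  notes.internal
    - user: root
    - group: root
    - mode: '0644'

# Pattern: ensure that some content is present in a persistent file.
# /rw/config/rc.local is persistent and executed by Qubes at every qube start,
# which is what makes the two non-persistent patterns below work.
my-notes-hosts-at-boot:
  file.append:
    - name: /rw/config/rc.local
    - text: |
        # my-notes: content present in a non-persistent file (/etc/hosts) after each boot
        cat /rw/config/my-notes-hosts >> /etc/hosts
    - require:
      - file: /rw/config/my-notes-hosts

# Pattern: ensure that a file is present in a non-persistent location
# (created when the qube starts): keep the source under /rw and copy it at boot.
/rw/config/my-notes-motd:
  file.managed:
    - contents: |
        Managed by the my-notes formula.
    - mode: '0644'

my-notes-motd-at-boot:
  file.append:
    - name: /rw/config/rc.local
    - text: |
        # my-notes: file present in a non-persistent location after each boot
        install -m 0644 /rw/config/my-notes-motd /etc/motd
    - require:
      - file: /rw/config/my-notes-motd
```

A few things worth checking when reviewing states of this shape: `file.append` only adds lines that are not already in the target file, so re-applying the state does not duplicate the `rc.local` entries, but editing the text later leaves the old lines behind; `rc.local` runs as root at every start, so anything appended to it is effectively a persistent root-level hook and deserves the same scrutiny as the persistent files themselves; and `qubesctl --targets` starts the targeted qube to apply the state, so the non-persistent results are only visible after the next restart of that qube.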