How can I write to the /rw/config/rc.local file using Salt?

Hello,

I’ve been working on a salt script to configure my development environment. Thanks to some great posts here in the community and good docs I managed to get pretty far already.

I followed mostly this:

And I got to the point where I can already create my template from a cloned fedora template, install the apps that I need and change my default shell.

So far I’ve been only working on a single file I created in /srv/user_salt/developer.sls

And I’ve been using the jinja syntax to decide where to run things.

I trigger salt with: sudo qubesctl --targets=fedora-44-dev state.sls developer

What I wasn’t able to figure out is how I can apply some changes in the actual AppVM. More precisely, I am configuring split ssh, so I know how I can append to the rpc policy file in dom0 with:

/etc/qubes/policy.d/50-ssh.policy:
  file.append:
    - text: |
        qubes.SshAgent * dev vault ask default_target=vault

But how do I get this part auto-written to /rw/config/rc.local in my AppVM?:

/rw/config/rc.local:
  file.append:
    - text: |
        SSH_VAULT_VM="vault"
        if [ "$SSH_VAULT_VM" != "" ]; then
          export SSH_SOCK="/home/user/.SSH_AGENT_$SSH_VAULT_VM"
          rm -f "$SSH_SOCK"
          sudo -u user /bin/sh -c "umask 177 && exec socat 'UNIX-LISTEN:$SSH_SOCK,fork' 'EXEC:qrexec-client-vm $SSH_VAULT_VM qubes.SshAgent'" &
        fi

The command runs all the states I created, but it never gets to run the one for /rw/config/rc.local.

I think it is because it is gated behind this elif block:
{% elif grains['id'] == 'dev' %}

So it never gets to run the rw command block.

Thanks in advance

Well, you used elif - so either the prior if or following else statement got executed.

Apart from that … you could improve some aspects.

Instead of appending to the rc.local file (which will break if executed multiple times …) you could create a .rc file like /rw/config/rc.local.d/ssh-vault.rc

/rw/config/rc.local.d/ssh-vault.rc:
   file.managed:
      - makedirs: True
      - contents: |
         #!/bin/bash
         SSH_VAULT=...
      - mode: '0751'

These .rc files get executed just like the default rc.local file, but in an organized manner.


For debugging purposes, if your state /rw/config/rc.local: weren’t wrapped in jinja, you could simply run that single state instead of the whole file:

sudo qubesctl --targets=fedora-44-dev state.sls_id /rw/config/rc.local developer

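As an added example (not code from either post above), here is what a complete developer.sls could look like when the two pieces are combined: the dom0 policy state from the question, and the reply's suggestion of an idempotent file.managed state that drops a .rc file into /rw/config/rc.local.d/ instead of appending to rc.local. It assumes the AppVM is named dev and is the qube passed to --targets; inside a qube, grains['id'] is that qube's own name, which is why a block gated on 'dev' only renders when the state actually runs in a qube called dev.

```yaml
# Added example, not from the thread. Assumes the AppVM is named "dev" and the
# vault qube is named "vault"; adjust both names to match your setup.
{% if grains['id'] == 'dom0' %}

# dom0 part: allow "dev" to reach the agent in "vault" (policy line from the question).
/etc/qubes/policy.d/50-ssh.policy:
  file.append:
    - text: |
        qubes.SshAgent * dev vault ask default_target=vault

{% elif grains['id'] == 'dev' %}

# AppVM part: file.managed rewrites the same file on every run, so re-applying
# the state is safe, unlike file.append on rc.local, which adds another copy
# of the block each time.
/rw/config/rc.local.d/ssh-vault.rc:
  file.managed:
    - makedirs: True
    - user: root
    - group: root
    - mode: '0751'
    - contents: |
        #!/bin/bash
        SSH_VAULT_VM="vault"
        if [ "$SSH_VAULT_VM" != "" ]; then
          export SSH_SOCK="/home/user/.SSH_AGENT_$SSH_VAULT_VM"
          rm -f "$SSH_SOCK"
          # umask 177 keeps the socket readable only by "user", so no other
          # local account in the AppVM can talk to the vault's agent through it.
          sudo -u user /bin/sh -c "umask 177 && exec socat 'UNIX-LISTEN:$SSH_SOCK,fork' 'EXEC:qrexec-client-vm $SSH_VAULT_VM qubes.SshAgent'" &
        fi

{% endif %}
```

Applying it with the command from the question, but pointed at the AppVM (sudo qubesctl --targets=dev state.sls developer), renders the dev branch inside that qube; the .rc file then runs at every boot of the AppVM the same way rc.local does. The policy line and the socat command are the ones from the original posts; only the surrounding state structure, the user/group keys and the comments are added here.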

Hey,

The only other block would be dom0, my understanding is that during this block I should be creating the template only?

So what I had was:

{% if grains['id'] == 'dom0' %}

… Create template here …

{% elif grains['id'] == 'dev' %}

… create the rc config here …

But yeah, it never gets to the dev block, so I am not sure if dev is the right block id. I am assuming it is the name I used when creating the AppVM qube.

Btw, thanks for the /rw/config/rc.local.d/ssh-vault.rc tip, I didn’t know I could do that! Will definitely apply it.

But I am still not sure how I trigger salt to run in the AppVM: if I don’t put it behind the jinja block and just run the standalone /rw/config/rc.local: state like you suggested, will qubes/salt already figure out that it should be triggered in the AppVM?

Thanks again