I am in the process of learning how Salt is currently (R4.1) used in Qubes OS to automate the creation and configuration of individual qubes. I’ve created a few states that describe split-SSH and split-GPG, along with a few smaller tasks (Git, SSH and GPG config). I think the split-SSH and split-GPG would have re-use value.
I am treating the split-SSH state as a proof-of-concept and currently I see two main limitations:
- I don’t have a good way to import them from my `dom0`. I believe that packaging them could help, but would love if someone could confirm or correct me, and give me some pointers to relevant docs.
- The qube names are currently hard-coded (`ssh-client` for readability). I personally use `ssh-client` for example and I find it reasonable to think that one could want to use multiple clients with the same vault. I believe there should be a way to use Salt pillar to provide custom names, but I haven’t found the way to target qubes based on pillar data. Again, any pointers would be greatly appreciated. (I’m happy to create a separate discussion on GitHub if that helps.)
- Some of the state applies to the template of the `ssh-client`. I hard-coded it to `fedora32`, then tried to get that information from the client grains without success. (I think using grains for this purpose is ok, but maybe I’m wrong?) Again, I have no doubt the information about any given qube template is available somewhere, I’d love if someone could point me in the right direction.
Those are a lot of questions. I’m happy to write a how-to or a tutorial for the docs (using split-SSH as an example) if I find the way to complete the loop and create / package / whatever-needs-to-be-done to make a Salt formula convenient to use in Qubes OS.