Salt work flow guidance

I’d really like to avoid writing salt states directly in dom0. I can’t seem to find much information on proposed workflows. I was planning on writing a bash script that copies a predefined list of states to dom0://srv/user_* or maybe a state that I can run, but everything I’ve read seems to discourage copying to dom0. What would be the recommended approach here? Just using

qvm-copy <files>

or maybe manually with the gui? Seems rather cumbersome to me.

I realized I could also pregenerate hashes and verify them as part of the step, not really sure though.

One option among others is to package your states and formulas as RPM packages and take advantage of the built-in dom0 secure updates mechanism. I’ve written about that here:


And I have implemented it here -

But using RPMs doesn’t fix any problems - if the creator is hostile, or
the source compromised, then it would be possible to embed unwanted
actions into the RPM.

For your case, I don’t see anything wrong in copying plain text files
where you know the effects into dom0, and running those states.
You could mitigate risk by keeping the dev qube offline.
Then in dom0 you can run a script that tars the files, copies them to
dom0, and untars them in place.

A good alternative, of course, is to write the states in dom0 - you
already have the tools there.

I do have experience creating custom debians for internal distribution, RPMs wouldn’t be much different. But yeah, I already started writing some shell to copy and verify sha256 sums. Manually creating an offline development qube for this task (before I can get my salt files online) seems to be a good compromise. Thanks, I’ll continue with a scripted copy/hash verification solution from an offline qube.
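An added example (not code from either poster) of the tar, copy and untar procedure with the hash verification step discussed above, written to run in dom0. It assumes a qube named salt-dev, a state directory /home/user/salt inside it, and a sha256sum manifest kept in dom0 at /root/salt-states.sha256; the manifest stays in dom0 rather than travelling inside the tarball, because a manifest produced and delivered by the same qube would only catch transit corruption.

```shell
#!/bin/sh
# Added example: dom0-side script that pulls a tar stream of Salt states out of
# an offline dev qube, checks every file against a SHA-256 manifest held in
# dom0, and only then copies the tree into /srv/user_salt.
# Assumed names: the qube "salt-dev", the source directory inside it, and the
# manifest path in dom0. Override them through the environment.
set -eu

DEV_QUBE="${DEV_QUBE:-salt-dev}"                  # offline development qube
SRC_DIR="${SRC_DIR:-/home/user/salt}"             # state tree inside that qube
DEST_DIR="${DEST_DIR:-/srv/user_salt}"            # dom0 user state tree
MANIFEST="${MANIFEST:-/root/salt-states.sha256}"  # sha256sum output, kept in dom0

# Stream "tar -c" from the qube into a file in dom0 (qvm-run --pass-io relays stdout).
fetch_states() {
    qvm-run --pass-io "$DEV_QUBE" "tar -C '$SRC_DIR' -cf - ." > "$1"
}

# verify_tree TREE MANIFEST: returns 0 only if every listed file matches its hash
# AND the tree holds no file the manifest does not list (an extra .sls or a stray
# top.sls would otherwise be applied unnoticed). MANIFEST must be an absolute path,
# produced in the dev qube with: (cd SRC_DIR && find . -type f | sort | xargs sha256sum)
verify_tree() {
    tree=$1; manifest=$2
    [ -f "$manifest" ] || { echo "manifest missing: $manifest" >&2; return 1; }
    ( cd "$tree" && sha256sum -c "$manifest" >/dev/null 2>&1 ) \
        || { echo "hash mismatch against $manifest" >&2; return 1; }
    listed=$(awk '{ print $2 }' "$manifest" | sort)
    present=$(cd "$tree" && find . -type f | sort)
    [ "$listed" = "$present" ] \
        || { echo "tree contains files not in manifest" >&2; return 1; }
    return 0
}

# Fetch, unpack into scratch space, verify, and only then install in place.
install_states() {
    work=$(mktemp -d)
    fetch_states "$work/states.tar"
    mkdir "$work/tree"
    tar -xf "$work/states.tar" -C "$work/tree"   # never unpack straight into /srv
    if verify_tree "$work/tree" "$MANIFEST"; then
        mkdir -p "$DEST_DIR" && cp -a "$work/tree/." "$DEST_DIR/"
        rm -rf "$work"
    else
        rm -rf "$work"; return 1
    fi
}

# Run the full procedure only when asked explicitly, so the functions can be sourced.
case "${1:-}" in install) install_states ;; esac
```

Usage in dom0: `sh salt-pull.sh install`; the manifest is regenerated in the dev qube and copied to dom0 once per change set, so any file altered or added after that point is rejected before it reaches /srv.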