sys-usb.sls
# -*- coding: utf-8 -*-
# vim: set syntax=yaml ts=2 sw=2 sts=2 et :
##
# qvm.sys-usb
# ===========
#
# Installs 'sys-usb' UsbVM.
#
# Pillar data will also be merged if available within the ``qvm`` pillar key:
# ``qvm:sys-usb``
#
# located in ``/srv/pillar/dom0/qvm/init.sls``
#
# Execute:
# qubesctl state.sls qvm.sys-usb dom0
##
# Name of dom0's default template; used below to derive the "<template>-dvm"
# parent when sys-usb is created as a DispVM. An empty result (no default
# template configured) is not guarded against here.
{% set default_template = salt['cmd.shell']('qubes-prefs default-template') %}
# PCI USB controllers reported by the pci_usb_devs grain. The list is edited
# in place below and later assigned to the VM's pcidevs.
{% set usb_pcidevs = salt['grains.get']('pci_usb_devs', []) %}
# leave devices listed in rd.qubes.dom0_usb alone
# The kernelparams grain is iterated as (param, value) pairs; rd.qubes.dom0_usb
# carries a comma-separated list of controllers that must stay in dom0, so
# they are removed from the set handed to sys-usb.
{% for param, value in salt['grains.get']('kernelparams', []) %}
  {# 'value is string' presumably skips a bare flag with no '=value' part #}
  {% if param == 'rd.qubes.dom0_usb' and value is string %}
    {% for dev in value.split(',') %}
      {% if dev in usb_pcidevs %}
        {% do usb_pcidevs.remove(dev) %}
      {% endif %}
    {% endfor %}
  {% endif %}
{% endfor %}
# qvm.hide-usb-from-dom0 is always pulled in; qvm.default-dispvm only when the
# qvm:sys-usb:disposable pillar flag is set (the DispVM branch below depends on it).
include:
{% if salt['pillar.get']('qvm:sys-usb:disposable', false) %}
  - qvm.default-dispvm
{% endif %}
  - qvm.hide-usb-from-dom0
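{% from "qvm/template.jinja" import load -%}

# Avoid duplicated states: a dedicated sys-usb VM is only created when its
# pillar name differs from sys-net's. Otherwise (else branch) the USB
# controllers are attached to the existing sys-net VM instead.
{% if salt['pillar.get']('qvm:sys-usb:name', 'sys-usb') != salt['pillar.get']('qvm:sys-net:name', 'sys-net') %}
{% load_yaml as defaults -%}
name:          sys-usb
present:
{% if salt['pillar.get']('qvm:sys-usb:disposable', false) %}
  - class:     DispVM
  - template:  {{default_template}}-dvm
{% endif %}
  - label:     red
  - mem:       300
  - flags:
    - net
prefs:
  # Empty netvm: the USB VM gets no network access.
  - netvm: ""
  - virt_mode: hvm
  - autostart: true
  # Controllers from the pci_usb_devs grain, minus those reserved for dom0
  # via rd.qubes.dom0_usb (filtered at the top of this file).
  - pcidevs: {{ usb_pcidevs|yaml }}
  # NOTE(review): disabling strict reset presumably allows controllers that
  # cannot be fully reset to be attached; confirm against the Qubes docs if
  # you need device state to be cleared between VM starts.
  - pci_strictreset: false
service:
  - disable:
    - network-manager
    - meminfo-writer
{% if salt['pillar.get']('qvm:sys-usb:disposable', false) %}
require:
  - qvm: {{default_template}}-dvm
{% endif %}
{%- endload %}

{{ load(defaults) }}
{% else %}
{% set vmname = salt['pillar.get']('qvm:sys-net:name', 'sys-net') %}
# Same VM name for sys-usb and sys-net: hand the USB controllers to the NetVM.
# This drops the separation between USB and network handling -- one VM then
# owns both sets of devices.
{{ vmname }}-usb:
  qvm.prefs:
    - name: {{ vmname }}
    - pcidevs: {{ (salt['grains.get']('pci_net_devs', []) + usb_pcidevs)|yaml }}
    # Lowercase boolean for consistency with the DispVM branch above.
    - pci_strictreset: false
    - require:
      - sls: qvm.sys-net
{% endif %}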
# Package that provides the input proxy; the RPC policy state below requires it.
qubes-input-proxy:
  pkg.installed: []
# Setup Qubes RPC policy
# Prepends one rule for the sys-usb VM to the qubes.InputMouse policy so it is
# evaluated before the rules already in the file. Only 'ask' (default) and
# 'allow' are rendered. 'allow' lets mouse input from sys-usb reach dom0
# (handled as root, per user=root) without a confirmation prompt; 'ask'
# requires the user to approve it first. Any other pillar value renders the
# state without a `text` argument, which presumably makes file.prepend fail
# rather than deny -- confirm if a 'deny' option is wanted.
sys-usb-input-proxy:
  file.prepend:
    - name: /etc/qubes-rpc/policy/qubes.InputMouse
{% if salt['pillar.get']('qvm:sys-usb:mouse-action', 'ask') == 'ask' %}
    - text: {{ salt['pillar.get']('qvm:sys-usb:name', 'sys-usb') }} dom0 ask,user=root,default_target=dom0
{% elif salt['pillar.get']('qvm:sys-usb:mouse-action', 'ask') == 'allow' %}
    - text: {{ salt['pillar.get']('qvm:sys-usb:name', 'sys-usb') }} dom0 allow,user=root
{% endif %}
    - require:
      - pkg: qubes-input-proxy
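# systemd drop-in ordering the sys-usb VM's service before user sessions,
# presumably so USB input devices are already usable at the login screen.
# makedirs is needed because the .service.d directory may not exist yet.
/etc/systemd/system/qubes-vm@{{ salt['pillar.get']('qvm:sys-usb:name', 'sys-usb') }}.service.d/50_autostart.conf:
  file.managed:
    - contents: |
        [Unit]
        Before=systemd-user-sessions.service
    # Lowercase boolean for consistency with the other booleans in this file.
    - makedirs: true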