qubes-salt-stuff/Makefile

SHELL = /bin/sh

ifneq (,$(wildcard .bundle-env))
include .bundle-env
endif

ifeq (root,$(shell whoami))
check-root = @true
else
check-root = $(error this target requires root)
endif

ifeq (dom0,$(shell hostname))
check-dom0 = @true
check-domu = $(error this target must be run in the guest qube)
else
check-dom0 = $(error this target must be run in dom0)
check-domu = @true
endif

BUNDLEOUT := .bundles/dom0.bundle
BUNDLEIN := .bundles/domu.bundle

clean-workdir = git init -q -b $* && git diff --quiet && git diff --cached --quiet || (echo 'dirty tree; check git status' && false)

create-bundle = git show-ref --verify --quiet refs/remotes/$(1)/$* \
	&& git bundle create $(BUNDLEOUT) $(1)/$*..$* \
	|| git bundle create $(BUNDLEOUT) $*

.PHONY: pull pull/%
pull: pull/$(shell git branch --show-current)
pull/%:
	echo "check dom0"
	$(check-dom0)
	echo "clean workdir"
	$(clean-workdir)
	
	echo "creating bundle"
	qvm-run -p $(GUEST) "cd $(GUEST_REPO) && $(call create-bundle,dom0)" </dev/null

	qvm-run -p $(GUEST) "cat $(GUEST_REPO)/$(BUNDLEIN)" </dev/null >$(BUNDLEIN)

	git remote add $(GUEST) $(BUNDLEIN) || true
	
	git pull $(GUEST) $*:$*
		
	qvm-run -p $(GUEST) "cd $(GUEST_REPO) && git update-ref refs/remotes/dom0/$* $*" </dev/null

	@echo "updated branch $* from $(GUEST)"

apply:
	echo "Applying salt states"
	pushd ./guardian
	sudo qubesctl top.enable guardian
	sudo qubesctl --show-output --all state.apply
	popd
feat: add basic Makefile and .gitignore 2025-10-20 14:53:32 +02:00			`SHELL = /bin/sh`

			`ifneq (,$(wildcard .bundle-env))`
			`include .bundle-env`
			`endif`

			`ifeq (root,$(shell whoami))`
			`check-root = @true`
			`else`
			`check-root = $(error this target requires root)`
			`endif`

			`ifeq (dom0,$(shell hostname))`
			`check-dom0 = @true`
			`check-domu = $(error this target must be run in the guest qube)`
			`else`
			`check-dom0 = $(error this target must be run in dom0)`
			`check-domu = @true`
			`endif`

			`BUNDLEOUT := .bundles/dom0.bundle`
			`BUNDLEIN := .bundles/domu.bundle`

			`clean-workdir = git init -q -b $* && git diff --quiet && git diff --cached --quiet \|\| (echo 'dirty tree; check git status' && false)`

fix: typo, () instead of {} 2025-10-20 15:19:48 +02:00			`create-bundle = git show-ref --verify --quiet refs/remotes/$(1)/$* \`
feat: add basic Makefile and .gitignore 2025-10-20 14:53:32 +02:00			`&& git bundle create $(BUNDLEOUT) $(1)/$..$ \`
			`\|\| git bundle create $(BUNDLEOUT) $*`

debug: makefile testing 2025-10-20 15:08:03 +02:00			`.PHONY: pull pull/%`
feat: add basic Makefile and .gitignore 2025-10-20 14:53:32 +02:00			`pull: pull/$(shell git branch --show-current)`
fix: typo in Makefile pull task 2025-10-20 15:23:06 +02:00			`pull/%:`
debug: add debug echos to help figure out make pull errors 2025-10-20 15:53:33 +02:00			`echo "check dom0"`
feat: add basic Makefile and .gitignore 2025-10-20 14:53:32 +02:00			`$(check-dom0)`
debug: add debug echos to help figure out make pull errors 2025-10-20 15:53:33 +02:00			`echo "clean workdir"`
feat: add basic Makefile and .gitignore 2025-10-20 14:53:32 +02:00			`$(clean-workdir)`
debug: add debug echos to help figure out make pull errors 2025-10-20 15:53:33 +02:00
			`echo "creating bundle"`
feat: add basic Makefile and .gitignore 2025-10-20 14:53:32 +02:00			`qvm-run -p $(GUEST) "cd $(GUEST_REPO) && $(call create-bundle,dom0)" </dev/null`

			`qvm-run -p $(GUEST) "cat $(GUEST_REPO)/$(BUNDLEIN)" </dev/null >$(BUNDLEIN)`

			`git remote add $(GUEST) $(BUNDLEIN) \|\| true`
debug: add debug echos to help figure out make pull errors 2025-10-20 15:53:33 +02:00
feat: add basic Makefile and .gitignore 2025-10-20 14:53:32 +02:00			`git pull $(GUEST) $:$`

			`qvm-run -p $(GUEST) "cd $(GUEST_REPO) && git update-ref refs/remotes/dom0/$* $*" </dev/null`

			`@echo "updated branch $* from $(GUEST)"`
wip: test salts based off of https://theguardian.engineering/blog/info-2024-apr-04-when-security-matters-working-with-qubes-os-at-the-guardian for practice 2025-10-20 15:44:13 +02:00
			`apply:`
			`echo "Applying salt states"`
			`pushd ./guardian`
			`sudo qubesctl top.enable guardian`
			`sudo qubesctl --show-output --all state.apply`
			`popd`