From f30bd20f54663193a15f28b168ff71e83ada9856 Mon Sep 17 00:00:00 2001
From: Ben Grande <ben.grande.b@gmail.com>
Date: Wed, 19 Jun 2024 15:40:20 +0200
Subject: [PATCH] fix: Print server without RPC service

- Install RPC service to template;
- Move qube configuration to template configuration;
- Start server after the Qubes Services are created;
- Qrexec policy ask to both app and disposable qube; and
- Rename systemd service to qusal prefix instead of qubes.
---
 salt/sys-print/README.md                      |  3 +--
 salt/sys-print/configure.sls                  | 24 -------------------
 salt/sys-print/configure.top                  |  9 -------
 salt/sys-print/create.sls                     |  6 +++++
 .../files/admin/policy/default.policy         |  1 +
 ....service => qusal-print-forwarder.service} |  1 +
 salt/sys-print/init.top                       |  2 --
 salt/sys-print/install-client.sls             |  8 +++++--
 salt/sys-print/install.sls                    | 18 ++++++++++++++
 9 files changed, 33 insertions(+), 39 deletions(-)
 delete mode 100644 salt/sys-print/configure.sls
 delete mode 100644 salt/sys-print/configure.top
 rename salt/sys-print/files/client/systemd/{qubes-print-forwarder.service => qusal-print-forwarder.service} (95%)

diff --git a/salt/sys-print/README.md b/salt/sys-print/README.md
index 56d319f0..04963f8f 100644
--- a/salt/sys-print/README.md
+++ b/salt/sys-print/README.md
@@ -43,7 +43,7 @@ qube that has access to the printer.
 - Top:
 ```sh
 sudo qubesctl top.enable sys-print
-sudo qubesctl --targets=tpl-sys-print,sys-print state.apply
+sudo qubesctl --targets=tpl-sys-print state.apply
 sudo qubesctl top.disable sys-print
 sudo qubesctl state.apply sys-print.appmenus
 ```
@@ -53,7 +53,6 @@ sudo qubesctl state.apply sys-print.appmenus
 ```sh
 sudo qubesctl state.apply sys-print.create
 sudo qubesctl --skip-dom0 --targets=tpl-sys-print state.apply sys-print.install
-sudo qubesctl --skip-dom0 --targets=dvm-sys-print,sys-print state.apply sys-print.configure
 sudo qubesctl state.apply sys-print.appmenus
 ```
 <!-- pkg:end:post-install -->
diff --git a/salt/sys-print/configure.sls b/salt/sys-print/configure.sls
deleted file mode 100644
index a88fe9fa..00000000
--- a/salt/sys-print/configure.sls
+++ /dev/null
@@ -1,24 +0,0 @@
-{#
-SPDX-FileCopyrightText: 2022 - 2023 unman <unman@thirdeyesecurity.org>
-SPDX-FileCopyrightText: 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com>
-
-SPDX-License-Identifier: AGPL-3.0-or-later
-#}
-
-"{{ slsdotpath }}-bind-dirs":
-  file.managed:
-    - name: /rw/config/qubes-bind-dirs.d/50-sys-print.conf
-    - source: salt://{{ slsdotpath }}/files/server/qubes-bind-dirs.d/50-sys-print.conf
-    - mode: '0644'
-    - user: root
-    - group: root
-    - makedirs: True
-
-"{{ slsdotpath }}-rpc":
-  file.managed:
-    - name: /etc/qubes-rpc/qusal.Print
-    - source: salt://{{ slsdotpath }}/files/server/rpc/qusal.Print
-    - mode: '0755'
-    - user: root
-    - group: root
-    - makedirs: True
diff --git a/salt/sys-print/configure.top b/salt/sys-print/configure.top
deleted file mode 100644
index 6d3507d0..00000000
--- a/salt/sys-print/configure.top
+++ /dev/null
@@ -1,9 +0,0 @@
-{#
-SPDX-FileCopyrightText: 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com>
-
-SPDX-License-Identifier: AGPL-3.0-or-later
-#}
-
-base:
-  'dvm-sys-print,sys-print':
-    - sys-print.configure
diff --git a/salt/sys-print/create.sls b/salt/sys-print/create.sls
index 5520f01f..3bb4f0b9 100644
--- a/salt/sys-print/create.sls
+++ b/salt/sys-print/create.sls
@@ -88,6 +88,9 @@ features:
   - service.evolution-data-server
 - set:
   - menu-items: "system-config-printer.desktop simple-scan.desktop qubes-run-terminal.desktop qubes-open-file-manager.desktop qubes.start.desktop"
+tags:
+- add:
+  - "print-server"
 {%- endload %}
 {{ load(defaults) }}
 
@@ -120,6 +123,9 @@ features:
   - service.evolution-data-server
 - set:
   - menu-items: "system-config-printer.desktop simple-scan.desktop qubes-run-terminal.desktop qubes-open-file-manager.desktop qubes.start.desktop"
+tags:
+- add:
+  - "print-server"
 {%- endload %}
 {{ load(defaults) }}
 
diff --git a/salt/sys-print/files/admin/policy/default.policy b/salt/sys-print/files/admin/policy/default.policy
index d9b350d8..83781671 100644
--- a/salt/sys-print/files/admin/policy/default.policy
+++ b/salt/sys-print/files/admin/policy/default.policy
@@ -4,6 +4,7 @@
 
 ## Do not modify this file, create a new policy with with a lower number in the
 ## file name instead. For example `30-user.policy`.
+qusal.Print * @anyvm @tag:print-server ask
 qusal.Print * @anyvm @default ask default_target=sys-print
 qusal.Print * @anyvm @anyvm deny
 ## vim:ft=qrexecpolicy
diff --git a/salt/sys-print/files/client/systemd/qubes-print-forwarder.service b/salt/sys-print/files/client/systemd/qusal-print-forwarder.service
similarity index 95%
rename from salt/sys-print/files/client/systemd/qubes-print-forwarder.service
rename to salt/sys-print/files/client/systemd/qusal-print-forwarder.service
index dbd9d23d..dc060138 100644
--- a/salt/sys-print/files/client/systemd/qubes-print-forwarder.service
+++ b/salt/sys-print/files/client/systemd/qusal-print-forwarder.service
@@ -4,6 +4,7 @@
 
 [Unit]
 Description=Print over Qrexec
+After=qubes-sysinit.service
 After=qubes-qrexec-agent.service
 ConditionPathExists=/var/run/qubes-service/print-setup
 
diff --git a/salt/sys-print/init.top b/salt/sys-print/init.top
index 714de1ac..0e18f221 100644
--- a/salt/sys-print/init.top
+++ b/salt/sys-print/init.top
@@ -10,5 +10,3 @@ base:
     - sys-print.create
   'tpl-sys-print':
     - sys-print.install
-  'dvm-sys-print,sys-print':
-    - sys-print.configure
diff --git a/salt/sys-print/install-client.sls b/salt/sys-print/install-client.sls
index 730563bb..c3e0ee24 100644
--- a/salt/sys-print/install-client.sls
+++ b/salt/sys-print/install-client.sls
@@ -7,9 +7,13 @@ SPDX-License-Identifier: AGPL-3.0-or-later
 
 "{{ slsdotpath }}-client-systemd-print-forwarder":
   file.managed:
-    - name: /usr/lib/systemd/system/qubes-print-forwarder.service
-    - source: salt://{{ slsdotpath }}/files/client/systemd/qubes-print-forwarder.service
+    - name: /usr/lib/systemd/system/qusal-print-forwarder.service
+    - source: salt://{{ slsdotpath }}/files/client/systemd/qusal-print-forwarder.service
     - mode: '0644'
     - user: root
     - group: root
     - makedirs: True
+
+"{{ slsdotpath }}-enable-systemd-service-print-forwarder":
+  service.enabled:
+    - name: qusal-print-forwarder.service
diff --git a/salt/sys-print/install.sls b/salt/sys-print/install.sls
index b6cb5d36..efeb6666 100644
--- a/salt/sys-print/install.sls
+++ b/salt/sys-print/install.sls
@@ -42,4 +42,22 @@ include:
     - addusers:
       - user
 
+"{{ slsdotpath }}-rpc":
+  file.managed:
+    - name: /etc/qubes-rpc/qusal.Print
+    - source: salt://{{ slsdotpath }}/files/server/rpc/qusal.Print
+    - mode: '0755'
+    - user: root
+    - group: root
+    - makedirs: True
+
+"{{ slsdotpath }}-bind-dirs":
+  file.managed:
+    - name: /etc/qubes-bind-dirs.d/50-sys-print.conf
+    - source: salt://{{ slsdotpath }}/files/server/qubes-bind-dirs.d/50-sys-print.conf
+    - mode: '0644'
+    - user: root
+    - group: root
+    - makedirs: True
+
 {% endif -%}